MIT just quietly dropped a free AI curriculum that puts $50,000 university courses to shame.
12 books.
Zero tuition.
From the same institution that produced the people building the models everyone is talking about.
FOUNDATIONS
1. Foundations of Machine Learning — https://t.co/Un6UbjJBMW
2. Understanding Deep Learning — https://t.co/UQxZmyFq2V
3. Machine Learning Systems — https://t.co/YAgrLVH8N1
ADVANCED TECHNIQUES
4. Algorithms for ML — https://t.co/YlBk59oGwX
5. Deep Learning — https://t.co/KMO1uWQ69z
REINFORCEMENT LEARNING
6. RL Basics (Sutton & Barto) — https://t.co/sOZlDXA1Tz
7. Distributional RL — https://t.co/uOkviYj8fF
8. Multi-Agent Systems — https://t.co/Dx9caJW4QL
9. Long Game AI — https://t.co/K9Qm2Tk8FE
ETHICS & PROBABILITY
10. Fairness in ML — https://t.co/MgkLdRvQ2m
11. Probabilistic ML Part 1 — https://t.co/Zz33gQizle
12. Probabilistic ML Part 2 — https://t.co/qBe776ERrO
This is a complete MIT-level AI education.
Not a YouTube playlist.
Not a Twitter thread full of fluff.
Textbooks written by the researchers who built the field.
The people who actually study this will not just understand AI better than their peers.
They will understand it better than most people currently getting paid to work in it.
Most people will bookmark this and never open it.
The ones who open it tonight are the ones who show up in 12 months having built something nobody around them understands yet.
Bookmark this.
Open the first one tonight.
Follow @cyrilXBT for more resources that actually compound.
🚨 Anthropic just showed a 27-minute workshop on how to actually do prompts for Claude.
Taught by the people who built it.
Free. No registration. No paywall.
I've seen $300 courses that don't cover what they teach in the first 8 minutes.
Watch it and bookmark it now.
I've been a backend engineer for 12+ years. Today, I'm a Principal Engineer at Atlassian.
I've designed systems that handle millions of requests. Sat on both sides of system design interviews.
Reviewed more architecture docs than I can count.
Starting today, I'm breaking down the fundamentals of scaling for the next 25 days.
If you're learning system design, bookmark this thread; you're going to learn a lot from it.
Every JWT writeup online covers 2–3 attacks and stops.
I got tired of jumping between 40 blog posts, so I wrote the whole thing. All in one place.
https://t.co/iCSzQ4GjcS
#infosec #appsec #bugbounty #websec #jwt
Have you ever seen a CVE and wanted to turn it into an exploit but didn't know how? Check out my latest tutorial where I turn CVE-2018-1160 into a fully functioning exploit!
Video can be found here:
https://t.co/VMtvy4U8ov
i kid you not. i got this message from a program manager:
> try to hack it
i proxy -> login -> tell claude "look at all the req in caido for <host>"
16 minutes later:
15 million users' info leaked LOL
Hackers asked for a third edition of The Web Hacker’s Handbook.
Rather than releasing another book which will quickly get outdated, we created the Web Security Academy, a living, constantly updated learning hub with hands-on labs and video walk-throughs so you can learn by doing, not just reading.
https://t.co/7YFhICfOrV
🚀 Become a Pro in Linux Server Administration
Gain full command over your IT infrastructure by mastering the core competencies every Linux System Administrator must know.
💌 Comment “PDF” if you want a downloadable version of this full guide.
Tip:
GET /api/v1/user/{username} --> 403 Forbidden
DELETE /api/v1/user/{username} --> 200 OK
Check out other request methods; access control might not be properly enforced in them.
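A minimal dispatcher showing why the authorization check has to sit in front of every HTTP verb on a resource rather than being wired to the GET handler alone, added here as an example and not code from the original post; the request model, the owner-or-admin rule and the route table are assumptions:

```python
# Added example (not from the original post): a request dispatcher that
# contrasts an access-control rule attached only to GET with one enforced
# before method routing. All data is constructed; no real service is involved.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class Request:
    method: str
    path: str            # e.g. "/api/v1/user/alice"
    user: Optional[str]  # authenticated principal, None if anonymous

def owner_of(path: str) -> str:
    # The resource owner is the {username} segment of /api/v1/user/{username}.
    return path.rsplit("/", 1)[-1]

def is_allowed(req: Request) -> bool:
    # Assumed rule: only the owner or an admin may touch a user record, whatever the verb.
    return req.user is not None and (req.user == owner_of(req.path) or req.user == "admin")

# Vulnerable pattern: the check lives inside the GET handler only, so DELETE
# (and any other verb the framework routes) runs with no check at all.
def dispatch_vulnerable(req: Request) -> int:
    handlers = {"GET": lambda r: 200 if is_allowed(r) else 403,
                "DELETE": lambda r: 200}  # deletes without asking who is calling
    handler = handlers.get(req.method)
    return handler(req) if handler else 405

# Hardened pattern: authorization runs before method routing for every verb,
# and verbs with no handler get 405 instead of silently succeeding.
def dispatch_hardened(req: Request) -> int:
    if not is_allowed(req):
        return 403
    handlers = {"GET": lambda r: 200, "DELETE": lambda r: 200}
    handler = handlers.get(req.method)
    return handler(req) if handler else 405

def method_audit(dispatch: Callable[[Request], int], path: str, user: str) -> Dict[str, int]:
    """Exercise the common verbs against one resource as one non-owner user; any verb
    that returns 200 while GET returns 403 is the inconsistency the tip describes."""
    return {m: dispatch(Request(m, path, user))
            for m in ("GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS")}
```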
Cybersecurity firm Zscaler has disclosed a data breach after attackers gained unauthorized access to its Salesforce instance. The incident comes in the wake of the recent compromise of Salesloft Drift, an AI chat agent integrated with Salesforce, where threat actors stole OAuth and refresh tokens to infiltrate customer Salesforce environments and extract sensitive data.
The exposed information includes:
- Names
- Business email addresses
- Job titles
- Phone numbers
- Regional/location details
- Zscaler product licensing and commercial details
- Content from certain customer support cases
According to Google Threat Intelligence, the activity has been attributed to a threat actor or group known as UNC6395.
A recent SSRF in a PDF generator 👇
The server converted my supplied HTML into PDF, so I dropped in a <meta http-equiv="refresh" content="0;url=http://10.20.x.x/"> tag and got the backend to fetch responses from the internal network. I was able to access an API on the internal network at 10.20.x.x, but the program team wanted more impact.
With help from @mcipekci, we scanned all ports on 127.0.0.1 and ended up finding an OpenPrinting CUPS server exposed on port 631. The program team finally accepted the report as High severity.
When you land an SSRF, don’t just check the default localhost port. Enumerate all common ports on localhost.
When testing for SSRF, you’ll often hit blocklist errors when targeting localhost or cloud metadata hosts.
Here are some bypass techniques that consistently work for me:
- Use a 303 redirect to an internal host — many apps follow redirects without validation & convert POST → GET
- DNS tricks like https://t.co/pshzbZl7tT (resolves back to localhost)
- Append @blacklistedDomain after a whitelisted URL/domain
- Add # at the end of the domain if the backend appends paths/params when making the request.
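A server-side fetch gate that closes the gaps both SSRF posts above describe (internal-range and loopback targets on any port, redirect following, userinfo and trailing-# tricks), added here as an example and not code from either post; the host and port allowlists, the example hostnames and the fake DNS/HTTP stand-ins are assumptions.

```python
# Added example (not from either post): a deny-by-default URL gate for a server-side
# fetcher such as an HTML-to-PDF renderer. Every hop, including each redirect, is
# re-checked. DNS and HTTP are injected so the example runs offline on constructed data.
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit
ALLOWED_HOSTS = {"cdn.example.com", "static.example.com"}  # assumption: permitted origins
ALLOWED_PORTS = {80, 443}                                   # assumption: nothing else is legitimate
def _unsafe_ip(ip: str) -> bool:
    a = ipaddress.ip_address(ip)  # 10/8, 127/8, 169.254/16 (cloud metadata), 172.16/12, ...
    return a.is_private or a.is_loopback or a.is_link_local or a.is_reserved or a.is_multicast
def check_url(url: str, resolve: Callable[[str], List[str]]) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the reason it was refused."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        return "scheme"
    if p.username is not None or p.password is not None:
        return "userinfo"           # https://cdn.example.com@10.20.0.5/ parses as host 10.20.0.5
    if "#" in url:
        return "fragment"           # a trailing '#' discards any path/params the server appends
    if p.hostname not in ALLOWED_HOSTS:
        return "host"               # exact hostname match, never a prefix match on the string
    if (p.port or (443 if p.scheme == "https" else 80)) not in ALLOWED_PORTS:
        return "port"               # blocks 127.0.0.1:631-style targets even via an allowed name
    if not (ips := resolve(p.hostname)) or any(_unsafe_ip(ip) for ip in ips):
        return "resolves-internal"  # catches names that answer with 127.0.0.1 or 10.x.x.x
    return None

def fetch_checked(url: str, resolve, transport, max_hops: int = 3) -> Tuple[int, str]:
    """transport(url) -> (status, headers, body); a redirect Location is re-checked before use."""
    for _ in range(max_hops):
        reason = check_url(url, resolve)
        if reason:
            return 403, f"refused {url}: {reason}"
        status, headers, body = transport(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = headers["Location"]  # 303 to an internal host is refused, not followed
            continue
        return status, body
    return 403, "too many redirects"
# Constructed stand-ins for DNS and HTTP (not real hosts or responses).
FAKE_DNS: Dict[str, List[str]] = {"cdn.example.com": ["93.184.216.34"],
                                  "static.example.com": ["127.0.0.1"]}  # rebound/hijacked name
def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
def fake_transport(url: str):
    if url == "https://cdn.example.com/go":
        return 303, {"Location": "http://10.20.0.5/"}, ""
    return 200, {}, "<html>ok</html>"
```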
I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.
If you are studying web hacking techniques, don't get overwhelmed and don't assume people know all of the attacks and how they all work. EVERYONE needs to Google or lookup stuff during their bug hunting process, or research papers - we are all still learning on a daily basis.