Live web app hacking using Caido with it’s co-founder sytten. Caido is a lightweight web security auditing toolkit. more

A hacker interview with Ryan Montgomery aka 0day. more

Full Disclosure - DOM-based XSS And Failures In Bug Bounty Hunting. Kuldeep shares a bug bounty failure and 3 actionable takeaways. more

Hunting for Nginx Alias Traversals in the wild. This article delves into the intricacies of Nginx, focusing on the location and alias directives that are central to how Nginx handles specific URLs. more

Patch Diffing CVE-2023-28121 to Compromise a WooCommerce. Back in March 2023, Julien noticed an interesting security advisory that was published by Wordfence about a critical “Authentication Bypass and Privilege Escalation” (aka CVE-2023-28121) affecting the “WooCommerce Payments” plugin which has more than 600. more

TweetDeck has been “improved” and will be a paid feature. more

j3ssie/osmedeus v4.5.0 is a workflow engine for offensive security. more

j3ssie/metabigor v1.2.5 is an OSINT tools and more but without API keys. more

For Kali Linux, pip install is on the way out. Installing Python packages must be done via APT, aka. Kali Linux’s package manager. Python packages coming from other sources should be installed in virtual environments. more

NahamSec is thinking about hosting a bug bounty meet up at Defcon with Jason and STÖK. more

STÖK, Dylan, and Jesper broke stuff for science using…Uranium?! I look forward to seeing the full story. more

Paul started his own company, Coastline Cyber. A boutique cyber security consulting firm. more

People loved Jason’s first live course. The next Bug Hunter’s Methodology takes place this weekend. more

FIRST.org (CVSS) removed the previously celebrated self-service provisioned accounts statement to many bug bounty hunters dismay. more | follow-up

Kuldeep was recognized as an SRT Hero and member of the Circle of Trust. Let’s go! more

ninetynine was invited to their first Live Hacking Event in Las Vegas no less. Good luck! more

Jane joined Meta to work on Threads. I can’t wait to see your influence! more

Ian left his job at Robinhood to work on Seats Aero full-time. Awesome! more

TIL there are severance package hunters. more

Corgi shared her fast food history with a surprising twist: Operation Big Mis-Steak. more

Renniepak shares his struggles with taking time off while being self-employed. more

Fletcher, the CIO of Cisco, shares his journey in the tech industry, emphasizing the importance of passion and attitude in succeeding in the constantly changing field. more

Starting a new job? Here are four actionable tips for new hires which you can implement in your first 90 days. more

If Twitter falls, the OSINT community needs a new home, says fs0c131y — I’m also concerned with fragmentation and losing the overview. more

A discussion around getting maximizing bounty payouts vs proving that actual security vulnerabilities are worth paying for. more

A collection of InfoSec handles on Meta’s Twitter clone, Threads. more

What did you buy with your first bounty payout? more | source

It became public that a hacker accessed HackerOne email addresses in a recent disclosed report. more| discussion

A Journey Into Hacking Google Search Appliance. more

CVE-2023-36934 Analysis: MOVEit Transfer SQL Injection. the focus at ProjectDiscovery is on enhancing their open-source solution, Nuclei, by incorporating templates for trending CVEs. more

Exploiting XXE with local DTD files. This little technique can force your blind XXE to output anything you want. more

DNS Analyzer helps you find DNS vulnerabilities with Burp Suite. more | tool

Why ORMs and Prepared Statements Can’t (Always) Win. The Sonar Research team discovered several SQL injection vulnerabilities in Soko, a software deployed on the Gentoo Linux infrastructure. These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements. more

A collection of public security research. more

A discussion around disclosing bug bounty reports reports and sharing methodologies. more

Whitecyberduck’s useful Cybersecurity Websites. more

Books that have significantly impacted how people do business. more

Sleuthcon 2023 videos have been posted. This conference is designed to highlight the work done by people and organizations to identify and explore cybercrime and financially-motivated cyber threats. more

JWT Authentication Bypass via jwk Header Injection. Learn about JSON Web Token (JWT) vulnerabilities. more

Top 3 bug bounty tips by NahamSec, who made $100K in 2 months. more

Generic HTML Sanitizer Bypass Investigation. LiveOverflow stumbled upon a weird HTML behavior on Twitter and started to investigate it. more

Ippsec takes on another HackTheBox box, Inject. more

Rana is back with Web Security Academy. This time she covers Authentication Vulnerabilities - Lab #1 Username enumeration via different responses. more

We Hack Purple Podcast 79 with Isabelle Mauny, where they discuss several of the challenges when creating secure APIs. more

Archwisp shared offline copies of all of the Defcon parties mixes and videos. more

Smashing Security 329: Pornhub, Barbie dolls, and can you trust a free TV? more

Critical Thinking - Bug Bounty Podcast Episode 26: Client-side Quirks & Browser Hacks. more