
Hi friends,
Greetings from the hive!
I’m thankful for all of the wonderful people I’ve met on my journey so far.
After further researching stoicism, I discovered the Latin phrase amor fati, translated as “love of fate”.
I’ll be adopting this mindset from now on, and when something unfortunate happens, I’ll embrace it and say thanks instead.
What are you thankful for?
Let's take this week by swarm!
🐝 The Bee's Knees
Monitor trending CVEs: Data comes from Twitter + NIST NVD APIs - back-end: Python, Flask, PostgreSQL, and Redis - front-end: React + Bootstrap.
$16k Stealing secrets.yaml from GitLab using stored XSS - Hackerone bug bounty: This video is an explanation of a bug bounty report submitted to GitLab bug bounty program via Hackerone by William Bowling.
Wordpress Plugin Update Confusion - The full guide how to scan and mitigate the next big Supply Chain Attack: A couple of months ago, while browsing Twitter on a weekend, Nagli stumbled upon a rather interesting post from @vavkamil.
Finding XSS on .apple.com and building a proof of concept to leak your PII information: Back in February of this year zseano hacked with members of BugBountyHunter.com on a public bug bounty program and we chose Apple as our target.
Enzyme Finance Price Oracle Manipulation Bug Fix Postmortem: In 2020 and at the beginning of 2021, one of the worst phrases you could hear either as a DeFi security researcher or developer was, “Project X was hacked due to Price Oracle manipulation using flashloans.
🙏🏻 Enjoy This Newsletter?
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
TCM Security Academy - courses, bundles, gift certs, and access passes. Cybersecurity Training That Doesn't Break the Bank. Don't overspend on your education!
🔥 Buzzworthy
✅ Changelog
Param Miner now supports using header smuggling to identify back-end headers: Thanks to a quality contribution from @_danielthatcher.
📅 Events
Discord Nitro deal: Holiday BOGO Promo.
🎉 Celebrate
Alex Birsan reached nr 1 on PayPal's BBP: Congrats!
b1twis3 joined AWS as security engineer: Exciting!
YASCON'21 CTF winners: Congrats to all!
💰 Career Corner
Hiring - Snap Security Engineering is hiring new grads: And the best part? You do not need security experience.
Discussion - Steph on best work benefits: What is the best work benefit you've ever seen?
📰 Articles
Metadata in Digital Media: like photos or videos, it contains things like the creation date, location it was recorded, the applications used for editing, or even information about the creator of the item.
Touchy Logger: A few weeks back, ash and a friend of his called Viktor solved a CTF challenge together that fascinated both of them.
WordPress Plugin Confusion: How an update can get you pwned: tl;dr: Like the novel “Dependency Confusion” supply chain attack, it is possible to take over internally developed WordPress plugins unclaimed on the wordpress.org registry.
The Tabletop Exercise (TTX): Exercising is fun! More precisely, information security tabletop exercises (TTXs) are fun.
📚 Resources
Zseano on CSRF: Victim user Id was sent in request to determine which to update, but ‘0’ worked. (No need to target one account and affects everyone. No need to know specific userid).
Omar's Smart Contract Auditing Process overview: For pentesters, devs, bug bounty, or anyone vested in blockchain security.
Max shares academic books: Published in 2021 on cyber conflict/competition relevant topics – or will be published in 2022.
Internal Pentest Playbook: Notes on the most common things Steve needs for an Internal Network Penetration Test.
Awesome AppSec: A curated list of resources for learning about application security.
🎥 Videos
Server-Side Request Forgery (SSRF) | Complete Guide: This video covers the theory behind Server-Side Request Forgery (SSRF) vulnerabilities, how to find these types of vulnerabilities from both a white box and black box perspective, how to exploit them and how to prevent them.
UHC - Union: The best box to practice SQL Union Injections, says IppSec.
iCloud Private Relay vs VPN vs Tor: This is the 87th episode of the privacy guides series.
🎵 Audio
Mixtape - Cassetternet: In 1983, Simon Goodwin had a strange thought. Would it be possible to broadcast computer software over the radio?
Automators - Chris Lawley, the iPad Man: iPad expert Chris Lawley joins in to talk about iPad-based automation and where a Mac fits in his workflow.
Indie Hackers #233: Hard-Learned Lessons from Decades of Entrepreneurship with Spencer Fry of Podia.
The Tim Ferriss Show #547 - Balaji Srinivasan: on Bitcoin, The Great Awokening, Wolf Warrior Diplomacy, Open-Source Ecology, Reputational Civil War, Creating New Cities, and Options for Becoming a Sane but Sovereign Individual.
