🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
CSRF Protection without Tokens or Hidden Form Fields
https://blog.miguelgrinberg.com/post/csrf-protection-without-tokens-or-hidden-form-fields
December CTF Challenge: Chaining XS leaks and postMessage XSS
https://www.intigriti.com/researchers/blog/hacking-tools/december-ctf-challenge-xs-leaks-postmessage-xss
#Threat_Research
"Elastic Global Threat Report", 2025.
// The age of patient, stealthy attacks is giving way to a new era of high-velocity threats. Our year-over-year analysis reveals a clear strategic shift: adversaries are retooling for speed, weaponizing AI to generate novel threats at scale, and prioritizing immediate execution over prolonged stealth. This acceleration forces defenders to adapt to an attack lifecycle measured in minutes, not months, where rapid, context-rich decisions drawn from both real-time and historical data have become the key to effective defense.
Ollama Remote Code Execution: Securing the Code That Runs LLMs
https://www.sonarsource.com/blog/ollama-remote-code-execution-securing-the-code-that-runs-llms/
#OSINT
#AppSec
"Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers", Oct. 2025.
// Besides plain messaging, many services implement additional features such as delivery and read receipts informing a user when a message has successfully reached its target. This paper highlights that delivery receipts can pose significant privacy risks to users.
Date: 2025-12-22
Bug bounty program was removed from Immunefi:
Genius Yield
Date: 2025-12-20
Bug bounty program was removed from Immunefi:
Mynt and Zero
https://challenge-1225.intigriti.io/
http://GitBook_s.t.me
#blog #intigriti #challenge
https://aisearch.bugbountyhunt.com
#ai #bugbounty #search
https://github.com/amrelsagaei/Bug-Bounty-Hunting-Methodology-2025
#bugbounty #methodology #hunting
#Infographics
#Offensive_security
Active Directory Pentest Mindmap 2025
https://mayfly277.github.io/posts/AD-mindmap-2k25
]-> Source code
#Whitepaper
"JWT Security:
Complete Enterprise Implementation Guide for Modern Applications", Ver. 2.0, Oct. 2025.
// JSON Web Tokens (JWT) have fundamentally transformed authentication and authorization in modern distributed systems, becoming the cornerstone of stateless authentication architectures worldwide. This comprehensive technical guide represents the most thorough examination of JWT security available, combining theoretical foundations with battle-tested production implementations.
#info
#Infographics
#Infosec_Standards
The DoD Cybersecurity Policy Chart, 2025.
]-> https://csiac.dtic.mil/resources/the-dod-cybersecurity-policy-chart
// Cybersecurity-Related Policies and Issuances Developed by the DoW Deputy CIO for Cybersecurity.
Last Updated: Nov 4, 2025.
When WebSockets Lead to RCE in CurseForge
https://elliott.diy/blog/curseforge/
#AIOps
#Analytics
"AI Agent Trends 2026", Google 2025.
// This report provides key insights for business leaders to shape their AI agent strategy for 2026 and beyond. Within each trend, you will find real-life examples, technical resources, and customer stories to share with your teams for deeper learning. These trends were identified using a blend of qualitative and quantitative data, including internal Google Cloud and Google DeepMind interviews with AI leaders, customer case studies, and insights from The ROI of AI 2025 report.
#Analytics
#WebApp_Security
OWASP Top 10 2025:
The Ten Most Critical Web Application Security Risks
https://owasp.org/Top10/2025/0x00_2025-Introduction
#Deepfakes
"Can Current Detectors Catch Face-to-Voice Deepfake Attacks?", 2025.
// First, we present the first systematic evaluation of FOICE detection, showing that leading detectors consistently fail under both standard and noisy conditions. Second, we introduce targeted fine-tuning strategies that capture FOICE-specific artifacts, yielding significant accuracy improvements. Third, we assess generalization after fine-tuning, revealing trade-offs between specialization to FOICE and robustness to unseen synthesis pipelines. These findings expose fundamental weaknesses in today's defenses and motivate new architectures and training protocols for next-generation audio deepfake detection.
#OSINT
#AppSec
#Research
"Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy", NDSS 2026.
]-> https://github.com/sbaresearch/whatsapp-census
// To initiate conversations, users must first discover whether their contacts are registered on the platform. This is achieved by querying WhatsApp's servers with mobile phone numbers extracted from the user's address book. This architecture inherently enables phone number enumeration, as the service must allow legitimate users to query contact availability. While rate limiting is a standard defense against abuse, we revisit the problem and show that WhatsApp remains highly vulnerable to enumeration at scale.
Date: 2025-12-22
Bug bounty program was removed from Immunefi:
Revert
Date: 2025-12-20
Bug bounty program was removed from Immunefi:
Sovryn
The methods and properties that offer various means to modify and navigate the document. Each serves a specific purpose, tailored to your requirements for the document's layout.
GitBook
#bug_bounty #xss #js #dom #dom_xss
https://github.com/fcavallarin/wirebrowser
#tool #api
https://hackers-arise.com/bug-bounty-get-started-with-httpx/
#httpx #bugbounty #tool
#NetSec
#AppSec
#Analytics
#Offensive_security
"Tor Project Pentest - Code audit and network health report", 2025.
// This document outlines the results of a pentest and whitebox security review conducted against a number of Tor Project items. Test targets: Network Metrics, Visualization Stack, Relay & Network Health Tools, Exit Relay Scanning, Bandwidth Measurement, Tor Core Code Changes.
#DevOps
#Tech_book
"DevOps Security and Automation:
Building, deploying, and scaling modern software systems", 2025.
]-> Example code files
// This book equips readers with the knowledge and practical skills needed to excel in DevOps. From foundational concepts to advanced techniques, it covers the DevOps lifecycle, including version control, CI/CD, IaC, containerization, Kubernetes, observability, security integration, and site reliability engineering. Each chapter includes hands-on exercises using industry-standard tools like Docker, Jenkins, Terraform, and Prometheus.
#exploit
1⃣ CVE-2025-64669:
LPE in Windows Admin Center
// A privilege escalation flaw in Windows Admin Center 2.4x allows attackers to execute malicious code with SYSTEM privileges via insecure directory permissions and DLL hijacking.
2⃣ Exploiting Anno 1404
// Multiple vulnerabilities in Anno 1404: Venice multiplayer mode enable arbitrary code execution through path traversal, DLL hijacking, RPC exposure, and memory corruption, demonstrated on Windows 10.
3⃣ Google Cloud Shell Container Escape
// A successful container escape from Google Cloud Shell was achieved via hotplug hijacking, exploiting kernel hotplug events on a KVM-hosted environment, highlighting the risks posed by kernel vulnerabilities and system configurations.
4⃣ Windows Exploitation Techniques:
Winning Race Conditions with Path Lookups
// The article details methods to drastically slow Windows object namespace lookups using complex directory structures, symbolic links, and hash collisions, thereby expanding race condition windows for exploitation.
#MLSecOps
#Threat_Modelling
"Cisco Integrated AI Security and Safety Framework Report", Dec. 2025.
]-> Cisco AI security and safety taxonomy
// This paper presents Cisco's Integrated AI Security and Safety Framework, a unified, lifecycle-aware taxonomy and operationalization framework that can be used to classify, integrate, and operationalize the full range of AI risks. It integrates AI security and AI safety across modalities, agents, pipelines, and the broader ecosystem.