2777
🛡️ Cybersecurity enthusiast | 💻 Helping secure the digital world | 🌐 Web App Tester | 🕵️♂️ OSINT Specialist Admin: @laazy_hack3r
BB Target - https://cybozu.co.jp/en/company/products/bug-bounty/
Читать полностью…
https://www.youtube.com/watch?v=griDEeIcXQc
Читать полностью…
Hey Hunter's,
DarkShadow here back again, just dropping a list of queries.
30K+ Search Queries 🚀
(Google | Shodan | FOFA)
For hunters, red teamers & OSINT warriors:
⚡ Hunt faster
⚡ Spot misconfigurations instantly
⚡ Scan the global surface with precision
GitHub →https://github.com/projectdiscovery/awesome-search-queries
Show your love Guy's ❤️
#bugbountytips #osint
Find sensitive information with gf# Search for testing point with gau and fff
gau target -subs | cut -d"?" -f1 | grep -E "\.js+(?:on|)$" | tee urls.txt
sort -u urls.txt | fff -s 200 -o out/
# After we save responses from known URLs, it's time to dig for secrets
for i in `gf -list`; do [[ ${i} =~ "_secrets"* ]] && gf ${i}; done
𝗠𝗖𝗣 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗥𝗲𝘀𝗼𝘂𝗿𝗰𝗲𝘀
🔗 Awesome MCP Security:
https://github.com/Puliczek/awesome-mcp-security
🔗 Defensive Guide :
https://www.infracloud.io/blogs/securing-mcp-servers/
🔗 MCP Tool :
https://github.com/eqtylab/mcp-guardian
🔗 MCP Threat Modeling :
https://www.csoonline.com/article/4023795/top-10-mcp-vulnerabilities.html
🔗 MCP Security Research :
https://arxiv.org/pdf/2507.06250
🔗 MCP Security Article :
https://www.darkreading.com/application-security/agentic-ai-risky-mcp-backbone-attack-vectors
🔗 MCP Security 101 Guide :
https://www.redhat.com/en/blog/model-context-protocol-mcp-understanding-security-risks-and-controls
🔗 MCP Top Vulnerability :
https://cymulate.com/blog/cve-2025-53109-53110-escaperoute-anthropic/
🔗 MCP Security Video :
https://m.youtube.com/watch?v=zj29lslZxFg
@acesclan #mcp #agentic #ai
#info #Events #Cyber_Education
Cybersecurity Events Sep. - Dec. 2025:
1. Cyber-AI 2025 (Sep. 1-4)
2. Nullcon Berlin (Sep. 3-5)
3. Blue Team Con (Sep. 4-7)
4. SECCON 2025 (Sep. 9)
5. 44CON (Sep. 18-19)
6. National Cyber Summit (Sep. 23-25)
7. HackAICon 2025 (Sep. 25)
8. ESORICS 2025 (Sep. 22-26)
9. BruCON 2025 (Sep. 25-26)
10. COSAC 2025 (Sep.28 - Oct.2)
11. Black Hat AI Summit at SecTor (Sep.30 - Oct.2)
12. Hexacon 2025 (Oct. 4-5)
13. Offensive AI Con 2025 (Oct. 5-8)
14. c0c0n 2025 (Oct. 7-11)
15. Black Hat Fall Online Trainings (Oct. 20-23)
16. OWASP LASCON 2025 (Oct. 21-22)
17. IEEE ISSRE 2025 (Oct. 21-24)
18. DevSecCon 2025 (Oct. 22)
19. SAINTCON 2025 (Oct. 21-24)
20. IAPP Privacy.Security.Risk (Oct. 28-31)
21. OSINTCon 2025 (Nov. 1-2)
22. SANS Fall Cyber Solutions Fest - AI Track (Nov. 6)
23. DEATHCon (Nov. 8-9)
24. POC2025 Hacking Conference (Nov. 13-14)
25. SURICON 2025 (Nov. 19-21)
26. Black Hat Middle East & Africa (Dec. 2-4)
27. Black Hat Europe 2025 (Dec. 8-11)
28. Annual Computer Security Applications Conference (ACSAC2025) (Dec. 8-12)
29. BSidesTLV 2025 (Dec. 11)
30. SANS Cyber Defense Initiative (Dec. 12-17)
🌘 From Prompt Injections to Protocol Exploits:Threats in LLM-Powered AI Agents Workflows, 2025.
// In this Research, we introduce the first unified, end-to-end threat model for LLM-agent ecosystems, spanning host-to-tool and agent-to-agent communications, formalize adversary capabilities and attacker objectives, and catalog over thirty attack techniques. We organized the threat model into four domains: Input Manipulation (prompt injections, long-context hijacks, multimodal adversarial inputs), Model Compromise (prompt- and parameter-level backdoors, composite and encrypted multi-backdoors, poisoning strategies), System and Privacy Attacks (speculative side-channels, membership inference, retrieval poisoning, social-engineering simulations), and Protocol Vulnerabilities (exploits in Model Context Protocol, Agent Communication Protocol, Agent Network Protocol, Agent-to-Agent protocol)
🧩 #Research #MLSecOps
#Threat_Research
#Offensive_security
"Teaching LLMs how to XSS:
An introduction to fine-tuning and reinforcement learning (using your own GPU)", 2025.
// ways to automate XSS with LLMs as a learning exercise
✨List of Awesome Red Team / Red Teaming Resources. This list is for anyone wishing to learn about Red Teaming but do not have a starting point.
https://github.com/0xMrNiko/Awesome-Red-Teaming
Asset inventory of over 800 public bug bounty programs.
https://github.com/trickest/inventory
🚨CVE-2025-0133 : Payload + Template
Payload: %3Csvg%20xmlns%3D%22http%3A%2F%http://2Fwww.w3.org%2F2000%2Fsvg%22%3E%3Cscript%3Eprompt%28%22XSS%22%29%3C%2Fscript%3E%3C%2Fsvg%3E
Write-up: https://codewithvamp.medium.com/cve-2025-0133-reflected-xss-vulnerability-in-palo-alto-globalprotect-gateway-portal-028128f2f5b9
Template: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-0133.yaml
#Research
#MLSecOps
"Generative AI in cybersecurity:
A Comprehensive Review of LLM Applications and Vulnerabilities", 2025.
// This paper provides a comprehensive review of the future of cybersecurity through GenAI and LLMs. We explore LLM applications across various domains, including hardware design security, intrusion detection, software engineering, design verification, cyber threat intelligence, malware and phishing detection. We present an overview of LLM evolution and its current state. Our analysis extends to LLM vulnerabilities, such as prompt injection, insecure output handling, data poisoning, DDoS, and adversarial instructions
Active Directory Pentesting
https://exploit-notes.hdks.org/exploit/windows/active-directory/
🔥 Find Low Hanging Fruits Using Nuclei AI 🔥nuclei -list targets.txt -ai "Find exposed AI/ML model files (.pkl, .h5, .pt) that may leak proprietary algorithms or sensitive training data"
nuclei -list targets.txt -ai "Find exposed automation scripts (.sh, .ps1, .bat) revealing internal tooling or credentials"
nuclei -list targets.txt -ai "Identify misconfigured CSP headers allowing 'unsafe-inline' or wildcard sources"
nuclei -list targets.txt -ai "Detect pages leaking JWT tokens in URLs or cookies"
nuclei -list targets.txt -ai "Identify overly verbose error messages revealing framework or library details"
nuclei -list targets.txt -ai "Find application endpoints with verbose stack traces or source code exposure"
nuclei -list targets.txt -ai "Find sensitive information in HTML comments (debug notes, API keys, credentials)"
nuclei -list targets.txt -ai "Find exposed .env files leaking credentials, API keys, and database passwords"
nuclei -list targets.txt -ai "Find exposed configuration files such as config.json, config.yaml, config.php, application.properties containing API keys and database credentials."
nuclei -list targets.txt -ai "Find exposed configuration files containing sensitive information such as credentials, API keys, database passwords, and cloud service secrets."
nuclei -list targets.txt -ai "Find database configuration files such as database.yml, db_config.php, .pgpass, .my.cnf leaking credentials."
nuclei -list targets.txt -ai "Find exposed Docker and Kubernetes configuration files such as docker-compose.yml, kubeconfig, .dockercfg, .docker/config.json containing cloud credentials and secrets."
nuclei -list targets.txt -ai "Find exposed SSH keys and configuration files such as id_rsa, authorized_keys, and ssh_config."
nuclei -list targets.txt -ai "Find exposed WordPress configuration files (wp-config.php) containing database credentials and authentication secrets."
nuclei -list targets.txt -ai "Identify exposed .npmrc and .yarnrc files leaking NPM authentication tokens"
nuclei -list targets.txt -ai "Identify open directory listings exposing sensitive files"
nuclei -list targets.txt -ai "Find exposed .git directories allowing full repo download"
nuclei -list targets.txt -ai "Find exposed .svn and .hg repositories leaking source code"
nuclei -list targets.txt -ai "Identify open FTP servers allowing anonymous access"
nuclei -list targets.txt -ai "Find GraphQL endpoints with introspection enabled"
nuclei -list targets.txt -ai "Identify exposed .well-known directories revealing sensitive data"
nuclei -list targets.txt -ai "Find publicly accessible phpinfo() pages leaking environment details"
nuclei -list targets.txt -ai "Find exposed Swagger, Redocly, GraphiQL, and API Blueprint documentation"
nuclei -list targets.txt -ai "Identify exposed .vscode and .idea directories leaking developer configs"
nuclei -list targets.txt -ai "Detect internal IP addresses (10.x.x.x, 192.168.x.x, etc.) in HTTP responses"
nuclei -list targets.txt -ai "Find exposed WordPress debug.log files leaking credentials and error messages"
nuclei -list targets.txt -ai "Detect misconfigured CORS allowing wildcard origins ('*')"
nuclei -list targets.txt -ai "Find publicly accessible backup and log files (.log, .bak, .sql, .zip, .dump)"
nuclei -list targets.txt -ai "Find exposed admin panels with default credentials"
nuclei -list targets.txt -ai "Identify commonly used API endpoints that expose sensitive user data, returning HTTP status 200 OK."
nuclei -list targets.txt -ai "Detect web applications running in debug mode, potentially exposing sensitive system information."
⚡Automated red-team toolkit for stress-testing LLM defences - Vector Attacks on LLMs
✅https://github.com/MrMoshkovitz/gandalf-llm-pentester
Google 🔍 Engineer dropped a book. A comprehensive guide to building agentic AI systems.
Key points:Concepts: Prompt chaining, routing, memory, planning, safety, and evaluation.
✅Patterns: Design methods for multi-agent setups, tool-using agents, and autonomous workflows.
✅Hands-on: Code samples for implementing these patterns in real-world apps.
✅Goal: Help developers build reliable, scalable, and safe intelligent agents.
Think of it as a playbook for advanced AI agent design.
#Tech_book
"Advanced Python for Cybersecurity:
Techniques in Malware Analysis, Exploit Development, and Custom Tool Creation", 2024.
// By integrating Python into your cybersecurity arsenal, you can automate repetitive tasks, enhance your analytical capabilities, forge custom tools tailored to specific threats, and ultimately fortify your defenses against an ever-evolving adversary
🔖 Application Programming Interface (API):
Vulnerabilities and Risks", Special Report
🌘 2024
// This report describes 11 common vulnerabilities and 3 risks related to APIs, providing suggestions about how to fix or reduce their impact. Recommendations include using a standard API documentation process, using automated testing, and ensuring the security of the identity and access management system
See also:
]-> API Specification Parser
]-> Tool to detect API auth weaknesses
]-> API Security Vulnerability Scanner
🧩 #AppSec #Whitepaper
🧩 #Threat_Research
https://xmind.app/mindmap/zseanos-methodology/TidUQd/?from=gallery#
Читать полностью…
#AIOps
#MLSecOps
"Security Attacks on LLM-based Code Completion Tools", v.4, AAAI 2025.
]-> example code and attack samples
// LLM-based Code Completion Tools (LCCTs) often rely on proprietary code datasets for training, raising concerns about the potential exposure of sensitive data. We exploit these distinct characteristics of LCCTs to develop targeted attack methodologies on two critical security risks: jailbreaking and training data extraction attacks
BB Target- https://www.nooks.ai/responsible-disclosure-process
🔥Fresh BB Target - https://www.computerwaard.nl/.well-known/security.txt
Читать полностью…
DomLoggerpp by @kevin_mizu is a simple web extension that helps you identify JavaScript DOM sinks that could lead to DOM-based vulnerabilities (such as XSS)! 😎
Check it out! 👇
🔗 https://github.com/kevin-mizu/domloggerpp