HUNTER

I just published How I Hacked Intigriti’s Christmas SantaCloud CTF Admin Panel in 10 Minutes @intigriti medium.com/p/how-i-hacked…

Runtime Mobile Security (RMS) 📱🔥 ▶️ a powerful web UI, powered by @fridadotre, that helps you to manipulate Android and iOS Apps at Runtime 🖥 Github: github.com/m0bilesecurity… 🎉 Android: youtu.be/Gq0bXeRu-I0 🎉 iOS: youtu.be/EtsYHYA9ID4 #MobileSecurity by @mobilesecurity_

Google dorking is essential when performing recon! But it can easily become a tedious process... 😓 Xnldorker by @xnl_h4ck3r gathers search results from multiple search engines simultaneously, including Google, Bing, DuckDuckGo, and more! It also features concurrent anti-bot detection and automatic result deduplication! 😎 Check it out! 👇 🔗 github.com/xnl-h4ck3r/xnl…

Looking for reliable wordlists for Bug Bounty recon? Wordlists by @Assetnote delivers automated and manually curated lists, updated monthly, for content discovery, subdomain enumeration, parameter fuzzing, and API endpoint hunting. 👉 github.com/assetnote/word… #BugBountyTips

Recon Smarter: Finding Sensitive Files in Large URL Lists Most bug hunters stop at URLs. Real impact comes from what those URLs expose. This workflow combines: • high-risk file extensions • real-world secret patterns • automated URL discovery Result → fewer URLs, higher signal, better findings. Step 1: Asset discovery subfinder -d domains.com | httpx -mc 200,401,403,404 | tee domains.txt Step 2 URL extraction cat domains.txt | katana | tee urls.txt Step 3: Smart grep (FILES + SECRETS) We combine: • Sensitive file extensions • High-signal secret regex cat urls.txt | grep -aiE "\.(zip|rar|tar|gz|config|log|bak|backup|java|old|xlsx|json|pdf|doc|docx|pptx|csv|htaccess|7z)$|(?i)(?:(?:access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_key|cloudinary_api_secret|cloudinary_name|codecov_token|config|conn.login|connectionstring|consumer_key|consumer_secret|credentials|cypress_record_key|database_password|database_schema_test|datadog_api_key|datadog_app_key|db_password|db_server|db_username|dbpasswd|dbpassword|dbuser|deploy_password|digitalocean_ssh_key_body|digitalocean_ssh_key_ids|docker_hub_password|docker_key|docker_pass|docker_passwd|docker_password|dockerhub_password|dockerhubpassword|dot-files|dotfiles|droplet_travis_password|dynamoaccesskeyid|dynamosecretaccesskey|elastica_host|elastica_port|elasticsearch_password|encryption_key|encryption_password|env.heroku_api_key|env.sonatype_password|eureka.awssecretkey)[a-z0-9_.,-]{0,25})[:<>=|]{1,2}.{0,5}['\"]([0-9A-Za-z\-_=]{8,64})['\"]" #bugbounty #recon #infosec #cybersecurity #pentesting #websecurity #hacking

1/1 How to Bypass Akamai WAF Using AI What was the idea? Many researchers are afraid to test Akamai directly because you can't easily bypass it or find working payloads through Google searches. Akamai constantly blocks anything you try, so you need your own custom payloads.

⏰ It's CHALLENGE O'CLOCK! 👉 Pop an alert before Monday the 23rd of February 👉 Win €400 in SWAG prizes 👉 We'll release a tip for every 100 likes on this tweet Thanks @d3dn0v4 for the challenge 👇 challenge-0226.intigriti.io

You don’t need 20 tabs for recon. You just need a pipe. Here’s the one-liner 👇 subfinder → httpx → gau → grep Turn passive recon into real findings.

I was reconning earlier today and "accidentally" found an #XSS in crt.sh😂

your old Android phones are a better agent server than a Mac mini. while most users spend $600+ on dedicated hardware for @openclaw, the real efficiency is hiding in your junk drawer. i saw some developers use Termux and Node.js to turn 3 watt devices into constant research hubs. by running npm install -g clawdbot, these discarded screens handle market monitoring and Telegram summaries without a break. 3 phones can roughly match the output of a Mac mini for almost 0 cost. this setup runs Clawdbot 24/7 to pipe private signal alerts directly to a primary device. i suspect the hardware bottleneck for autonomous agents is already dead. compute is now so cheap that our junk phones is sufficient!

@Bugcrowd 8

One thing we hear over and over from this community: “Consistency pays off.” 💪 How long have you been in the game? No wrong answers.

Kimmy K2.5 just launched a local cloud model. And it runs Open Claw for FREE forever. No API costs. No token limits. No subscriptions. Here's the setup 👇 → Download Ollama at ollama.com. → Install Kimmy K2.5 cloud model. → Launch Open Claw with one command. → Runs locally but uses cloud processing. → Zero laptop slowdown. → Works on older machines perfectly. I just set it up in under 2 minutes. Zero configuration. Zero technical skills. Want the commands? DM me.

Exploiting information disclosure vulnerabilities! 🤠

The Complete AI Builder stack: Useful General Agent: @ManusAI General AI Productivity: @claudeai Building Mobile Apps: @v_computer Experimental Agent: @openclaw Advanced Vibe Coding: Claude Code Database: @convex Creative APIs: @fal LLM APIs: @openrouter Search API: @ExaAILabs Build an Agent: @claudeai Agent SDK

the best 20 accounts to follow in AI: @karpathy = LLMs king @steipete = built openclaw @gregisenberg = startup ideas king @rileybrown = vibecode king @corbin_braun = cursor king @jackfriks = solo apps king @levelsio = solo startups king @marclou = solo startups king @EXM7777 = AI ops + systems king @eptwts = AI money twitter king @godofprompt = prompt king @vasuman = AI agents king @AmirMushich= AI ads king @0xROAS = AI UGCs king @egeberkina = AI images king @MengTo= AI landing pages king @rryssf_ = automations king @kloss_xyz = systems architecture king @emollick = AI science king @Hesamation = AI/ML king follow them all and learn.

Web security isn't just for security practitioners. It's essential for everyone involved in the web ecosystem. 🌐 Explore the world of web security and learn about real-world vulnerabilities! 30+ Topics, 100+ Labs. portswigger.net/web-security/a…

The wait is over - online reg for DEF CON Singapore is open! It’s all happening at the Marina Bay Sands, April 28-30. You can learn all about it at defcon.org/html/defcon-si… Online registration will be open until April 24, but if you secure your spot before February 15 there’s an Early Bird discount available, along with a Student discount. DEF CON Singapore Training registration is open as well! Join us before the conference (April 26-27) if you’re looking to level up your skills with some intense, hands-on education from our world class trainers. Sessions and pricing are online at training.defcon.org. Tickets for the conference and the trainings are waiting for you at sg.shop.defcon.org. See you in Singapore!

Most hackers limit themselves to only using proxy interceptor, repeater, and intruder... 🤠 But these 8 unpopular Burp Suite features can save you hours of testing time (and find you more vulnerabilities)! 🤑 A thread! 🧵👇

Want to find more vulnerabilities using BurpSuite match & replace rules? 🤑 Open this thread! 🧵 👇

403 on /get_all_users 404 on /get_all_userz Then @Rhynorater fuzzed until a double-encoded “S” slipped past the NGINX filter. Result: 4.5M users' PII dumped. Bounty: $15K–$20K Full talk → youtu.be/PXqlHAoF2wc #BugBounty #DEFCON #BBV #AppSec #WebSecurity