hAPI_hacker

1.3K posts

@hAPI_hacker

{ "name": "Corey J. Ball", "author": "Hacking APIs", "creator": "https://t.co/y3EHBlzHvJ", "is_admin": true }

Grants Pass, OR · Joined May 2020
758 Following · 13.8K Followers
Pinned Tweet
hAPI_hacker @hAPI_hacker
🛡 🔨 🛡 🔨 🛡 🔨 🛡 🔨 Since the release of Hacking APIs, I've wanted to create a way for you to demonstrate your API hacking skills to yourself and to others. I'd like to introduce you to the API Security Certified Professional (ASCP)!
hAPI_hacker retweeted
JS0N Haddix @Jhaddix
If you are just starting to realize using AI in cybersecurity and offensive security is going to be a pervasive mandatory requirement… it’s ok. You’re not too behind. You can still master the tool before the tool masters you. I’ve been teaching these topics for 2 years now as part of “Red Blue Purple AI” and “Attacking AI”. I’ve been through capability changes, all of the frameworks, hype, doomers, all of it. I’ve consulted with Fortune 100 companies on breaking their AI systems as well as scaling their security teams with AI. The capabilities that everyone is amazed by have come really only in the last 6 months for most people. No-code agent skills in Claude, cron, program of thought, better models, auto run, research loops, etc. You have time… but be early. Don’t wait too much longer to change your attitude.
hAPI_hacker retweeted
Graham Helton (too much for zblock)
This is actually terrifying. Google's docs explicitly state that certain API keys should NOT be treated as a secret and should be placed into HTML. Without warning, these *public* credentials were suddenly used for the Gemini API, meaning anyone can access Gemini and uploaded data.
hAPI_hacker retweeted
Itamar Golan 🤓 @ItakGol
If Claude is capable of fixing security issues in code why can't he write secure code from the start?
hAPI_hacker retweeted
Graham Helton (too much for zblock)
This is going to be a blast, hope to see you there! I'll be covering why I think Kubernetes is an under-explored attack surface and demoing some fun vulnerabilities (with a lab you can mess around in!)
Stephen Sims @Steph3nSims

Tomorrow at 11AM PT! Join me with @GrahamHelton3 for a session & live demo of a Kubernetes authentication bypass he recently disclosed that turns a commonly granted read-only permission into remote code execution in any pod in the cluster! youtube.com/watch?v=jTbANt… @offby1security

hAPI_hacker retweeted
Graham Helton (too much for zblock)
Excited to disclose my research allowing RCE in Kubernetes. It allows running arbitrary commands in EVERY pod in a cluster using a commonly granted "read only" RBAC permission. This is not logged and allows for trivial Pod breakout. Unfortunately, this will NOT be patched.
Emily @writerofscratch
"写真はイメージです" might just be my favourite Japanese phrase, ngl.
hAPI_hacker retweeted
PortSwigger @PortSwigger
That’s a wrap on Burp on Tour 2025! 🌎 From university campuses and grassroots meetups to major global stages, we’ve been on the road connecting with the passionate minds shaping the future of Application Security. Read the full journey of Burp on Tour 2025 👉 portswigger.net/blog/burp-on-t… #BurpOnTour2025
hAPI_hacker retweeted
PortSwigger @PortSwigger
It’s the final day at Future of Software Technologies in Paris, and we’re not slowing down yet! 🇫🇷 Today at 12:30pm, Burp AI developer Daniel Allen will be taking the stage with his talk, Agents at the Gate: How Agentic AI is changing the security landscape. Check out a few highlights from the event so far... #FOST #FOSTParis #APIDays #BurpSuite #DAST #BurpAI
hAPI_hacker retweeted
The Hacker News @TheHackersNews
🚨 WARNING: A new attack can trick Perplexity’s Comet browser into deleting your Google Drive. Just one normal-looking email with hidden cleanup instructions can make the AI agent erase real files — no exploit, no warning. 🔗 Details here → thehackernews.com/2025/12/zero-c…
hAPI_hacker retweeted
The Hacker News @TheHackersNews
⚠️ URGENT: A 10.0-severity bug just hit React Server Components and Next.js. It lets anyone run code on your server — even without logging in. 🔗 Details → thehackernews.com/2025/12/critic… ⚙️ Fix: update to patched versions now.
hAPI_hacker retweeted
Burp Suite @Burp_Suite
"Burp AI can bring up a new generation of hackers faster and more effectively." In his new article, @hAPI_hacker explores how Burp AI: 🔬 Analyzes requests and adapts when attacks fail. 💬 Explains findings in clear language. 💪 Enhances human decision-making. 👉 portswigger.net/blog/hacking-w…
hAPI_hacker retweeted
Web Security Academy @WebSecAcademy
You've learned SQL injection, but have you learned NoSQL injection? This learning path covers the detection, exploitation, and prevention of NoSQL injection vulnerabilities. You’ll learn: 🔶 The core principles behind NoSQL injection and the different types of attacks. 🔶 How to perform both syntax and operator injection to read and manipulate data. 🔶 How to extract data from a database after you've successfully injected a query. 🔶 How to use timing-based injection to find vulnerabilities when a server doesn't provide a direct response. 🔶 Learning to secure your applications against these types of attacks. Begin your journey: portswigger.net/web-security/l…
hAPI_hacker retweeted
bugcrowd @Bugcrowd
What's DOM XSS and how do you find it? Here is how👇 ( With @InsiderPhD )
hAPI_hacker retweeted
Web Security Academy @WebSecAcademy
Somehow this old bug class keeps popping up in modern web apps! Path traversal is the gift that keeps on giving 😁 This learning path covers path traversal vulnerabilities, teaching you how to perform attacks, circumvent common obstacles, and prevent them in your applications. You’ll learn: 🔶 What path traversal is and how it can be used to read arbitrary files on a server. 🔶 How to carry out a basic path traversal attack against a server. 🔶 Learning how to bypass common obstacles like blocked traversal sequences and file extension validation. 🔶 How to implement robust defensive measures to protect against path traversal attacks. Master path traversal attacks now: portswigger.net/web-security/l…