Nithin 🦹‍♂️

9.3K posts


@thebinarybot

Heckr | Former Community Manager @InfoSecComm | eJPT | Certified Red Team Professional (CRTP)

DM for Collaborations. Joined March 2018
570 Following, 19.3K Followers
Pinned Tweet
Nithin 🦹‍♂️@thebinarybot·
THEBINARYBOT'S GUIDE TO API HACKING IS AVAILABLE NOW FOR SALE!!! Learn and find different API-related vulnerabilities such as: -BOLA -BOFA -SSRF and more... Use code "thebotswarm" to get the product for just $5. Valid till 6 Mar. #bugbounty thebinarybot.gumroad.com/l/apihackinggu…
Nithin 🦹‍♂️@thebinarybot·
I'm happy to provide more data if needed and I would more than be happy to be wrong. I myself have used this image earlier and wouldn't be surprised if you did too.
Nithin 🦹‍♂️@thebinarybot·
I also tried to find the author but couldn't find their socials. Funny how this image has almost 500K+ downloads and the official release just has 4.4K
Nithin 🦹‍♂️@thebinarybot·
I still do not have a complete picture or understanding of how the communication is being made, so if anyone has extra time and wants to poke around this release of amass, please do. More context on the APT group and what they do here: welivesecurity.com/en/eset-resear…
Random Robbie@Random_Robbie·
@thebinarybot Just give it a shit load of targets like 100k targets works wonders haha
Nithin 🦹‍♂️@thebinarybot·
If you have Claude Enterprise plan (unlimited Opus 4.6 access) and can use it for bug bounty/pentesting - how would you use it?
Nithin 🦹‍♂️@thebinarybot·
100% with you on the context window part. However, I can pretty much do the same JS analysis with my automation workflow - jsluice + trufflehog. I'm experimenting with writing custom nuclei templates, but again I'd have to find something meaningful first as a bug to write it. That's a good shout, thank you!
Evan Klein@EvanKlein338226·
Feed it massive JS bundles for source analysis. Opus handles 200k context like a champ - paste entire webpack chunks and ask it to trace auth flows, find hardcoded secrets, or map API endpoints. Also great for writing custom nuclei templates based on observed app behavior. "Here's 50 requests from Burp, write me detection rules for these patterns." The context window is the real power move.
Nithin 🦹‍♂️@thebinarybot·
@Random_Robbie Interesting. I haven't tested it out to the fullest yet - mostly because I don't even know what to give it lol. Also very skeptical about the entire AI access part, so any directions you could give me on how you used it to max out would be cool 🙌
Nithin 🦹‍♂️@thebinarybot·
@rez0__ Would that be more recon+analysis related stuff or actually running tools using the likes of MCP? Asking because I'm still not able to truly understand how to utilize Claude to the fullest.
Nithin 🦹‍♂️@thebinarybot·
About to ditch X for threads this year. Watch me lead 💪
Nithin 🦹‍♂️ retweeted
shubs@infosec_au·
IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue: github.com/assetnote/newt…
Nithin 🦹‍♂️@thebinarybot·
You are a penetration tester and your company has bought Claude Enterprise. How're you going to use it?
Nithin 🦹‍♂️ retweeted
Psyho@FakePsyho·
Radar graphs are among the worst ideas in data visualization. The whole point of them is to show the area and you can usually reorder the labels freely in order to create a desired dramatic effect. Two versions of the same graph: - left one tells the story that AI is rapidly replacing whole industries - right one shows the "jaggedness" and reinforces the idea that humans will always have something that AI won't be able to replicate
Andrew Curran@AndrewCurran_

Striking image from the new Anthropic labor market impact report.

Nithin 🦹‍♂️@thebinarybot·
I see it similar to publishing reports without taking prior permission. In fact it's worse than that because I suppose organizations wouldn't be able to reverse and find who uploaded what to an AI. But if it's publicly available, then why not? What stops anyone from harvesting it?
dawgyg - WoH@thedawgyg·
This opens up a new discussion people haven't had yet. Who gets to decide what AIs get bug bounty reports? The hacker or the program or both? Should hackers be allowed to give their reports to an AI without the company's permission? Should the company have a say in it? It's all uncharted territory, but as the ToS and RoE are written for most programs/platforms, doing this likely violates them unless you ask every single program for permission to do so prior (except for publicly disclosed reports)
Corben Leo@hacker_

@AnthropicAI you killed it. wow.

Nithin 🦹‍♂️ retweeted
spaceraccoon | Eugene Lim@spaceraccoon·
Idk about yall but I feel like Mr Robot still doesn’t get talked about enough? It seems to have greatly influenced a narrow cohort of hackers but doesn’t have much cultural mindshare today