Piyush Kumar @SilverPoision

1.1K posts

I craft weird ASCII patterns that make the internet panic.

India · Joined March 2017
951 Following · 452 Followers
Reposted by Piyush Kumar
Jorian @J0R1AN
We tested another mail client, Roundcube this time. The agents found a Stored Self-XSS vulnerability that could really only be exploited with Cookie Tossing. Scary for password reset tokens... Blog post below: aikido.dev/blog/roundcube…
Reposted by Piyush Kumar
r3verii @r3verii
HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555) r3verii.github.io/cve/2026/04/14…
Reposted by Piyush Kumar
James Kettle @albinowax
I'm thrilled to announce "Can AI Do Novel Security Research? Meet the HTTP Terminator" will premiere at @BlackHatEvents #BHUSA! Check out the abstract:
Reposted by Piyush Kumar
Kévin GERVOT (Mizu) @kevin_mizu
The #FCSC2026 ended today, and my write-ups are now available here: mizu.re/post/fcsc-2026… 🚩 I'm really happy with the challenges I managed to create this year! It would be too long to list everything, so here's a little teaser 👇 1/2
Quoted post from Kévin GERVOT (Mizu) @kevin_mizu:

This year again, with @BitK_ and @_Worty, we've made the Web challenges 🚩 The CTF is solo and lasts 10 days, if you have some time, please give it a look 😁 Even if you're not doing Web challenges, there are challenges in various categories, you should find something you like!
Reposted by Piyush Kumar
sudi @sudhanshur705
Last year I found a MXSS (dream) bug in a Mail app, it involved bypassing 2 consecutive sanitizers: recursive DOMPurify calls plus CKEditor. Hope you will like it sudistark.github.io/2026/04/07/mxs… All thanks to @kevin_mizu for putting such great content around mxss and those bypasses🙇‍♀️
Reposted by Piyush Kumar
XSS Payloads @XssPayloads
The Dot-Dot-Slash That Frameworks Hand You: CSPT Across Every Major Frontend Framework. Great deep-dive into the URL decoding pipelines of major frontend frameworks leading to XSS via CSPT, by @xssdoctor lab.ctbb.show/research/the-d…
Reposted by Piyush Kumar
Justin Gardner @Rhynorater
Always test for CSPT with %252F, not %252f. See the latest @ctbbpodcast episode with @xssdoctor to find out why.
Reposted by Piyush Kumar
Arpit Bhayani @arpit_bhayani
I follow Inbox Zero, and for me, it is genuinely a way to build trust with the people I work with. Here's how...

The idea is simple: every email gets acted on, delegated, scheduled, or cleared. Nothing sits there "for later." My inbox is a queue. Of course, I am not talking about notification emails from Jenkins, GitHub, general groups, etc. :)

The first benefit I get is reliability. Nothing important gets buried. I have the confidence that if something reaches my inbox, I have seen it and made a decision - even if that decision is to ignore it.

There is also a trust angle with managers and teammates. When I respond consistently, without being nudged, people notice. It reduces follow-ups and signals that I am on top of things. More than anything, it removes the mental tax of uncertainty.

One practical thing: not all emails deserve equal attention. I route the noise out of the inbox, like CI/CD alerts, GitHub notifications, and automated reports.

To me, Inbox Zero is about staying on top of human communication (we can say that now, I guess). It is not about an OCD for a clean inbox - but about making sure nothing important slips through the cracks, and I always know what's going on.
Reposted by Piyush Kumar
Critical Thinking - Bug Bounty Podcast
Two things @rez0__'s been running in his Claude Code setup worth stealing:

1. Self-improving CLAUDE.md loop

Add this somewhere in your file: "Anytime I get frustrated, anytime I have to re-explain something you didn't understand, or anytime you try a command and it fails repeatedly, add that lesson to the Applied Learning section in your CLAUDE.md"

Next time the same situation comes up, it already knows where your session files live, which commands work on your system, whatever it had to figure out the hard way. Saves you time, usage and frustration.

2. Discord as a remote Claude Code interface

He got tired of Claude RC not supporting --dangerously-skip-permissions so he built a Discord bot. Each task spawns its own thread as a session, tool calls render as diff blocks with green for additions, red for removals. There's also a resume command at the top of every thread so he can jump back in from a VPS. Takes voice messages and attachments. He uses it to validate findings, check logs, host files, all from his phone without touching his laptop.
Reposted by Piyush Kumar
terjanq @terjanq
XS-Leaks challenges just got harder. Chrome shipped Socket Pool Randomization which should hopefully make it much harder to learn about opened sockets! chromestatus.com/feature/649675…
Reposted by Piyush Kumar
Ibrahim AH @HouranyIbrahim
Someone: While I was sleeping, my AI agent found 50 bugs. The bugs it found 👇
Reposted by Piyush Kumar
WarMonitor @WarMonitorINTL
Breaking: 🚨 Iran Says Strait Of Hormuz Open For India, Closed For US, Israel & Europe
Reposted by Piyush Kumar
Jorian @J0R1AN
Just a few days later, there's the next blog post for @AikidoSecurity! Another framework-level vulnerability this time affecting Astro, resulting in SSRF if an unvalidated connection can be made to the webserver. Read the details here: aikido.dev/blog/astro-ful…
Reposted by Piyush Kumar
vas @vasuman
We just cancelled our Cybersecurity subscriptions. CrowdStrike. Cloudflare. Okta. All gone. We save over 4M/yr as a company. Instead I just use Claude Code to handle all security measures. We just gave up all our sensitive user data. I am being personally sued by the FTC and am writing this from an undisclosed location.
Quoted post from George Pu @TheGeorgePu:

Anthropic published a blog post one hour ago. Cybersecurity stocks have lost $10B since. CrowdStrike -6.5%. Cloudflare -6%. Okta -5.7%. One blog post. One hour. $10B gone.
Reposted by Piyush Kumar
Jorian @J0R1AN
My first disclosed vulnerability since joining @AikidoSecurity, and it's a banger! SvelteKit + Vercel = Cache Deception. This shows how AI agents can find framework-level vulnerabilities, and that caching will continue to cause headaches. Enjoy :) aikido.dev/blog/sveltespi…