roughwire

859 posts

@roughwire

Security Engineer I love guitar more than info security ❤️

Joined March 2015
485 Following · 1.3K Followers
Pinned Tweet
roughwire (@roughwire)
I am not a frequent bug bounty hunter. I am a pentester with some years of experience in infosec. I started bug bounties in March 2020 on a weekly basis. Today I have bought this baby with my bounties. A big thanks to @Hacker0x01

Pomme (@pxmme1337)
« I respectfully asked you to disclosure my report and you moron mother fucker deducted my Reputation Point .... Bloody Mother Fucker..................... TAXI DRIVER..... »

roughwire retweeted
Six2dez 🇵🇸 (@Six2dez1)
This is the first public release of Burp AI Agent. Expect rough edges. If something isn’t clear after reading the docs or you hit a bug, feel free to open an issue. Feedback and improvements are very welcome. Repo: github.com/six2dez/burp-a… Docs: burp-ai-agent.six2dez.com

roughwire retweeted
Behi (@Behi_Sec)
IDOR Trick: If you're dealing with a UUID-based IDOR, try this: 00000000-0000-0000-0000-000000000000 This might expose default objects or unintended access.

roughwire retweeted
André Baptista (@0xacb)
If you found a package.json file in the wild, you might find some internal packages vulnerable to a dependency confusion attack 👀 Check for it quicker using this cool new tool by JSMon: app.jsmon.sh/tools/npm-vali… 👇

roughwire retweeted
binaryboy (@b1n4r1b01)
Brief info and POC for this week's Apple 0click iOS 18.6.1 RCE bug CVE-2025-43300 github.com/b1n4r1b01/n-da…

roughwire retweeted
Intigriti (@intigriti)
💡 Tip! Injecting Log4Shell payloads is also possible in PDF files! eelyvy has a dedicated GitHub repository showing exactly how to craft your PDF payload file! 😎 🔗 github.com/eelyvy/log4jsh…

roughwire retweeted
André Baptista (@0xacb)
Have you checked out @hadriansecurity's subwiz? It's a recon tool that uses ML to predict and resolve subdomains👇

roughwire retweeted
André Baptista (@0xacb)
Ready to explore how AI is transforming Ethical Hacking? We've put together some introductory hands-on examples including:
🔍 Recon & Discovery: Contextual subdomain enum, screenshot analysis, and content discovery
⚡ Exploit Development: Automated vulnerability detection
🤖 Hackbots: Using and extending open-source AI agents, leveraging Burp AI
🧠 Integrations & Plugins: MCP servers for Burp Suite and Ghidra, Caido Shift Plugin and custom tool orchestration
🏆 CTF Challenges: 3 simple scenarios to test your skills
This repository contains a workshop guide, educational tools and scripts for learning how AI can be applied in offensive security. Check it out: github.com/ethiack/ai4eh

roughwire retweeted
André Baptista (@0xacb)
DMARC can reveal more domains associated with a target. dmarc.live/info/<target-domain> allows you to find domains using the same DMARC record. Check it out 👇 There's also a python tool: github.com/Tedixx/dmarc-s…

roughwire retweeted
André Baptista (@0xacb)
A cool recon trick to find more targets is to check out CSP policies for juicy assets. csprecon can do this for you 👉 github.com/edoardottt/csp…

roughwire retweeted
xEHLE (@xEHLE_)
New writeup: Early last month, @samwcyo, @sshell_, and I found a Django ORM injection in an online shooter game that let us steal cryptocurrency from the game's wallet. Read the blog post here: blog.p1.gs/writeup/2025/0…

roughwire retweeted
sw33tLie (@sw33tLie)
Many don’t realize they already have a powerful, fully autonomous, free hackbot on their computer. If you’re using Cursor, you’ve got it. Here's Cursor solving a @PortSwigger webacademy SQL injection lab! #bugbounty

roughwire retweeted
inzo (@inzo____)
back to work with @zhero___ and a new vulnerability on @nextjs that led to CVE-2025-49826
both routers are impacted:
app router: framework's cache is directly impacted on ISR pages, regardless of the presence of a CDN
pages router: SSR pages only + requires a misconfigured CDN

roughwire retweeted
Paul Couvert (@itsPaulAi)
Gemini CLI can automate your computer using MCP 🔥 Add Windows MCP (or macOS MCP) to Gemini CLI and you can tell it what to do autonomously. Gemini then takes control of your entire system to achieve the goal you've set. Links below

roughwire retweeted
Hacksparo 🥷👾 (@hack_sparo)
We’re cooked, guys. A new vulnerability has been discovered in sudo and you don’t even need to be in the sudo group to get root. I just tried it 👇