729 posts

🇪🇬Mahmoud samaha🇵🇸 🔻 🪂
@0x__4m
Jr. Penetration Tester | Bug Hunter at https://t.co/iYoIVYlyJ2 https://t.co/N1Br1SlJHu
Joined September 2019
1.2K Following 1.1K Followers
🇪🇬Mahmoud samaha🇵🇸 🔻 🪂 retweeted

This is the people of Gaza, the people who do not know the impossible, who break every equation the enemy has written on our land. The displaced return to northern Gaza like an army of hope, their hearts stronger than the rubble and their spirits higher than all the walls of the siege.
What madness is this that makes a people like this unbreakable? What strength makes them return to a land where they lost homes and loved ones, as if declaring: "This is our land and we will never leave it"?
We take pride in a people who rise from beneath the ashes, who resist pain with love, destruction with building, and displacement with return. This steadfastness is not ordinary; it is pure heroism. Glory to you, heroes of Gaza, and peace to your land.
🇪🇬Mahmoud samaha🇵🇸 🔻 🪂 retweeted

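Tel Aviv felt anxious about its salad plate, so they ran bridges of cucumbers and tomatoes to it. Then Gaza cried for help against death by starvation, and they made their ears deaf!
Tel Aviv felt sleepless after the night of the drones, so they launched defenses to intercept them and reassure it. Then Gaza screamed from death by burning, and they shut their eyes!
Tel Aviv felt terror for itself, so they fought the demonstrations and closed the border roads. Then Gaza sought protection from slaughter, alone with no one to support it, and they sealed their mouths!
Who gave these people the history book upside down?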
🇪🇬Mahmoud samaha🇵🇸 🔻 🪂 retweeted

I posted a new video explaining what privilege escalation vulnerabilities in applications are.
Honestly the easiest way to make money, and as simple as it gets, is privilege escalation.
It is present in many sites, and not many people talk about it either.
Link: youtu.be/IcOEURCXRHM?si…
I hope the video gives you some new information ❤️
#cyberbugs #privilege_escalation

🇪🇬Mahmoud samaha🇵🇸 🔻 🪂 retweeted

🔐Secrets no one will share with you - Here's a technique that might grant you access to take over other users' accounts using "Login with Facebook":
Are you working on a target site that supports "Login with Facebook"?
Disable email sharing during Facebook login and be ready for unusual design flows that could enable you to take over other users' accounts.
Here's how to disable email sharing when using "Login with Facebook":
1️⃣ Log in with Facebook on any app.
2️⃣ Click "Edit Access."
3️⃣ Uncheck the email address checkbox.
4️⃣ Click Continue.
Here are some scenarios of account takeovers I've reported based on different target app behaviors:
Account Takeover via Linking Facebook Flow:
1️⃣ Went to http://example[.]com, used "Login with Facebook" (Uncheck share email on Facebook).
2️⃣ The target site asked to enter an email to link my FB account as no email was shared from FB. Entered victim@example.com, a confirmation link was sent to the victim's email to bind the account.
3️⃣ Repeated the same steps on the target site using the same FB account, this time chose to link attacker@example.com on target site – received the same link as step (2) on the attacker controlled email!
4️⃣ Knowing this, repeated the same steps again to link victim@example.com, and used the earlier link which was received on attacker@example.com to take over the victim@example.com account.
Direct Account Takeover via Login with Facebook:
1️⃣ Went to http://example[.]com, used "Login with Facebook" (Uncheck share email on Facebook).
2️⃣ The target site prompted me to enter an email to link the FB account to an existing account since no email was shared from FB. Entered victim@example.com. It directly logged me into victim@example.com without any further verification, leading to a complete account takeover.
Pre-Account Takeovers:
Do you have a target app that heavily relies on a user's email domain to grant access to organizations or critical features based on whitelisted domains? Using this technique can help you bypass email verification requirements, allowing you to claim any email. Consequently, you may be able to access critical features of other organizations permitted for emails with the same domain.
Lesson: Always test unusual login flows by logging in with a 3rd party provider without sharing email with the target site. These designs can be flawed and lead to nice bounties! 💰 #BugBounty #CyberSecurity #HackerOne #bugcrowd #securitytips #bugbountytips
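Seen from the server side, the linking flow in the post fails when the confirmation link proves only which Facebook account asked for it and not which mailbox received it. The sketch below is an added example, not part of the original post or any site's code; the function names, the HMAC token layout, the 15-minute lifetime and the sample ids are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed signing key for the demo
TTL_SECONDS = 900                      # assumed lifetime of a confirmation link


def _mac(*fields):
    # Unit-separator join keeps ("a", "bc") distinct from ("ab", "c").
    msg = "\x1f".join(fields).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_flawed(fb_id, email):
    # Flaw: the token authenticates only the Facebook account, so every
    # link issued for that account is identical whatever email was typed.
    return _mac("link", fb_id)


def confirm_flawed(token, fb_id, pending_email):
    return hmac.compare_digest(token.encode(), _mac("link", fb_id).encode())


def issue_bound(fb_id, email, now=None):
    # Hardened: the mailbox the link was sent to and an expiry are signed too.
    expires = str(int(time.time() if now is None else now) + TTL_SECONDS)
    return f"{expires}.{_mac('link', fb_id, email.strip().lower(), expires)}"


def confirm_bound(token, fb_id, pending_email, now=None):
    expires, _, tag = token.partition(".")
    if not (expires.isascii() and expires.isdigit()):
        return False
    if int(expires) < (time.time() if now is None else now):
        return False
    expected = _mac("link", fb_id, pending_email.strip().lower(), expires)
    return hmac.compare_digest(tag.encode(), expected.encode())


def replay_check(issue, confirm):
    """Regression check: does a link mailed to one address confirm another?"""
    fb_id = "fb-1001"                                    # constructed provider id
    mailed = issue(fb_id, "attacker@example.com")        # delivered to this inbox
    return confirm(mailed, fb_id, "victim@example.com")  # pending email changed
```

The same binding rule covers the direct-login scenario: an email typed by the user is only a claim until a link bound to that exact address has been opened.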

🇪🇬Mahmoud samaha🇵🇸 🔻 🪂 retweeted

New video on YouTube from an hour ago
Titled: AI Will Automate The IDORs
In it we talk about the idea of automating IDORs with the help of ChatGPT
Link:
youtu.be/vi_7rPYhPPg
#cyberbugs #IDORs #automation #bugbountytips

🇪🇬Mahmoud samaha🇵🇸 🔻 🪂 retweeted

Bug Bounty Tips: Penetration Testing Android/iOS Apps? 📱
Today, I'd like to introduce a valuable open source tool that I frequently rely on:
Mobile Security Framework (MobSF), an all-in-one mobile app pen-testing and security assessment tool. It works seamlessly with various mobile app formats, and offers dynamic analysis capabilities.
The best part? You can try it out without installation! Experience MobSF directly at mobsf.live. If you prefer to install and run your own local version, you can do so via github.com/MobSF/Mobile-S….
While MobSF offers a range of features, here's the list of things I use it for:
📥 Easy to use: Easily analyze your APK with straightforward drag-and-drop functionality, eliminating the need for multiple tool installations. This is specifically good for beginners because they don't have to rely on complex installation of 5 different tools for testing an app.
🔑 Identifying Hardcoded Secrets: The tool helps flag hardcoded credentials, aiding in validation and reporting. I've had some quick wins through this module with sensitive tokens/API keys disclosed.
☕ Reviewing Java Source Code: I mostly use it to examine Java source code for my target, uncovering API endpoints, design flaws, or reverse engineering possibilities to overcome jailbreak detection, etc.
🕵️ Reverse Engineering: It helps with reverse engineering, including de-compilation, disassembly, and debugging.
🔄 Dynamic Analysis: It integrates with Genymotion to inspect HTTP traffic while navigating through the app, effectively detecting endpoints. I use it at times to get a quick idea of what HTTP calls are being made when initially navigating through my target.
It's worth noting that I still use other tools like Burp Suite, MITM, and Charles Proxy. However, I usually run my target apps through MobSF first as it gives me a nice overview of the target and some quick wins.
Give it a try and enhance your mobile app security assessments! 💪🔍 #BugBounty #MobileSecurity #PenTesting #Cybersecurity #HackerOne #BugCrowd #InfoSec #BugBountyTips

🇪🇬Mahmoud samaha🇵🇸 🔻 🪂 retweeted

🚀Question of the day: How to Identify & exploit race condition Issues?
🏁 I've reported 30+ race condition Issues, and it's been quite the profitable journey! 🤑 Despite their prevalence, these vulnerabilities often fly under the radar.
📚 Real-World Scenarios: Let's dive into some real-world examples where race condition Issues can be a goldmine:
1️⃣ Daily Bonus Claim: Beat the "once a day" limit via a race condition attack to claim multiple bonuses.
2️⃣ Limited Seats: Exceed the allocated seats per account by inviting more users than allowed.
3️⃣ Order Cancellation: Exploit race condition Issues on order cancellations to receive multiple refunds for the same order.
4️⃣ License Limitations: Overcome app restrictions that limit actions per license through a race condition attack.
5️⃣ Daily Action Limit: If there's a daily limit on an activity, use a race condition attack to show that the limit can be bypassed.
Exploitation in Action:
1️⃣🔍 Identifying Race Condition Vulnerabilities: Start by identifying functions that are restricted by limitations. The examples I've mentioned are just the tip of the iceberg, and there could be similar functions within your target.
2️⃣ Intercept: Use tools like Burp Suite to intercept and send the request to Turbo Intruder.
3️⃣ Send Multiple Payloads: Send 30-50 payloads within a short timeframe. This overload can lead to unexpected outcomes as the system struggles to handle concurrent requests.
Race conditions are a treasure of opportunities, and the potential for profit is substantial.
Takeaways: Don't underestimate the power of race condition Issues. Include them in your checklist for bug hunting, and you might just land some lucrative bounties. Remember, these principles apply not only to traditional web applications but also to the exciting realm of Web3 security. 🌐💰 #CyberSecurity #BugBounty #HackerOne #bugbountytips #securitytips #bugcrowd
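On the fixing side, the "once a day" limit in the first scenario breaks when the handler checks for an existing claim and records the new one as two separate steps. The sketch below is an added example, not part of the original post; the table and function names are assumptions, and the flawed burst models the interleaving explicitly (every request finishes its check before any writes) instead of using real threads.

```python
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    # Flawed table: nothing stops two rows for the same user and day.
    db.execute("CREATE TABLE claims_flawed (user_id TEXT, day TEXT)")
    # Hardened table: the database itself enforces one claim per user per day.
    db.execute("CREATE TABLE claims_safe (user_id TEXT, day TEXT, "
               "PRIMARY KEY (user_id, day))")
    return db


def already_claimed(db, user_id, day):
    # "Check" half of the check-then-act handler.
    row = db.execute("SELECT COUNT(*) FROM claims_flawed "
                     "WHERE user_id = ? AND day = ?", (user_id, day)).fetchone()
    return row[0] > 0


def flawed_burst(db, user_id, day, n):
    """Bonuses granted when n requests all pass the check before any write."""
    passed = [not already_claimed(db, user_id, day) for _ in range(n)]
    for ok in passed:
        if ok:  # "Act" half: too late, every request already saw zero claims.
            db.execute("INSERT INTO claims_flawed VALUES (?, ?)", (user_id, day))
    return sum(passed)


def claim_atomic(db, user_id, day):
    # One statement: the insert either creates the row or is ignored, so there
    # is no window between checking and writing for another request to use.
    cur = db.execute("INSERT OR IGNORE INTO claims_safe VALUES (?, ?)",
                     (user_id, day))
    return cur.rowcount == 1


def safe_burst(db, user_id, day, n):
    """Bonuses granted for n requests against the constrained table."""
    return sum(claim_atomic(db, user_id, day) for _ in range(n))
```

Because the uniqueness rule lives in the primary key, the result of `safe_burst` does not depend on how the requests interleave.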
