Behi

1.2K posts

@Behi_Sec

Bug Hunter & Tool Builder. Racing to $1M in 2026 - tracking every dollar. 🐞 Bug Bounty: $45,760 💻 https://t.co/0Kfb8gm7r0: $209

Location: /dev/null · Joined July 2025
79 Following · 6K Followers
0xShyron (@0xShyron):
@Behi_Sec bro I am learning prompt injection, it will be great if you can share some resources like from where you studied
Denis Yurchak (@denisyurchak):
My startup was hacked! I launched my own travel eSIM service, eSIMPal. It started making money, the users were happy, and all was good, but today I woke up to a hacked website. Somebody managed to get three 50 (!) GB eSIMs for Kuwait and Saudi Arabia for free, and we started using them heavily. I wired up Claude, and we discovered the issue: the user could pass a parameter from the client to the server and make the eSIM cost 0 dollars. I fixed the issue and blocked this user, and he only managed to use 5 GB worth of data. The internet is full of sharks, boys – triple test all the payment-related code, make sure different LLMs cross-check each other's work. Now I'm writing code with GPT-5.4 and making Opus 4.6 review everything for vulnerabilities. And my hacker bro, if you are reading this, I'll get you your Saudi eSIM, don't worry. Use the promo code IHACKEDESIMPAL for 10% off and chill.
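The bug class in the post above is a client-supplied price parameter that the server trusts. The following is an added example, not code from eSIMPal or from the poster: a vulnerable checkout handler next to a hardened one that takes the price only from a server-side catalogue, plus a small helper that flags price-like fields arriving from the client (a signal worth logging, since a legitimate client never sends them). Product ids, prices and the request shape are constructed for this example.

```python
"""Client-controlled price vs. server-authoritative pricing (added example)."""
from dataclasses import dataclass

# Constructed catalogue: the server's only source of truth for prices, in USD cents.
# Product ids and amounts are invented for this example.
CATALOG = {
    "esim-kw-50gb": 4500,
    "esim-sa-50gb": 4900,
}


@dataclass
class Order:
    product_id: str
    quantity: int
    charged_cents: int


class PricingError(ValueError):
    """Raised when a checkout request cannot be priced safely."""


def checkout_vulnerable(request: dict) -> Order:
    """The flaw described in the post: the price the client sends is the amount charged."""
    product_id = request["product_id"]
    if product_id not in CATALOG:
        raise PricingError("unknown product")
    qty = int(request.get("quantity", 1))
    price = int(request["price"])  # attacker-controlled; 0 means a free eSIM
    return Order(product_id, qty, price * qty)


def checkout_hardened(request: dict) -> Order:
    """Fix: the price is looked up server-side and client price fields are ignored."""
    product_id = request.get("product_id")
    if product_id not in CATALOG:
        raise PricingError("unknown product")
    try:
        qty = int(request.get("quantity", 1))
    except (TypeError, ValueError) as exc:
        raise PricingError("invalid quantity") from exc
    if not 1 <= qty <= 10:  # bound quantity so it cannot be negative or absurd
        raise PricingError("quantity out of range")
    total = CATALOG[product_id] * qty
    if total <= 0:  # defence in depth: never create a zero or negative charge
        raise PricingError("non-positive total")
    return Order(product_id, qty, total)


def tamper_indicators(request: dict) -> list:
    """Detection: price-like fields a legitimate client never needs to send."""
    suspicious = {"price", "amount", "total", "discount"}
    return sorted(k for k in request if k in suspicious)


if __name__ == "__main__":
    # Constructed tampered request: the client claims the product costs 0.
    tampered = {"product_id": "esim-kw-50gb", "quantity": 3, "price": 0}
    print("vulnerable charges:", checkout_vulnerable(tampered).charged_cents)
    print("hardened charges:  ", checkout_hardened(tampered).charged_cents)
    print("tamper fields:     ", tamper_indicators(tampered))
```

The hardened handler never reads a price from the request at all; the only client-influenced input is the quantity, which is bounded. Logging whatever `tamper_indicators` returns gives a cheap detection for exactly the probing the post describes.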
Behi (@Behi_Sec):
My VS Code set up beats yours😈
Behi (@Behi_Sec):
Use this prompt for a thorough JS analysis:

You are an expert JavaScript reverse engineer and code analyst. I will provide you with a JavaScript file. Perform a structured analysis with the following objectives:

## 1. High-Level Overview
- What is this code's purpose?
- Architecture pattern
- Key dependencies and frameworks used
- Execution flow: how does the code initialize and what is the main entry path?

## 2. Attack Surface & Endpoints
Extract and list ALL of the following in structured tables:

| Category | Examples to look for |
|----------------------|---------------------------------------------------------|
| API routes/endpoints | paths, HTTP methods, route patterns |
| Parameters | query params, body fields, URL params, headers expected |
| Auth mechanisms | tokens, cookies, session logic, OAuth flows, API keys |
| WebSocket events | event names, channels, message schemas |
| External calls | fetch/axios URLs, third-party APIs, webhook targets |

## 3. Hidden & Interesting Artifacts
Look beneath the surface for:
- Hardcoded strings: URLs, IPs, hostnames, ports, internal service names
- Environment variables referenced (process.env.*)
- Database schemas, table/collection names, field names
- Role names, permission levels, feature flags
- Debug/admin/test routes or commented-out functionality
- Error messages that reveal internal structure
- Regex patterns (what are they validating/extracting?)
- File system paths (uploads, logs, configs, temp dirs)

## 4. Data Flow Map
Trace how user input moves through the code:
- Entry point (where does external data come in?)
- Transformations (parsing, validation, sanitization, or lack thereof)
- Storage (where does it end up: DB, file, cache, external service?)
- Output (what gets returned/rendered to the user?)

## Formatting Rules
- Use tables for structured data (endpoints, params, env vars)
- Use code snippets with line references for each finding
- Flag anything that seems intentionally obscured or unusual
- If the code is minified/obfuscated, note patterns and attempt to identify the original framework or library

---
Here is the code:
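Section 3 of the prompt above (hardcoded URLs, `process.env.*` references, admin routes, role names, leftover comments) is the part that is easy to pre-compute mechanically before handing a bundle to a model. The following is an added example, not the poster's tooling: a small static extractor that runs a set of regexes over a JavaScript bundle and additionally flags URLs pointing at private IP ranges or internal-looking hostnames, which is what a defender reviewing a shipped bundle most wants surfaced. The sample bundle, every hostname, path and variable in it, and the regex set are constructed for this example.

```python
"""Static extraction of attack-surface artifacts from a JS bundle (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample bundle: every host, path, variable and comment here is invented.
SAMPLE_JS = r"""
const API = process.env.API_BASE || "https://api.example.internal:8443";
fetch(API + "/v2/users/me", {headers: {Authorization: "Bearer " + token}});
axios.post("/api/orders", {sku, qty});
router.get("/admin/debug/flags", requireRole("superadmin"), handler);
// TODO remove before release
const legacy = "http://10.0.0.12:9200/_cat/indices";
const EMAIL_RE = /^[\w.+-]+@[\w-]+\.[\w.]+$/;
const feature = process.env.FEATURE_BETA_CHECKOUT;
"""

# One regex per artifact category from the prompt's "Hidden & Interesting Artifacts" list.
PATTERNS = {
    "env_vars": re.compile(r"process\.env\.([A-Z0-9_]+)"),
    "urls": re.compile(r"""["'](https?://[^"'\s]+)["']"""),
    # Server-side route registrations such as app.get("/x") or router.post("/y").
    "routes": re.compile(
        r"""\b(?:app|router)\.(?:get|post|put|delete|patch)\(\s*["'](/[^"']*)["']"""
    ),
    # String literals that look like API paths called from the client.
    "relative_endpoints": re.compile(r"""["'](/(?:api|v\d)[^"'\s]*)["']"""),
    "roles": re.compile(r"""requireRole\(\s*["']([^"']+)["']"""),
    "todo_comments": re.compile(r"//\s*(TODO[^\n]*)"),
}


def extract_artifacts(js: str) -> dict:
    """Map each artifact category to its sorted, de-duplicated matches."""
    return {name: sorted(set(rx.findall(js))) for name, rx in PATTERNS.items()}


def flag_internal(urls) -> list:
    """Return the URLs whose host is a private IP or an internal-looking name."""
    flagged = []
    for url in urls:
        host = urlparse(url).hostname or ""
        try:
            internal = ipaddress.ip_address(host).is_private
        except ValueError:  # not an IP literal: fall back to suffix heuristics
            internal = host.endswith((".internal", ".local", ".corp", ".lan"))
        if internal:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    found = extract_artifacts(SAMPLE_JS)
    for category, items in found.items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
    print("internal URLs:", flag_internal(found["urls"]))
```

The regexes are deliberately narrow; on a real minified bundle you would extend the URL and route patterns and feed the extractor's output into the prompt's tables rather than pasting the whole file. The `flag_internal` heuristic is a triage aid: it ranks which findings to look at first, not a verdict on whether a host is reachable.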
Behi (@Behi_Sec):
No one will get rich just by using AI in their workflows. But you will probably lose to the competition if you do not leverage it.
Behi (@Behi_Sec):
If you don't tell Claude how to secure your app, it won't do it. And if your app gets hacked, you'll lose everything. Use the VibeSec skill to secure your apps for free: github.com/BehiSecc/VibeS…
Behi (@Behi_Sec):
@yz9yt This is cool, thanks!
Behi (@Behi_Sec):
Nothing is more energy-consuming than starting on a new bug bounty program. AI is fixing that. Simply ask Claude in Chrome to browse the entire application and provide you with a review of its attack surface.
Behi (@Behi_Sec):
@Geocapri I will once it’s fixed.
geo457 (@Geocapri):
@Behi_Sec Congratulations. Is this from Google AI VRP? If so, could you make a writeup?
Behi (@Behi_Sec):
Google just rewarded me with a $12,000 bounty😃 Now, I'm closer to my $1m goal. Tip: Always validate your assumptions, as there are always exceptions.
Evan Klein (@EvanKlein338226):
@Behi_Sec $12k from Google is insane congrats! 🔥 Curious about your OpenClaw automation setup - what parts of your workflow are you automating? Recon, report writing, or something else?
Behi (@Behi_Sec):
Weekly Update:🗓️
- Gained 5 more customers for VibeSec.sh, bringing my total to 10.
- Earned a $12,000 bounty from Google.
- Finally figured out how to automate my workflow using OpenClaw effectively.
What did you do this week?
Adeel (@Adeel0352293644):
@Behi_Sec Are the labs from PortSwigger enough to learn bug bounty, or are other resources also necessary?
Behi (@Behi_Sec):
The only app that I would like to see having issues is “GitHub Copilot”. It's basically giving me free requests😆
Behi (@Behi_Sec):
Good morning, guys🌇 Let us work hard and bring our dreams to reality. My plan for the week:
- Getting started on the GitLab bug bounty program
- Building a new application
- Fixing VibeSec.sh issues
- Tracking all of my tasks to identify parts that I can automate
What's your plan?
Behi (@Behi_Sec):
OK, what's your favorite AI IDE:
Behi (@Behi_Sec):
The more time you spend on a target, the higher your chances of finding bugs. However, very few people are willing to spend weeks or even months just to understand how an application truly works.
Behi (@Behi_Sec):
Bug Bounty Tool: Nikto, my old friend, is a reliable, go-to web server scanner. I still use it whenever I see an old-looking domain. github.com/sullo/nikto
Behi (@Behi_Sec):
I believe AI is significantly more helpful when you break down your tasks into micro-steps. If you provide curated rules and filters for each stage of the process, the outcome will improve magically.