Mahmoud Abd Alkarim

548 posts


@Maakthon

Offensive Security. https://t.co/M7y291h01j https://t.co/lR72Jri5fU I could be in your computer and you wouldn't know. #OSINT_بالعربي

bаϲƙɡ𝗋𝗈υոԁ Joined November 2013
383 Following · 749 Followers
Mahmoud Abd Alkarim @Maakthon ·
March results: 7 vulnerabilities reported in @Swisscom
* 2 Account Takeover (OAuth) + 2 fix bypasses
* 1 SSRF (internal systems)
* 1 Broken Access Control (delete any account)
* 1 Stored XSS
* 1 Reflected XSS
* 1 Credential Disclosure
Thanks to Swisscom security team #bugbounty
James Kettle @albinowax ·
I've just submitted my latest research to Black Hat USA! This one has been cooking since last June, can't wait to share it with the world... in fact I'm quite excited just to see the community reaction to the title reveal.
Mahmoud Abd Alkarim @Maakthon ·
Any update? --> × Any update before world war 3 --> ✓
Mahmoud Abd Alkarim @Maakthon ·
Lately, I don’t have the patience to read long articles anymore. Instead, I collect multiple articles on a single topic (like SSRF vulnerabilities), feed them into #NotebookLM, and it generates an audio discussion with two speakers. This feels absolutely insane 🤯
Mahmoud Abd Alkarim @Maakthon ·
🚀 Built GoTel Cloud - a free platform for devs & security researchers to capture, inspect & analyze web requests in real-time. Now in beta → gotel.cloud
Sam Curry @samwcyo ·
Coming back from a bit of a hacking break and have a few blog post drafts written up. Would anyone be interested in reading about hacking online gambling companies, even if the bugs are super simple? So many actuators/easy findings with crazy impact, but nothing very complicated.
Mohamed Sayed (ret2flex) 🇵🇸
I was working on a device in Egypt that allowed me to control a car using this device. Here are the details: fahemsec.com/blog/devicex-s…
James Kettle @albinowax ·
This research forcibly taught me just how valuable collaboration is! You probably already knew that but it was eye opening for me! Excited to try more in future…
sw33tLie @sw33tLie

Super glad to have collaborated on @albinowax’s research this year with @bsysop and @_medusa_1_. Funny enough, it all started with a random Slack DM that revealed a potential research collision with James, and things took off from there.

James Kettle @albinowax ·
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
BSidesCanberra @BSidesCbr ·
KEYNOTE: Not All Vulnerabilities Are The Same 10 years ago, @infosec_au spoke at the first BSidesCbr. Now Australia’s top bug bounty hunter, he’s back to unpack enterprise zero-days, building Assetnote’s team, and what makes a vuln actually matter. cfp.bsidescbr.com.au/bsides-canberr…
djurado @djurado9 ·
I still see a lot of people who think anything involving AI is just marketing hype. Over the past few weeks, I’ve seen @Xbow exploit RCEs (among other critical bugs) in core production apps across many top-tier bug bounty programs. And I’m not talking about random targets, these are the kind of programs that pay huge bounties for critical vulnerabilities. I’ve been in the bug bounty scene for a long time, and honestly, this is mind-blowing. It's hard to see this level of success even among well-known hackers. If you want to learn more, come find us next week at @BlackHatEvents (Booth #3257) and @BugBountyDEFCON/@defcon. We will be more than happy to showcase some cool traces and talk more about AI and security!
Intigriti @intigriti ·
You've identified a possible SQLi 🤑 But Cloudflare WAF is in the way... 😓 What if you could just entirely bypass this firewall and get your payload through? 🤠 In our latest article, we documented several ways to identify the origin IP of your target behind popular CDNs and firewalls! Read the article today! 👇 intigriti.com/researchers/bl…
Lupin @0xLupin ·
In a few hours I'm going to release my first video on Youtube ! 🔥 The title: Bypassing a WAF by Finding the Origin IP Hope you'll enjoy the video 🤟
XBOW @Xbow ·
XBOW is now the #1 hacker on HackerOne, globally. For the first time, our autonomous AI pentester tops the worldwide leaderboard. Next week at #BlackHat, we’re taking it live: We’ll run real-time on HackerOne programs—come see XBOW find vulnerabilities. 📍 Booth 3257
James Kettle @albinowax ·
Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1:
- Watch the livestream from #DEFCON at 16:30 on 8th
- Read the whitepaper on our website
- Grab the HTTP Request Smuggler update & @WebSecAcademy lab
Follow for updates & links. It's nearly time!