Tur.js
@Tur24Tur
917 posts

Interested in Application Security, Bug Bounty, Reverse Engineering, Frida & Ghidra @NoBugEscapes @BugBountyZip https://t.co/bltifT1jkQ

Michigan · Joined October 2009
1.2K Following · 4.6K Followers
Tur.js retweeted
codecolorist@infosec.exchange @CodeColorist
iOS syscall trace in Wireshark
Tur.js @Tur24Tur
Spent the day expanding my agent to target additional security vulnerabilities. I also refactored parts of its design and implemented support for discovering and exploiting NoSQL injection attacks. The results were successful, and I’m very satisfied with the outcome. This is the same open source application I previously tested for XSS. I did not provide the agent with source code or any hints about how the backend queries are structured. I’m happy with the results, as the parameter was not present in requests generated by the search form. The agent discovered it in a JavaScript file and leveraged it in crafted requests. Next, I plan to extend the agent to detect XPath injection, which is something I haven’t explored or targeted before.

Below is a summary generated from one of the test runs:

It first attempted authentication bypass by injecting database operators into the login request. These attempts were rejected due to strict input type validation, confirming that authentication bypass is not possible. The agent then moved on to testing API endpoints that accept query parameters. It discovered that one endpoint passes user-supplied filter objects directly to the database without sanitizing operators. By injecting comparison and pattern-matching operators into the filter, the agent observed variations in response sizes under different conditions—confirming that the database was executing the injected queries. To validate this, the agent performed multiple reproductions: a true condition returned full results, an exclusion operator reduced the count by exactly one, a pattern match returned only relevant records, and an impossible condition returned zero results. Each variation produced a distinct response size, demonstrating that boolean-blind data extraction is possible. Finally, the agent determined that the vulnerable parameter is not exposed through the user interface. While the frontend only sends basic sorting options, the backend accepts additional filter parameters with raw database operators. This indicates a combination of hidden parameter abuse and NoSQL injection. #BugBounty #ai
Tur.js @Tur24Tur

Hello, the agent found multiple XSS on an open source project on GitHub. I deployed it locally on Docker and set up one account. After the agent found the XSS, I told him to write the steps he followed to be shared with everyone. It was an interesting one how he navigated the website step by step and linked the pieces together to achieve an exploit. Whenever I find any interesting results, I'll make sure to share them.

Finding Stored XSS in a CMS — An Automated Agent's Approach

TLDR
- Target: a modern CMS using Vue.js frontend
- Found 2 stored XSS in 22 minutes (157 tool calls)
- Root cause: asset title rendered via v-html without escaping
- Impact: session hijacking (no HttpOnly cookie), admin takeover

How It Went
1. Logged in, checked headers — no CSP, no HttpOnly on session cookie. Vue.js frontend means auto-escaping by default, so I needed to find where the app opts out.
2. Downloaded all JS files and grepped for dangerous sinks: innerHTML, v-html, insertAdjacentHTML. Most were sanitized or safe. One file stood out — the asset field renderer built raw HTML with template literals and fed it into v-html.
3. Tested many surfaces that did NOT work: model names, content fields, WYSIWYG editor, login redirects, API errors, color/tag fields — all escaped or stripped.
4. Found the gap: asset titles go into the render function unsanitized. Uploaded a text file, set the title to `` (29 chars, fits the 30-char truncation limit). Linked it to a content item. Visited the items list — alert fired.
5. Confirmed impact: document.cookie is readable (no HttpOnly), no CSP blocking inline scripts. Any user with asset permissions can plant the payload, and it fires when any admin views the page.

Key Takeaways
1. Source code analysis beats blind fuzzing — reading JS files and finding the exact sink saved hours.
2. v-html is the Vue XSS keyword — every v-html that touches user data is a potential bug.
3. Template literals are just string concatenation — they do not escape HTML.
4. Asset metadata is an overlooked input surface — most testers focus on content fields and URL params.
5. Truncation is not sanitization — 29 characters is plenty for an XSS payload.

#BugBounty #AgenticAI #InfoSec
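The hidden-parameter NoSQL injection described in the post above, reduced to its essence as an added example (not the author's agent or the tested application's code): a small in-memory stand-in for a MongoDB-style query engine, the vulnerable pattern that passes the user's filter object straight through, and a hardened builder that allows only whitelisted fields with plain string values. It assumes the filter object has already been parsed from the request, the way qs-style query parsers turn `filter[owner][$ne]=x` into nested objects.

```javascript
// Added example, not the author's agent or the tested app. `records` is
// constructed sample data; `matches` is a tiny stand-in for a MongoDB-style
// query engine, supporting only the operators the write-up mentions.
const records = [
  { title: "alpha", owner: "alice" },
  { title: "beta", owner: "bob" },
  { title: "gamma", owner: "carol" },
];

function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond === null || typeof cond !== "object") return v === cond;       // plain equality
    if ("$ne" in cond) return v !== cond.$ne;                                // exclusion
    if ("$regex" in cond) return new RegExp(cond.$regex).test(String(v));   // pattern match
    if ("$gt" in cond) return v > cond.$gt;                                  // comparison
    return false;                                                            // unknown operator
  });
}

// Vulnerable: the hidden `filter` parameter reaches the query untouched, so a
// client can smuggle operators and infer data from response-size differences.
function findUnsafe(userFilter) {
  return records.filter((d) => matches(d, userFilter));
}

// Hardened: accept only known fields and only string values. The whitelist
// rejects any `$`-prefixed key and the type check rejects nested operator
// objects, so the resulting query is equality-only.
const ALLOWED_FIELDS = ["title", "owner"];

function buildSafeFilter(userFilter) {
  const safe = {};
  for (const [field, value] of Object.entries(userFilter || {})) {
    if (!ALLOWED_FIELDS.includes(field)) throw new Error(`field not allowed: ${field}`);
    if (typeof value !== "string") throw new Error(`value for ${field} must be a string`);
    safe[field] = value;
  }
  return safe;
}

function findSafe(userFilter) {
  return records.filter((d) => matches(d, buildSafeFilter(userFilter)));
}

// True when the hardened builder rejects the filter, false when it would run.
function isRejected(userFilter) {
  try { buildSafeFilter(userFilter); return false; } catch { return true; }
}
```

The four probes the agent used (true condition, exclusion, pattern, impossible) give 3, 2, 1 and 0 rows against `findUnsafe`, which is exactly the response-size signal the summary describes; against `findSafe` every one of them is rejected before a query runs.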
Tur.js @Tur24Tur

Spent the last few weeks building an XSS hunting agent using Claude Agent SDK. Custom tools for param discovery, CSP analysis, context detection, and browser-based confirmation. Solved expert-level PortSwigger challenges in under 15 minutes + found 2 DOM XSS on a real target in 5 minutes. Still struggles against heavy WAFs. Resources that helped: anthropic.com/engineering/bu… platform.claude.com/cookbook/patte… #BugBounty #AgenticAI #InfoSec
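The v-html asset-title sink from the stored-XSS write-up above, as an added example in plain JavaScript (not the CMS's code; the renderer shape, the 30-character limit and the test title are assumptions): the template-literal renderer beside an escaping one, plus a small check that counts how many tags user data adds to the output, which a test suite can run against any render function.

```javascript
// Added example, not the CMS's code. Models the sink from the write-up: a
// render function that builds markup with a template literal and hands it to
// v-html. The 30-char limit and the test title below are constructed.
const TITLE_MAX = 30;

function truncate(s, n = TITLE_MAX) {
  return s.length > n ? s.slice(0, n) : s;
}

// Vulnerable: template literals concatenate strings; nothing here escapes `<`
// or `"`, so the asset title is parsed as HTML once v-html inserts it.
function renderAssetFieldUnsafe(asset) {
  return `<div class="asset"><span class="title">${truncate(asset.title)}</span></div>`;
}

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: escape every user-controlled value before it reaches v-html
// (or bind it with {{ }} / v-text instead and let Vue escape it).
function renderAssetFieldSafe(asset) {
  return `<div class="asset"><span class="title">${escapeHtml(truncate(asset.title))}</span></div>`;
}

// How many tags did the asset's data add beyond what the template itself
// emits? Anything above 0 means user input reached the DOM as markup.
function userTagCount(render, asset) {
  const tags = (html) => (html.match(/<[a-zA-Z]/g) || []).length;
  return tags(render(asset)) - tags(render({ title: "" }));
}

// Constructed test title: 27 characters, so the 30-char truncation keeps it
// intact, which is the "truncation is not sanitization" point.
const TEST_TITLE = "<img src=x onerror=probe()>";
```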
Tur.js retweeted
Ask PlayStation @AskPlayStation
PS3 system software update 4.93 is available now✨ Please check our page for the latest system software features and how to update. 💡PS3 system software update playstation.com/support/hardwa…
Tur.js retweeted
Techjunkie Aman @Techjunkie_Aman
PS4 emulation just made a huge leap. The shadPS4 emulator released version 0.15.0. And yes… Some real PS4 games already run or boot. Including:
• Bloodborne
• Dark Souls Remastered
• Red Dead Redemption
• Yakuza 0
• Driveclub
The emulator is completely open source and works on:
• Windows
• Linux
• macOS
Recent improvements include:
• GPU shader recompiler updates
• better system library emulation
• improved audio and controller support
• stability and compatibility fixes
• kernel and filesystem improvements
Important: Games require firmware modules dumped from your own PS4 console. It’s still very experimental, but development is moving fast. PS4 emulation is finally starting to become real.
Tur.js retweeted
Tur.js @Tur24Tur
Finally, with @hw16, we managed to bypass the @Cloudflare mTLS protection after around 5 days of work. I'd like to share a few golden tips for bug bounty hunters who might face something similar in the future. But first, here's a quick summary:

The target was a banking app with multiple security layers:
• Heavy Frida detection mechanisms
• Strong root detection
• Google SafetyNet/Play Integrity checks
• Runtime hooking detection
• APK tampering protection (crashed immediately if repackaged/modified)

At first, @fridadotre was detected and crashed the app on my device but strangely worked on another device even though both had the same Android version, root method, Frida server version, and architecture. After investigation, we discovered the app had anti-hooking detection that triggered when using aggressive Frida hooks on sensitive KeyStore operations.

The Solution: We wrote a minimal Frida script that:
1. Passively monitored certificate operations without modifying behavior
2. Intercepted KeyManagerFactory.init() - the exact moment when mTLS certificates are loaded
3. Extracted the X.509 client certificate and RSA private key (4096-bit)
4. Encoded them using Android's Base64 encoder
5. Formatted as PEM files ready for use

Found the mTLS certificate with a unique UUID-based alias in the Android KeyStore. The certificate was being dynamically loaded during the SSL handshake initialization.

Extracted Files:
• client_cert.pem → Client certificate (valid for 2 years)
• client_key.pem → RSA private key (PKCS#8 format)

We then created a PKCS#12 bundle using OpenSSL to combine the certificate and key into a single file, which could be imported into various tools and browsers for testing or @Burp_Suite.

Key Takeaway: When facing anti-tampering mechanisms, be surgical: hook only what you need, when you need it. Aggressive hooking triggers detection; passive monitoring flies under the radar.

This was an awesome challenge and my first time encountering such strong SSL pinning defenses. Attached are some images from the mobile API and the Frida output with the certificates. #bugbountytips #frida #Magisk #mtls

Tur.js @Tur24Tur

Did @Cloudflare just defeat @Burp_Suite and @CaidoIO? Cloudflare protection is becoming very common. This is the third app I’ve seen using it. Changing the user agent doesn’t help, and the Burp TLS-fingerprint bypass plugin didn’t work. The app blocks any request when it detects traffic interception. My target mobile app might be using a dynamic certificate, based on my friend's analysis. Back in Nov 2024, I tested a web app with Burp, but it blocked all traffic. Switching to Caido worked, maybe its signatures weren’t detected at the time. Can anyone share insights? Thanks #BugBounty
Tur.js @Tur24Tur
@tonid1612 I used @oneplus with Android 15, but other options should work as well:
@Samsung Galaxy S24 / S25 (Kernel 6.1+)
@Google Pixel 8 / 9 / 9 Pro (Kernel 6.1)
@Xiaomi 14 / 15 series (Kernel 6.1)
@Nothing Phone 2 / 3 (Kernel 6.1)
Just double-check the device specifications.
Le Minh Nguyen 🔆 @tonid1612
@Tur24Tur Thanks for the reply. Could you please reveal what device you are using for testing …
Tur.js @Tur24Tur
On my device with kernel 5.15 I get this error: frida-strace: "Unable to start: arg#0 reference type('FWD pt_regs') size cannot be determined" (incomplete BTF support in the kernel). On another device with kernel 6.1, everything works: strace, attach, and spawn. So it's a kernel version + BTF support issue. Devices with kernel 6.1+ should work.
Le Minh Nguyen 🔆 @tonid1612
@Tur24Tur Hmm. Btw, what device are you using for testing now? And is kernel version 6.1+ required?
Rablidad @EveraldoMo31296
@Tur24Tur Yeah, I saw this release like yesterday and thought "damn, it changes everything". So far I was doing it all on my own with dylibs or lldb and stuff.
Edu Novella @enovella_
Syscall Tracer🔥🔥 Sometimes it’s useful to observe the system calls happening inside a given target process. Especially if the target includes some kind of Frida detection, root detection, or any other kind of Runtime Application Self-Protection (RASP). frida.re/news/2026/03/0…
Tur.js @Tur24Tur
Save your exclude list in a file and use -O to load it. Most syscalls are noise (futex, ioctl, mmap). Filter them out and you only see file access + network, the real RASP detection logic. frida-strace -D device -f App -O File.opts --limit 1000