https://bsky.app/profile/javi.ka0labs.net

1K posts

@ca0s_

@[email protected] Joined December 2010
447 Following, 446 Followers
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
“The vulnerability with the highest CVSS score in this month’s update is a critical remote code execution flaw in the Microsoft Devices Pricing Program. CVE-2026-21536 (CVSS score: 9.8), per Microsoft, has been fully mitigated [...] Artificial intelligence (AI)-powered autonomous vulnerability discovery platform XBOW has been credited with discovering and reporting the issue.” bit.ly/4s2u8vq
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
🚨 Critical SQL injection in Chef Automate (CVE-2025-8868) If you're running Chef for infrastructure automation, patch immediately to version 4.13.295 or later. Full technical breakdown: xbow.com/blog/cooking-a… What XBOW found 🧵
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
Last chance to see XBOW’s demo at #BlackHat. (1/3) Launch a comprehensive pentest in just 3 clicks. Every finding comes with a proof-of-concept exploit.
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
First vulnerability of the day! We’re at Black Hat, come meet the team. 📍 Booth 3257
https://bsky.app/profile/javi.ka0labs.net retweeted
djurado (@djurado9):
The new episode of @ctbbpodcast is out! Huge thanks to @Rhynorater and @rez0__ for having me. I had a great time chatting with you about XBOW and HackerOne’s Ambassador World Cup. It was a blast! 🫶🏼
Quoted post by Critical Thinking - Bug Bounty Podcast (@ctbbpodcast):
New episode is out! — youtu.be/rvA8IbyogJ0 Releasing the episode on Monday so you have something to listen to during your travel to DEFCON =) Diego Djurado joins us to discuss XBOW's architecture, hunting approach, hallucination challenges, and AI's future in bug bounty. He also shares his hacking journey and achievements.
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
XBOW pulled off the perfect digital heist: stealing files by hiding them in plain sight. Disguised arbitrary file content as satellite imagery pixels. TiTiler processed the "images" while XBOW extracted secrets from the compression data. Mission details: bit.ly/3TX1o89
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
⚡️XBOW found LFI where most tools would have given up. Photo download endpoint blocked all path traversal attempts. But JavaScript analysis revealed /photo/proxy?url= - vulnerable to file:// scheme access. Successfully read a password file via proxy endpoint. Technical breakdown: xbow.com/blog/xbow-phot…
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
What if two AI models could collaborate without knowing it? Our Head of AI, Albert Ziegler developed "model alloys" - alternating between different LLMs in a single conversation. Sonnet handles some steps, Gemini others, but neither knows about the switch. Result: 55% solve rate vs 40% with single models. xbow.com/blog/alloy-age…
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
When simple attack vectors fail, XBOW doesn't give up. ⚡️New discovery: Arbitrary file read in WordPress Ninja Tables plugin. Hidden in plain JavaScript sight, protected by nonce validation, but XBOW pieced together the exact request format needed. Technical breakdown here: xbow.com/blog/xbow-ninj…
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
When standard SQL injection vectors fail, dig deeper. ⚡️New XBOW discovery: Z-Push vulnerability hidden in Basic Authentication username field. Response timing differences revealed PostgreSQL time-based injection where obvious targets were clean. Full analysis: xbow.com/blog/xbow-gaij…
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
Sometimes the most illogical approach wins. XBOW discovered XSS in Salesforce Aura by testing aura.format=JSON - which counterintuitively returns text/html content type instead of JSON. The kind of discovery that comes from systematic testing without assumptions. Full hunt analysis by @djurado9 xbow.com/blog/xbow-sale…
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
Even mature products hide critical flaws – and @XBOW just found another one. CVE-2025-49493: XXE in Akamai CloudTest discovered during our climb to #1 on HackerOne. A complete technical breakdown from an error-based detection to a full exfiltration by @djurado9 xbow.com/blog/xbow-akam…
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
For the first time in history, the #1 hacker in the US is an AI. (1/8)
https://bsky.app/profile/javi.ka0labs.net retweeted
Bug Bounty Village (@BugBountyDEFCON):
AI isn’t replacing bug bounty hunters anytime soon, but it’s getting surprisingly close. In this DEF CON talk, Joel Noguera & Diego Jurado (@xbow) show how they built agents that exploit real-world XSS, JWT, and CSRF bugs autonomously youtu.be/YDsHI2acEVA #BugBounty #DEFCON
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
Just in time for the holidays: how XBOW found an arbitrary file download (CVE-2024-53982) in ZOO-Project, protecting Santa's critical geospatial processing infrastructure from attackers! xbow.com/blog/xbow-zoo-…
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
While developing XBOW over the past three months, we played around with using it for bug bounties and ended up at #11 in the US on HackerOne:
https://bsky.app/profile/javi.ka0labs.net retweeted
XBOW (@Xbow):
XBOW bypasses a MIME-type filter, abusing an OTP icon preview feature in 2FAuth to exploit an SSRF and discover CVE-2024-52598. Affected users should apply the patch and read about all the details in our blog post this Friday.
https://bsky.app/profile/javi.ka0labs.net retweeted
Adrián Marcos (@MARCOSCARS02):
Last year, I was working on a project about designing and building an electric racing motorcycle from scratch. You can check it out here: blog.ms02.es/posts/building…