Luke Stephens (hakluke)

14.4K posts


@hakluke

Hacker, marketer. I manage socials and produce amazing technical blogs for cybersecurity orgs. Founder of @hacker_content and @haksecio

🇦🇺🦘 Joined July 2017
1.9K Following, 98.2K Followers
Luke Stephens (hakluke)
I built hakrawler to do one thing well: crawl URLs and spit them to stdout. Unix philosophy. Now that same tool is being used by AI agents! Crazy times.
HackingHub (@hackinghub_io)
Keep your eyes peeled on these endpoints. 👀
/login ➡️ authentication bugs
/reset-password ➡️ ATO
/upload ➡️ RCE
/api/v1/user/1001 ➡️ BOLA
/search?q=query ➡️ Injection bugs
/view?file= ➡️ SSRF
/admin ➡️ internal access
Which endpoint have you found the most bugs on? 👇
𝚖𝚎𝚛𝚝 🦧 (@mertistaken)
shut out the noise and focus on what you do best. 🙌🏻
Luke Stephens (hakluke)
Your first bug bounty report will probably be terrible. Submit it anyway. My first few were genuinely embarrassing. You learn more from one bad submission than from six months of tutorials.
Luke Stephens (hakluke) retweeted
James Kettle (@albinowax)
I've just submitted my latest research to Black Hat USA! This one has been cooking since last June, can't wait to share it with the world... in fact I'm quite excited just to see the community reaction to the title reveal.
Luke Stephens (hakluke)
Is it just me or does claude code actually get excited when it's getting close to nailing a bug down?
Luke Stephens (hakluke)
@mubix That's an interesting question! Most people are thinking about it the opposite way, i.e. how many *good* ideas never happened because they were too difficult to build. Maybe it all evens out in the end.
Rob Fuller (@mubix)
Honest question: How many bad ideas at your company only didn’t happen because they were too hard to build? For all the positive new development supported by AI, the opposite side of that coin is “citizen developers” now have power tools with no idea where the sharp end is..
Luke Stephens (hakluke) retweeted
Burp Suite (@Burp_Suite)
Are you testing for authorization bypass or header-based access controls? It can be tedious to manually edit every request, but you don't have to. Try using Match & Replace in Burp Suite to automate request modifications on the fly. Add headers, swap tokens, or tweak parameters across all traffic. Set the rule once, and let Burp handle it.
Luke Stephens (hakluke) retweeted
Mo (@atmoio)
AI is making CEOs delusional
Luke Stephens (hakluke)
Yeah, probably top partner lawyers will remain in high demand because the system just requires humans to be present in court etc., but these lawyers will be able to leverage AI to do most of the tasks that their underlings do (contract reviews, edits, etc.). I recently made contract edits and did a contract review without a lawyer for the first time since I’ve been in business. Saved me about $500, and it did a better job imo.
Tib3rius (@0xTib3rius)
You could be right, but I just read an article that software engineering jobs are up 11% over this time last year. Companies still need software engineers, because the software engineering role is adapting to use AI and now companies can develop faster than before, but they still need humans to guide the process. Lawyers and other jobs will likely adapt too.
Luke Stephens (hakluke)
@NahamSec Absolutely loved this. I'm obsessed with one-bag travel content. It was nice to combine that with hacking! I might even make a similar video showing what I pack for travelling while hacking / running a business
Ben Sadeghipour (@NahamSec)
Did something a little different this time and recorded something a bit non-hacking related with 10+ essentials that I do day to day youtu.be/1Fd6ZjfAeHE
Luke Stephens (hakluke) retweeted
HackingHub (@hackinghub_io)
New Hub: Naham CRM 🕶️ This bug was worth $15,000, but the exploit isn't just about a payload. You have to understand the logic of how applications talk to each other, and exactly where that communication breaks. Watch the full video and get started. 👇 app.hackinghub.io/hubs/nahamcrm
Luke Stephens (hakluke)
@rez0__ Y'know what - I kept thinking about this, and I'm not so sure. I mean sure if you had these top models in 2012 you'd have a huge advantage, but also $10M means that you don't need an advantage.
STÖK ✌️ (@stokfredrik)
What is the most efficient and easy way to set up a solution today for Claude Code segmentation/sandboxing, without losing too much performance? What I want:
- a secure way to run Claude Code + tools with full access to a shell on laptop (independent of the OS). I want it to be able to install apps, dependencies, you name it, on the fly inside its "home".
- egress over network, so it can send / route traffic through a proxy like burp/caido for logging purposes, passive audits and manual evaluations. But no other host / access, findings will be sent back into the workflow for validation.
- files / memory / context dumps synced over git, rsync or similar,
- an easy snapshot functionality so I’m able to roll back and get em back up running fast when it eats itself.
Any ideas? I could easily ask the LLM, but I want some human input around it.
cje (@caseyjohnellis)
@hakluke lol, no - not my car. and ya that’s audley