Donato Scaramuzzo

1.1K posts


@ramirezVII

Senior Penetration Tester & AI Explorer - #AI #NoCode

Senior Penetration Tester
Joined July 2011
171 Following, 368 Followers

Donato Scaramuzzo reposted
OffSec
OffSec@offsectraining·
The OSAI+ syllabus is finally here! Every module includes hands-on labs designed to mirror how real AI systems are built, integrated, and attacked in production environments ⚔️ And if you haven't already heard: OSAI+ is available now in pre-sale, with an exclusive pre-release offer on our [Extended] Course & Certification Bundle. Get 120 days of course + lab access for the price of 90 for a limited time only. Offer ends March 30 when bundle returns to 90 days of access. 💸 Purchase through pre-sale: portal.offsec.com/checkout/produ… 🔍 Learn more: offsec.com/courses/OSAI/
Donato Scaramuzzo reposted
Griffin
Griffin@aussinfosec·
I have been doing bug bounty since 2011 and ran a program for a multinational bank. Put everything I've learned into bugbounty.info. Target selection, recon pipelines, chain patterns, report templates, the business side. Free, no paywall, no course upsell.
Donato Scaramuzzo reposted
bugcrowd
bugcrowd@Bugcrowd·
AI won't replace the human intuition needed to find bugs, but it will amplify the hackers who use it. If you are new to this, start small with n8n to remove friction from your workflow.👇
Donato Scaramuzzo reposted
@levelsio
@levelsio@levelsio·
how to build a bootstrapped startup without funding:
1. pick a problem you personally have. if you don't use your own product daily, quit now
2. skip the pitch deck. open your code editor. ship something ugly in a weekend
3. charge money from day 1. free users give you nothing but support tickets
4. use boring tech. PHP, SQLite, vanilla JS. frameworks are a trap that mass waste your time
5. host on cheap VPS ($5-20/mo). not AWS. you don't need kubernetes for 1,000 users
6. do customer support yourself. it's the fastest product feedback loop that exists
7. automate everything you do more than twice. cron jobs > employees.
8. grow on Twitter/X by building in public. your journey IS the marketing
9. keep your burn rate near zero so you never need to raise. ramen profitable > series A
10. say no to investors, cofounders, and "advisors" who want equity for intros
i've been doing this for 10+ years now. no employees, no funding, no board meetings
the entire VC game is designed to make you think you need permission to start
you don't
Donato Scaramuzzo reposted
JS0N Haddix
JS0N Haddix@Jhaddix·
Here's a freebie tip on building agents in any AI framework: Mindmap your agent flow. Order of operations, tools, variables, file paths, backup workflows... all has to be documented in .md or prompts to make them repeatable and amazing.
Donato Scaramuzzo reposted
GREG ISENBERG
GREG ISENBERG@gregisenberg·
claude cowork crash course in 49 seconds for building out your ideas
Donato Scaramuzzo reposted
Shakquraa | Cybersecurity
Shakquraa | Cybersecurity@shakquraa·
Static JS analysis just got smarter. jsluice is a Go-based tool that parses JavaScript using ASTs to extract endpoints, secrets, and interesting artifacts — no noisy regex scraping. 🔗source: github.com/BishopFox/jslu… Perfect for bug bounty hunters who actually read JS instead of just grepping it. 🔎⚡ If you’re serious about client-side recon, this deserves a spot in your toolkit. #BugBounty #AppSec #JavaScript #Recon
Donato Scaramuzzo reposted
Favour Y.
Favour Y.@FavourYusuf1·
Each of the big 3 (Gemini, Anthropic, ChatGPT) have 3 different ways they want you to use AI.

ChatGPT wants to keep you inside a chatbox. That's their entire goal. That's why they are putting ads in chat, instead of trying to connect ChatGPT to everything.

Anthropic wants you to connect claude to everything you own. They want to become the center of your AI world. Plus, they want to become the platform everyone uses to build. Think "The AI OS". That's why they built MCP, Agents and Cowork. It's also why they don't have a really good "Talk to Claude" feature. At least on par with ChatGPT or Gemini.

Google on the other hand, does not actually want you to use the Gemini App. They want you to use Gemini in their other products. Gmail, Google Search, Google Docs, Excel, etc.

This is why each of them excels at different things.

ChatGPT will double down on trying to make the best possible chatting experience. They will try to get you to experience the internet from inside a chatbot.

Claude will try to get you to use them to build anything. Skills, Agents, MCP...the whole shebang.

Gemini will try to get you to use different products with the same account. Opal, Antigravity, NoteBookLM, Gemini in Meet, Excel, Drive, etc. They don't even have a dedicated projects folder ffs, and their chatbot is meh.

So, depending on what you are trying to do, pick the best one.

Quoted post from ᴅᴇʙꜱ✨ @Bigdebs222:
For creating pictures yes, but for cognitive thinking it's very dumb.

Donato Scaramuzzo reposted
Pratham
Pratham@Prathkum·
AI wrapped 2025:
– MCP became the USB port for AI
– vibe coding is now the default method to build software
– more agents: we started letting AI "work" for us
– AI learned how to "think" before it speaks
– programming changed forever
– OpenAI, Anthropic, and Google are in a race
– context windows got massive as now you can give an AI a 2,000-page book or a whole folder of videos
– we ran out of internet to train on
– we have enough chips, but we don't have enough electricity
– RLVR > RLHF
– we haven't achieved AGI yet
Donato Scaramuzzo reposted
Coffin
Coffin@lostsec_·
instead use this way~
cat domains.txt | httpx-toolkit -silent -sc -td | grep -Ei "Next\.js|React"
cat domains.txt | httpx-toolkit -silent -sc -td | grep -Ei "Next\.js|React" | awk '{print $1}' | nuclei -t .local/nuclei-templates/http/cves/2025/CVE-2025-55182.yaml -silent
after this use manual payloads+bypass methods or simply use extension..

Quoted post from Intigriti @intigriti:
Testing for React2Shell can be as easy as:
1. Running HTTPX to identify NextJS targets
2. Passing the list of targets to React2shell-scanner
3. Verify & report results 🤠
More in next post! 👇

Donato Scaramuzzo reposted
Germán Fernández
Germán Fernández@1ZRR4H·
🚩 #React2Shell 🌐📡
→ Censys (+270K assets): services.http.response.headers: (key: `Vary` and value.headers: `RSC, Next-Router-State-Tree`)
→ Shodan (+380K assets): "Vary: RSC, Next-Router-State-Tree"
Donato Scaramuzzo reposted
The Hacker News
The Hacker News@TheHackersNews·
⚠️ URGENT: A 10.0-severity bug just hit React Server Components and Next.js. It lets anyone run code on your server — even without logging in. 🔗 Details → thehackernews.com/2025/12/critic… ⚙️ Fix: update to patched versions now.
Donato Scaramuzzo reposted
YesWeHack ⠵
YesWeHack ⠵@yeswehack·
You’ll know how to build an Android #BugBounty lab if you read the first article in our Android hacking series 📱 Part two has now landed: an in-depth guide to performing recon on your mobile targets! 👇 yeswehack.com/learn-bug-boun…
Donato Scaramuzzo reposted
Pliny the Liberator 🐉
wtff my jaw is on the floor...did Gemini-3 just successfully one-shot my request to turn Nano Banana into a time machine?! it has a working global map and can render a realistic image of any place (real or fictional) in any year (past or future) in a matter of seconds! crazy times we're living in 🤯