Phil Winwood

5.9K posts

@yppip

All things security - pentester - bug hunter - researcher

Joined August 2011
2K Following, 645 Followers
Phil Winwood reposted
Brett Adcock @adcock_brett
Figure taught two robots to make a bed together - fully autonomous. Honestly, they're better at it than most humans.
Phil Winwood reposted
Matt Johansen @mattjay
Important free resource that teaches you how to rotate secrets on lots of different platforms. Seems we're in the everyone leaking secrets phase of supply chain attacks lately. Keep this handy. Thanks @trufflesec! howtorotate.com
Phil Winwood reposted
zack0x01 @zack0x01_
🚀 RECOX is open source now. Built it because every recon tutorial says "install 5 CLI tools", but most of my bug bounty students start on Chromebooks or phones. RECOX gives them the same recon primitives in a browser. Zero install, zero signup. Code → github.com/zack0x01/recox Live → recox.hackerz.space Star it if it helps ⭐
Quoting zack0x01 @zack0x01_:

recox.hackerz.space is outperforming most recon tools 🔥🚀: 🔴waybackurls → 10,184 ✅recox → 53,030 🔥 🔴subfinder → 896 🔴subd...c99nl → 896 ✅recox → 901 ⚡ check it out : recox.hackerz.space #bugbounty #bugbountytips
Phil Winwood reposted
Theo - t3.gg @theo
Agent harnesses aren't the black magic many of y'all seem to think they are. To prove it, I built one.
Phil Winwood reposted
Roan @RohOnChain
This 2 hour Stanford lecture will teach you more about how LLMs like ChatGPT & Claude are built than most people working at top AI companies learn in their entire careers. Bookmark this & give 2 hours today, no matter what. It'll be the most productive thing you do this week.
Phil Winwood reposted
vxdb @vxdb
Veritasium Exposes a Tap To Pay Flaw That Lets a Payment Terminal Steal $10,000 From a Locked iPhone
Phil Winwood reposted
Harley Kimball @infinitelogins
Been a minute. I went dark for about 6 weeks on purpose, chasing a time-sensitive opportunity building an autonomous bug-bounty system, and so far, it has paid off: Top 60 on HackerOne over the last 90 days, top 5 in the US. I've learned a ton in these last few weeks about scaling AI systems. Not sharing everything yet, but maybe soon. A new Disclosed issue drops tomorrow to catch up on everything I missed. getdisclosed.com
Phil Winwood reposted
Oliver Prompts @oliviscusAI
You can now find almost every OSINT tool in one place. Someone compiled a massive repository of tools for penetration testing and information gathering. It's basically a god mode for information gathering: tracking, digging, analyzing... it is all here. 100% free to use.
Phil Winwood reposted
Mork1e @mork1e
Ok so... they left their CDN exposed. If you ping the domain, you get this IP: 151.101.129.49. It turns out this is a fastly.com IP. I had never heard of Fastly, but it looked to be something similar to Vercel, so I figured maybe they had custom deployment links like Vercel does. Tried a few different combos and BINGO: btc.day.global.prod.fastly.net

This took me to this: d325bmwzjz2yc7.cloudfront.net. That's their CDN bucket on AWS. They currently have it set up so that any invalid endpoints redirect back to index.html.

I went on a hunch and figured that they'd probably already have their production app stored somewhere in the CDN ready for deployment. I used SECLISTs (github.com/danielmiessler…) and ffuf to try out over 20k different combinations on this URL. After some sleuthing, BINGO!! I found these two files:
> live.html
> .DS_STORE

The important one here that immediately caught my eye was "live.html". That sounded like a prod deployment. And sure enough, it was! This is what the btc.day site will look like on the day the faucet goes live:
d325bmwzjz2yc7.cloudfront.net/live.html
d325bmwzjz2yc7.cloudfront.net/bitkey.html

It turns out the entire faucet will be revealed to just be a promotion scheme to get you to buy a Bitkey and use Cash App. There is no faucet - at least in the sense most were expecting.
Quoting Bitcoin at Block @BitcoinatBlock:

The bitcoin faucet is back. 04.06.26 btc.day
Phil Winwood reposted
André Baptista @0xacb
Race conditions in OAuth flows can still happen in custom implementations. Here's how to find it: During the token exchange, the server is supposed to treat an authorization code as single-use. If you race the token endpoint by sending parallel requests with the same code simultaneously, vulnerable implementations may issue multiple valid access tokens and some won't properly revoke all of them. Tools like Turbo Intruder or even a simple multi-threaded script sending concurrent requests to the callback URL with different tokens may trigger it. Further reading here: blog.avuln.com/article/4
Phil Winwood reposted
Joe Desimone @dez_
We open sourced the tool used to detect the Axios supply chain compromise! I built it Friday after a red eye home from RSAC. Also wrote up the full story, including the hectic moments after that first critical alert: github.com/elastic/supply…
Phil Winwood reposted
Nav Toor @heynavtoor
🚨 Screen Studio charges $89 for this. Someone open sourced the entire thing for free. It's called OpenScreen. 8,400+ GitHub stars.

You record your screen. It automatically transforms it into a polished, professional demo video. Auto-zoom into clicks. Smooth cursor animations. Motion blur. Custom backgrounds with wallpapers, gradients, and shadows. Webcam overlays. Annotations. Timeline editing. Export in any aspect ratio. The exact workflow that Screen Studio sells for $89 and Loom sells as a subscription. Free. No watermarks. No accounts. No subscriptions.

Here's what you get out of the box:
→ Full screen or window capture with system audio and mic
→ Automatic zoom that follows your cursor and clicks
→ Manual zoom with customizable depth and timing
→ Smooth motion blur on pan and zoom transitions
→ Animated cursor rendering with motion effects
→ Webcam bubble overlay with drag-and-drop positioning
→ Wallpapers, solid colors, gradients, or custom backgrounds
→ Text and arrow annotations layered over recordings
→ Timeline trimming and variable speed segments
→ Crop, resize, and export in any resolution or aspect ratio
→ Save and reopen projects anytime

Here's the wildest part: A developer forked it and built an even more advanced version called Recordly. Full cursor animation pipeline. Native macOS and Windows recording. Zoom behavior that mirrors Screen Studio frame-for-frame. Audio tracks. Webcam overlays with zoom-reactive scaling.

Both are free. Both are MIT licensed. Both work on Windows, macOS, and Linux. Download. Record. Export. Done. 100% Open Source. MIT License. (Link in the comments)
Phil Winwood reposted
thaidn @XorNinja
We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an RCE there too. Full story: blog.calif.io/p/mad-bugs-vim…