Hey @garethheyes is there a way to make hackvertor tags work when sending a websocket request to repeater? It only sends the actual tag instead of replacing it with a value on the latest Burp :(
Is your target leaking CSP violations left and right? Mikhail Khramenkov reveals how to hijack the onsecuritypolicyviolation event to trigger JS in hidden inputs - when unsafe-inline is in play and styles are blocked. Now live on our XSS cheat sheet.
Link to vector👇
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥
The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇
gmsgadget.com
1/4
We are super excited to share that we acquired the Shift Plugin (shiftplugin.com) and we are making it free to Caido paid users 🚀
Shift is a Caido plugin that is a smart AI companion for your hacking. It can craft payloads, Match&Replace rules, HTTPQL queries and much more.
All details here: caido.io/blog/2025-07-1…
🚀 New on the BApp Store: UnUnicode
🔍 Automatically decode nested Unicode sequences in requests, responses, and WebSocket messages.
🧩 Custom tab for viewing unescaped content, enhancing visibility for manual inspection.
📄 Includes "pretty print" functionality for JSON content
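An added example of what "decode nested Unicode sequences" means in practice (this is illustrative code written for this page, not the UnUnicode extension's source). It decodes `\uXXXX`, `\u{...}` and the legacy `%uXXXX` form, repeats until the text stops changing (so a doubly escaped `\u005cu003c` resolves to `<`), joins surrogate pairs, and pretty-prints JSON after walking its string values rather than before parsing, so that a decoded `\u0022` cannot break the JSON itself. The sample inputs are constructed.

```python
import json
import re

# JS/JSON style \uXXXX and \u{X..XXXXXX}, plus the old IIS-era %uXXXX form.
_ESCAPE = re.compile(
    r'\\u\{([0-9a-fA-F]{1,6})\}'   # \u{1F600}
    r'|\\u([0-9a-fA-F]{4})'        # \u003c
    r'|%u([0-9a-fA-F]{4})'         # %u003c
)


def _pair_surrogates(s):
    """Join \\ud83d\\ude00-style halves into one code point; keep lone halves as-is."""
    try:
        return s.encode("utf-16", "surrogatepass").decode("utf-16")
    except UnicodeDecodeError:
        return s


def decode_once(s):
    """One decoding pass over every escape form the regex knows."""
    def repl(m):
        cp = int(m.group(1) or m.group(2) or m.group(3), 16)
        return chr(cp) if cp <= 0x10FFFF else m.group(0)
    return _pair_surrogates(_ESCAPE.sub(repl, s))


def decode_nested(s, max_rounds=8):
    """Decode until the text is stable. Returns (decoded, rounds_applied).

    Nested payloads need more than one pass: \\u005cu003c -> \\u003c -> <
    """
    for rounds in range(max_rounds):
        nxt = decode_once(s)
        if nxt == s:
            return s, rounds
        s = nxt
    return s, max_rounds


def _walk(obj):
    """Apply decode_nested to every string inside a parsed JSON value."""
    if isinstance(obj, str):
        return decode_nested(obj)[0]
    if isinstance(obj, list):
        return [_walk(x) for x in obj]
    if isinstance(obj, dict):
        return {k: _walk(v) for k, v in obj.items()}
    return obj


def pretty_print(text):
    """Viewer output: parse JSON first (the parser handles one \\u layer),
    decode what is left inside the strings, then re-emit indented. Non-JSON
    bodies are simply decoded."""
    try:
        obj = json.loads(text)
    except ValueError:
        return decode_nested(text)[0]
    return json.dumps(_walk(obj), indent=2, ensure_ascii=False)


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    for sample in [r"\u005c\u0075\u0030\u0030\u0033\u0063", "%u003cscript%u003e",
                   r'{"q":"\u005cu003cb\u005cu003e"}']:
        print(repr(sample), "->", repr(pretty_print(sample)))
```

The decoded view is for reading, not for replaying: decoding escapes in place changes what the server would parse, which is why a tool shows it in a separate tab.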
When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (@iangcarroll and I) discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the password "123456".
ian.sh/mcdonalds
How do we turn bad SSRF (blind) into good SSRF (full response)? The @assetnote Security Research team at @SLCyberSec used a novel technique involving HTTP redirect loops and incremental status codes that leaked the full HTTP resp. It may work elsewhere! slcyber.io/assetnote-secu…
After @0xLupin's great article on dependency confusion on Netflix, some people suggested that I add a detector for npm packages in jxscout. I think this will be a great addition, I'll make a new pro release soon with this detector!
Original article: landh.tech/blog/20250610-…
Did you know an input can use the form attribute to link to a form by ID letting it submit with the form even if it’s placed outside of it!? 👀
In this PHP example, an input outside the form adds a URL argument and only the second param value (1337) is echoed.
S/O to @encodeart and @ctbbpodcast! 🔥
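The post's screenshot is not on the page, so here is an added example (written for this page, not the author's code) that models the two halves of the trick: which inputs a browser submits with a form, following the form-owner rule (an element's `form` attribute wins; otherwise the nearest enclosing `<form>`), and how PHP resolves the resulting duplicate parameter. PHP's `$_GET` keeps the last duplicate, which is why `1337` is what gets echoed; frameworks such as Flask/Werkzeug return the first, so the same markup behaves differently per backend. The HTML below is constructed to match the post's description.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed page: a form with one field, plus an input placed OUTSIDE the
# form that joins it via form="f". Both carry the same name.
SAMPLE_HTML = """
<form id="f" action="/echo.php" method="get">
  <input type="text" name="p" value="1">
  <input type="submit" value="go">
</form>
<p>unrelated content</p>
<input type="hidden" name="p" value="1337" form="f">
"""

NON_DATA_TYPES = {"submit", "button", "reset", "image"}


class FormOwners(HTMLParser):
    """Record (owner_form_id, name, value) for every submittable input.

    Owner resolution: explicit form="id" attribute, else the innermost open
    <form>. Elements whose form attribute names no form have no owner.
    """
    def __init__(self):
        super().__init__()
        self.open_forms = []   # ids of <form> elements currently open
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.open_forms.append(a.get("id"))
        elif tag == "input" and a.get("name") and (a.get("type") or "text").lower() not in NON_DATA_TYPES:
            if "form" in a:
                owner = a["form"]
            else:
                owner = self.open_forms[-1] if self.open_forms else None
            self.fields.append((owner, a["name"], a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms.pop()


def serialize_form(html, form_id):
    """Query string the browser would build for form #form_id, in tree order."""
    p = FormOwners()
    p.feed(html)
    return urlencode([(n, v) for owner, n, v in p.fields if owner == form_id])


def php_get(query, name):
    """PHP $_GET semantics: the LAST duplicate wins."""
    vals = parse_qs(query, keep_blank_values=True).get(name)
    return vals[-1] if vals else None


def first_wins_get(query, name):
    """Werkzeug/Flask request.args.get() semantics: the FIRST duplicate wins."""
    vals = parse_qs(query, keep_blank_values=True).get(name)
    return vals[0] if vals else None


if __name__ == "__main__":
    q = serialize_form(SAMPLE_HTML, "f")
    print("submitted:", q)                     # p=1&p=1337
    print("PHP echoes:", php_get(q, "p"))      # 1337
    print("Flask would see:", first_wins_get(q, "p"))
```

When an input with a `form` attribute is the injected element, it can also add a parameter to a form it is nowhere near in the DOM, which is what makes this interesting in an injection context.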
AI is so hot right now that in a short while, specializing in AI will be about as common as specializing in software development.
Everyone SHOULD learn how to adapt to it, but also everyone WILL learn it. Find a way to keep your skillset niche and unique.
Hey hackers! We're running a beta for Hai for Hackers, our AI security agent. If you're interested, please reply with your HackerOne username (we will probably limit to ~100 hackers for now). After it's been enabled, you can start using it by clicking the Hai button in the top right corner of the app. It’s free to use (with a limited daily budget for now). It is like any other AI you’ve interacted with, with the added benefit that it has access to a whole bunch of HackerOne data, like reports and programs. We’re shipping improvements to Hai almost every day. Here are some neat use cases:
- “take all the learnings from STÖK, jhaddix, and nahamsec's recon strategy and build one for me!”
- “write a python script for a typical recon process”
- “i need an XSS payload that doesn’t use single or double quotes”
- “my XXE payload doesn't call back to my server, what could go wrong?”
- “write a response for report #133337”
The beta also comes with Hai Plays for you, which allows you to build your own security agents in HackerOne. You can create them at hackerone.com/settings/hai_p…. Some of the cool use cases we’ve seen so far are:
- write reports with minimal input from you (efficiency++!)
- convert reports into blogposts with a single prompt
- AI mentor to give feedback about your communication and increase the likelihood of a reward
In the background we’ve been working on agentic behavior, which we expect will soon come to Hai for Hackers as well. These AI agents can act like your hacking buddy and hack alongside you. We’ll keep you in the loop on our progress.
“Please limit your traffic to 2 requests per second when testing” my brother in planet earth, legitimately browsing a website would generate more requests per second
I just built a custom action to let you test for race conditions with a single click! No tab groups required, and it uses the cutting edge single-packet attack under the hood.
💡 Tip!
When looking for subdomain takeover vulnerabilities, don't just examine the CNAME records... 👀
Inspect the HTTP response too, as it can reveal more accurate signs of a third-party service that might be susceptible to subdomain takeovers! 😎
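An added example (not from the post) of the tip: score a candidate on both DNS and HTTP evidence instead of the CNAME alone. The fingerprint table is a small constructed one for three well-known providers and their "nothing claimed here" banners; real-world lists are much longer. The third constructed sample shows the case the post is getting at: the CNAME chain only reveals a CDN, but the origin's error page still names the unclaimed backend.

```python
import re

# Constructed fingerprint table for this example. Each entry: provider,
# regex over a CNAME target, regex over the body served for an unclaimed resource.
FINGERPRINTS = [
    ("AWS S3", r"\.s3[.-][a-z0-9.-]*amazonaws\.com\.?$",
     r"NoSuchBucket|The specified bucket does not exist"),
    ("GitHub Pages", r"\.github\.io\.?$",
     r"There isn't a GitHub Pages site here"),
    ("Heroku", r"\.heroku(app|dns)\.com\.?$",
     r"No such app"),
]


def assess(host, cname_chain, status, body):
    """Combine DNS and HTTP evidence for one hostname.

    cname_chain: every CNAME target seen while resolving (may be empty, e.g. an
    A record straight to a vendor IP). Returns a verdict plus the providers hit.
    """
    dns_hits = {p for p, c_re, _ in FINGERPRINTS
                for c in cname_chain if re.search(c_re, c, re.I)}
    http_hits = {p for p, _, b_re in FINGERPRINTS if re.search(b_re, body or "")}
    both = dns_hits & http_hits
    if both:
        verdict = "strong"      # vendor in DNS AND vendor says the resource is unclaimed
    elif http_hits:
        verdict = "http-only"   # vendor hidden behind a CDN/proxy or an A record
    elif dns_hits:
        verdict = "dns-only"    # vendor in DNS but serving content: probably claimed
    else:
        verdict = "none"
    return {"host": host, "status": status, "verdict": verdict,
            "providers": sorted(both or http_hits or dns_hits)}


# Constructed observations, not real targets.
SAMPLES = [
    ("assets.example.com", ["assets.example.com.s3-website-us-east-1.amazonaws.com"], 404,
     "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"),
    ("docs.example.com", ["example-docs.github.io"], 200,
     "<html><body>Welcome to our docs</body></html>"),
    ("shop.example.com", ["cdn.example.net", "d111111abcdef8.cloudfront.net"], 404,
     "<html><head><title>No such app</title></head><body>There is no app configured at that hostname.</body></html>"),
]


def run_samples():
    return [assess(*s) for s in SAMPLES]


if __name__ == "__main__":
    for r in run_samples():
        print(f"{r['host']:<20} {r['status']} {r['verdict']:<10} {', '.join(r['providers'])}")
```

A "dns-only" result still deserves a manual look, and an "http-only" one needs you to confirm which hostname the backend actually keys on (the Host header it receives may differ from the public one) before calling it a takeover.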
I've recently put more work into my ffuf fork, uff, and I think every ffuf user should at least give it a try - and maybe even switch to it.
Here's why, in a #bugbounty 🧵
Sharon Brizinov made ~$64k by recovering secrets from deleted files in public Git repos. Even after using git rm, files remain in the history stored in the .git/objects dir until garbage collection runs.
Here's the command to use: