Mat Rollings

Gecko 1.6.0 is released! @stealthcopter added the Ignore Patterns feature and a Docker build! chromewebstore.google.com/detail/gecko/m…

@busf4ctor "security on demand" 🤣

ok, I need to get this off my chest. I'm hacking on this target, and I found something crazy. It should not work. The question is: WHY did the developers make CSP a feature flag you can disable???? LOL

Thank you so much for the great feedback on the XSS-LABS! I dropped a new version that adds "completed" checks and keeps levels solved when you re-enter them. Thank you to @stealthcopter for adding Docker Support and constructive feedback on checks! artsec.me/projects

@monkehack subscribe 🍿

@stealthcopter My friend, you are not ready for the dumb shit I will get up to

I am conflicted between working on things that are useful for my career, and just building the dumbest shit I can think of for the hell of it

@dropn0w @PinkDraconian It's somewhat common in app dev to have a cloud config to pull your API keys from rather than hardcoding them. Firebase Remote Config is the one I'm aware of. Also generally in mobile dev a google maps api key is tied to the app's signature. So it's less of an issue.

@PinkDraconian Difficult to say. In mobile apps many API keys like those are exposed, but in more mature apps you don’t usually see the API key directly. they still use it somewhere. From a black box perspective this looks like a middleware layer, but I can’t confirm that.

I still don't understand Google Maps API keys. If you're showing a map on your website, the API key is in your client-side code. An attacker can use this API key to send millions of requests and you're paying for it. There's no way to secure it?

That time of year again, another totally human Black Friday / Cyber Monday for PortDroid: 💸>50% off Lifetime 🔍Port Scanner for Android 👨‍💻I wrote it 🍺Share it somewhere useful and I'll buy you a drink Buy it, capitalism demands it. Or don't portdroid.net/bf-25

@flourish29732 Scam.

@peacedeborah11 Scam.

Since starting my training I've lost over 7kg, dropped 6% body fat, got 4 new Hawaiian shirts, and taken >5mins off my 5k time. Am I ready? No. But I'll get through it by thinking about the post-run takeaway and bubble bath 🛀 Last chance to donate🙏 justgiving.com/page/oh-no-25k…

REGEXSS: How .* Turned Into over $6k in Bounties Overly-greedy regex replacements can break HTML sanitisation & lead to XSS. Includes a live demo you can try exploiting it yourself! sec.stealthcopter.com/regexss #BugBounty #BugBountyTips #XSS #AppSec

@0xTib3rius It was before vibe-coding kicked off but I've seen SECRET_KEY="uuid" in the wild 🙃

Been playing around with vibe-coding a little recently. I'd be willing to bet there's probably quite a few vibe-coded Flask apps running on the Internet with a secret key of "your-secret-key-here".

@0xbeven Nice work! 🥳

@stealthcopter thanks for the platform, time and a welcoming heart wpctf.org

@hamidonsolo Nope, this was simple regex bugs on content. Working on a blog post for it 🙂 coming soon ™

@stealthcopter Postmessage xss ?

Last week I found two regex bugs using regex → unauth XSS → 2× $2k = $4k in bounties 🥳 If you’ve been putting it off, learn regex. Seriously. /regex\+xss/\$4k/ #BugBounty #BugBountyTips

@AatankBadb16659 This was using regex to find overly greedy regex replacements that could be abused to get XSS

@stealthcopter Its awesome , So you use regex for finding xss sinks or source ?

@AatankBadb16659 Yeah, I'll do a blog post towards the end of the month when I've got a few more examples 🙂

@stealthcopter Any reference ?

Physically & emotionally drained after the rollercoaster that was @yeswehack’s #LHE at #NullconBerlin2025 @TeamViewer was a tough target & I nearly gave up but pushed through to snag 10th place overall 🥳 Thanks to @yeswehack for the support & awesome hosting! #BugBounty

aww yis 🥳thanks @yeswehack, pretty sure it was the vuln title that did it 😉

@carbonmanx Sweet, I just got my ticket too 🥳

@stealthcopter Yeah I am, figured it's also an excuse to see Lisbon as I've not been before! Tickets bought 👍

Really enjoyed these AI hacking challenges by HackAIcon, the last one had some fun little twists: hacktheagent.com #ctf