
André Baptista

@0xacb

Hacker grinding for L1gh7 and Fr33dφm, straight outta the cosmic realm. Co-founder @ethiack

Pinned

We won the MVH title at #h1702 🔥 @NahamSec @ajxchapman


Looking into a potential SSRF or OR but the server checks against a URL whitelist? Try the backslash trick! Due to a difference in URL specifications, some parsers will treat '\' the same as '/', while others will not. Here's an example payload:…
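The tip above is about two parsers disagreeing on what a URL means. As an added example (not code from the original post, and not the author's payload), here is a defensive allowlist check written for Node's WHATWG `URL` class: it rejects any raw backslash before parsing, so a URL that would mean one host to a browser-style parser and another host to an RFC 3986 parser is never accepted. The host name `api.trusted.example` and the function names are assumptions for the illustration.

```javascript
// Added example: allowlist check for user-supplied URLs that refuses ambiguous input.
// Assumptions: ALLOWED_HOSTS and the function names are hypothetical.
const ALLOWED_HOSTS = new Set(["api.trusted.example"]);

function naiveAllowlistCheck(input) {
  // The check that is easy to get wrong: a string-prefix test that never asks a
  // parser what the host actually is, so it cannot see parser disagreements.
  return input.startsWith("https://api.trusted.example/");
}

function strictAllowlistCheck(input) {
  // 1. Refuse any raw backslash up front. The WHATWG parser (browsers, Node's URL)
  //    treats '\' as '/' for http(s), while RFC 3986 parsers keep it as part of the
  //    host or path. Input that two parsers read differently is not worth accepting.
  if (input.includes("\\")) return false;

  let url;
  try {
    url = new URL(input);
  } catch {
    return false; // unparseable input is rejected, not "fixed up"
  }

  // 2. Only https, no embedded credentials, and an exact host-name match.
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  if (!ALLOWED_HOSTS.has(url.hostname)) return false;

  // 3. Require the canonical serialization to equal what was submitted, so anything
  //    the parser silently normalized (case, dot segments, encoding) is rejected
  //    rather than hidden from the caller.
  return url.href === input;
}
```

Step 3 is deliberately strict: it turns every normalization the parser performs into a rejection, which is the safer default for server-side fetches where the caller can be asked to resubmit a canonical URL.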


Tomorrow I'll be speaking at @lisbonai_! We're building faster than ever with AI. But are we building securely? I'll show how agents can perform penetration testing and introduce Hackian: an autonomous agent that identifies vulnerabilities before attackers do. See you there:…

André Baptista reposted

As attack surfaces grow exponentially, driven by AI-accelerated development and increasing technical debt, security must scale accordingly. We've been intensely focused on building the future of security, and our Co-founder, André Baptista (@0xacb) is pulling back the curtain on…

Just had an amazing time working with @ShopifyEng in Toronto 🍁 Thanks @Hacker0x01 for organizing such an incredible event and bringing awesome researchers together. #togetherwehitharder #h1416 #shopify #hacking #goleafs

André Baptista reposted

The BsidesLisbon CTF Qualifiers are officially closed! Huge congrats to the Top 10 teams who will be moving on to the intense onsite finals. See the final rankings on the scoreboard here👉 quals.bsideslisbon.org/scoreboard

If you found a dangling DNS record, you might be able to take control of it 👀 Be sure to check github.com/EdOverflow/can…, which has an extensive list of vulnerable services and guides on how to claim them.


Here's a quick little hacking tip that's landed me some interesting bugs. When you see an ID parameter, give it a little manual fuzz and see what happens: - Positive integer - Negative integer - Decimal points - Letters - Symbols - Really big number - 0 (Yeah, this one dumped…


André Baptista reposted

I found out that you can use "ftp::" to convert a limited DOM Clobbering situation into a full CSPT. Then, while talking about it with @LooseSecurity, he found that we can also use "https::" This can be used to prevent URL parsing of href, allowing us to hit other endpoints

Modern websites use a lot of intermediary servers - caches, load balancers, proxies, and so on. You can try to send the 'Max-Forwards' header with your request to limit the number of servers it will reach. It's defined in HTTP specs primarily for TRACE and OPTIONS methods,…


André Baptista reposted

🚨@BsidesLisbon CTF Quals starts now! 🔓Join at: quals.bsideslisbon.org #CTF #BSidesLisbon

Prototype pollution is often missed. Here's how to find it. Prototype pollution is a powerful client-side vulnerability that can lead to XSS. The main requirements to exploit it are: - Unsafe parsing of user-controlled objects (via URL parameters, JSON, postMessages, etc.) - A…
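The post above names the first requirement: an object built from user input is merged into application state without care. As an added example (not from the original post, and not the author's code), the unsafe recursive merge that makes this possible is shown beside a hardened version, with a small check that tells whether an unrelated object was affected. The sample JSON body and the function names are constructed for the illustration.

```javascript
// Added example: unsafe recursive merge vs. a hardened merge, with a pollution check.
// Assumptions: SAMPLE_INPUT and the function names are hypothetical.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

function unsafeMerge(target, source) {
  // Walks every enumerable key, including "__proto__", and recurses into it.
  // JSON.parse creates "__proto__" as an ordinary own property on `source`,
  // but reading target["__proto__"] returns Object.prototype, so the next
  // level of recursion writes onto the prototype shared by every plain object.
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never follow the keys that reach the prototype chain
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null); // null-prototype container: nothing above it to write to
      }
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed sample: the kind of JSON body a settings endpoint might accept verbatim.
const SAMPLE_INPUT = '{"theme":"dark","__proto__":{"isAdmin":true}}';

function pollutionCheck(mergeFn) {
  // Merge the sample into an empty object, then ask a fresh, unrelated object
  // whether it acquired "isAdmin". Cleans up afterwards so the check is repeatable.
  const result = mergeFn({}, JSON.parse(SAMPLE_INPUT));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, theme: result.theme };
}
```

`pollutionCheck(unsafeMerge)` reports `polluted: true` while `pollutionCheck(safeMerge)` reports `polluted: false` with the ordinary `theme` key still copied, which is the behaviour a code review or unit test of any merge, extend or deep-assign helper should pin down.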


André Baptista reposted

As a homage to the work of @Blaklis_, our Security Researcher @softpoison_ debuts his first research post on reverse engineering a critical unauthenticated RCE in Magento (SessionReaper) CVE-2025-54236 at @SLCyberSec: slcyber.io/assetnote-secu…


André Baptista reposted

Proud to announce that @ethiack will host this year’s #BSidesLisbon CTF! Test your offensive security skills in realistic challenges and compete against top hackers. 🗓️ Quals start Friday, 9PM Register now 👉 quals.bsideslisbon.org #CTF #Cybersecurity #OffensiveSecurity

Recon tip: Run xnl-h4ck3r's waymore on the target you're testing. It searches for URLs from multiple sources, the Wayback Machine, Common Crawl, URLScan and more. It also provides a lot of options to filter your results. Check it out here 👇 github.com/xnl-h4ck3r/way…


André Baptista reposted

As someone technical, you know that hacking systems is not necessarily a bad thing. It can actually be a good thing to detect vulnerabilities and correct them before someone with bad intentions explores it. @0xacb has spent over a decade hacking and understanding cybersecurity.…

Found an XSS but got blocked by the CSP? cspbypass.com has a compiled list of ways to bypass the Content Security Policy. Check out the video below 👇


If your hacking method looks like everyone else’s, so will your findings. My advice is to get weird. Bug bounty wins come from being different. Everyone checks the basics. You need to hunt the edges, the overlooked, the strange. Go past the checklist, and you'll land what others…


André Baptista reposted

A mini research piece I did about escalating an XSS using 414 and 431 server size limit errors, and how I escalated an XSS to account takeover using a Salesforce URL Limit Gadget on an ecommerce website. Hope you enjoy it castilho.sh/scream-until-e…

