0xacb
@0xacb.com
Hacker grinding for L1gh7 and Fr33dφm, straight outta the cosmic realm.
Co-founder @ethiack.com
https://0xacb.com
Co-founder @ethiack.com
https://0xacb.com
When testing GraphQL APIs make sure to run graphw00f (https://github.com/dolevf/graphw00f) to fingerprint the specific GraphQL implementation the application is running. Then you can review the Threat Matrix to get likely attack vectors.
November 10, 2025 at 11:53 AM
When testing GraphQL APIs make sure to run graphw00f (https://github.com/dolevf/graphw00f) to fingerprint the specific GraphQL implementation the application is running. Then you can review the Threat Matrix to get likely attack vectors.
If you still haven't: set up a JS file monitor to send you notifications via Telegram or Slack every time your target app JavaScript gets updated, a great way to stay on top of updates 👾
https://github.com/robre/jsmon
There's also a fork with Discord support:
https://github.com/robre/jsmon
There's also a fork with Discord support:
GitHub - seczq/jsmon: a javascript change monitoring tool for bugbounties
a javascript change monitoring tool for bugbounties - GitHub - seczq/jsmon: a javascript change monitoring tool for bugbounties
github.com
November 7, 2025 at 9:38 AM
If you still haven't: set up a JS file monitor to send you notifications via Telegram or Slack every time your target app JavaScript gets updated, a great way to stay on top of updates 👾
https://github.com/robre/jsmon
There's also a fork with Discord support:
https://github.com/robre/jsmon
There's also a fork with Discord support:
If you found a package.json file in the wild, you might find some internal packages vulnerable to a dependency confusion attack 👀
Check for it quicker using this cool new tool by JSMon: https://app.jsmon.sh/tools/npm-validator 👇
Check for it quicker using this cool new tool by JSMon: https://app.jsmon.sh/tools/npm-validator 👇
November 6, 2025 at 10:07 AM
If you found a package.json file in the wild, you might find some internal packages vulnerable to a dependency confusion attack 👀
Check for it quicker using this cool new tool by JSMon: https://app.jsmon.sh/tools/npm-validator 👇
Check for it quicker using this cool new tool by JSMon: https://app.jsmon.sh/tools/npm-validator 👇
Looking into a potential SSRF or OR but the server checks against a URL whitelist?
Try the backslash trick! Due to a difference in URL specifications, some parsers will treat '\' the same as '/', while others will not.
Here's an example payload: https://<attacker-url>\@<whitelisted-url>/
Try the backslash trick! Due to a difference in URL specifications, some parsers will treat '\' the same as '/', while others will not.
Here's an example payload: https://<attacker-url>\@<whitelisted-url>/
November 4, 2025 at 9:37 AM
Looking into a potential SSRF or OR but the server checks against a URL whitelist?
Try the backslash trick! Due to a difference in URL specifications, some parsers will treat '\' the same as '/', while others will not.
Here's an example payload: https://<attacker-url>\@<whitelisted-url>/
Try the backslash trick! Due to a difference in URL specifications, some parsers will treat '\' the same as '/', while others will not.
Here's an example payload: https://<attacker-url>\@<whitelisted-url>/
Tomorrow I'll be speaking at https://lisbonai.xyz
We're building faster than ever with AI. But are we building securely?
I'll show how agents can perform penetration testing and introduce Hackian: an autonomous agent that identifies vulnerabilities before attackers do.
We're building faster than ever with AI. But are we building securely?
I'll show how agents can perform penetration testing and introduce Hackian: an autonomous agent that identifies vulnerabilities before attackers do.
November 3, 2025 at 12:37 PM
Tomorrow I'll be speaking at https://lisbonai.xyz
We're building faster than ever with AI. But are we building securely?
I'll show how agents can perform penetration testing and introduce Hackian: an autonomous agent that identifies vulnerabilities before attackers do.
We're building faster than ever with AI. But are we building securely?
I'll show how agents can perform penetration testing and introduce Hackian: an autonomous agent that identifies vulnerabilities before attackers do.
Reposted by 0xacb
Just had an amazing time working with Shopify in Toronto 🍁
Thanks @hacker0x01.bsky.social for organizing such an incredible event and bringing awesome researchers together.
#togetherwehitharder #h1416 #shopify #hacking #goleafs
Thanks @hacker0x01.bsky.social for organizing such an incredible event and bringing awesome researchers together.
#togetherwehitharder #h1416 #shopify #hacking #goleafs
October 30, 2025 at 9:37 AM
Just had an amazing time working with Shopify in Toronto 🍁
Thanks @hacker0x01.bsky.social for organizing such an incredible event and bringing awesome researchers together.
#togetherwehitharder #h1416 #shopify #hacking #goleafs
Thanks @hacker0x01.bsky.social for organizing such an incredible event and bringing awesome researchers together.
#togetherwehitharder #h1416 #shopify #hacking #goleafs
If you found a dangling DNS record, you might be able to take control of it 👀
Be sure to check https://github.com/EdOverflow/can-i-take-over-xyz, which has an extensive list of vulnerable services and guides on how to claim them.
Be sure to check https://github.com/EdOverflow/can-i-take-over-xyz, which has an extensive list of vulnerable services and guides on how to claim them.
GitHub - EdOverflow/can-i-take-over-xyz: "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records. - EdOverflow/can-i-take-over-xyz
github.com
October 29, 2025 at 10:31 AM
If you found a dangling DNS record, you might be able to take control of it 👀
Be sure to check https://github.com/EdOverflow/can-i-take-over-xyz, which has an extensive list of vulnerable services and guides on how to claim them.
Be sure to check https://github.com/EdOverflow/can-i-take-over-xyz, which has an extensive list of vulnerable services and guides on how to claim them.
Modern websites use a lot of intermediary servers - caches, load balancers, proxies, and so on. You can try to send the 'Max-Forwards' header with your request to limit the amount of servers it will reach. It's defined in HTTP specs primarily for TRACE and OPTIONS methods, though.
October 27, 2025 at 10:59 AM
Modern websites use a lot of intermediary servers - caches, load balancers, proxies, and so on. You can try to send the 'Max-Forwards' header with your request to limit the amount of servers it will reach. It's defined in HTTP specs primarily for TRACE and OPTIONS methods, though.
Reposted by 0xacb
October 24, 2025 at 8:00 PM
Recon tip: Run xnl-h4ck3r's waymore on the target you're testing. It searches for URLs from multiple sources, the Wayback Machine, Common Crawl, URLScan and more. It also provides a lot of options to filter your results.
Check it out here 👇
Check it out here 👇
GitHub - xnl-h4ck3r/waymore: Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan, VirusTotal & Intelligence X!
Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan, VirusTotal & Intelligence X! - xnl-h4ck3r/waymore
github.com
October 22, 2025 at 9:15 AM
Recon tip: Run xnl-h4ck3r's waymore on the target you're testing. It searches for URLs from multiple sources, the Wayback Machine, Common Crawl, URLScan and more. It also provides a lot of options to filter your results.
Check it out here 👇
Check it out here 👇
Found an XSS but got blocked by the CSP?
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
October 21, 2025 at 9:16 AM
Found an XSS but got blocked by the CSP?
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
Thanks @hacker0x01.bsky.social for the amazing LHE!
Had the chance to work with TikTok and OKX and found some cool vulns, including two 0days. Will try to publish a write up once they're fixed!
Also, big congrats to the new MVH champion @corraldev.bsky.social for the huge mic-drop at this event 🤯
Had the chance to work with TikTok and OKX and found some cool vulns, including two 0days. Will try to publish a write up once they're fixed!
Also, big congrats to the new MVH champion @corraldev.bsky.social for the huge mic-drop at this event 🤯
October 2, 2025 at 11:58 AM
Thanks @hacker0x01.bsky.social for the amazing LHE!
Had the chance to work with TikTok and OKX and found some cool vulns, including two 0days. Will try to publish a write up once they're fixed!
Also, big congrats to the new MVH champion @corraldev.bsky.social for the huge mic-drop at this event 🤯
Had the chance to work with TikTok and OKX and found some cool vulns, including two 0days. Will try to publish a write up once they're fixed!
Also, big congrats to the new MVH champion @corraldev.bsky.social for the huge mic-drop at this event 🤯
Need to search through JSON output?
Make JSON greppable with @tomnomnom's gron 👇
Make JSON greppable with @tomnomnom's gron 👇
GitHub - tomnomnom/gron: Make JSON greppable!
Make JSON greppable! Contribute to tomnomnom/gron development by creating an account on GitHub.
github.com
September 30, 2025 at 2:05 PM
Need to search through JSON output?
Make JSON greppable with @tomnomnom's gron 👇
Make JSON greppable with @tomnomnom's gron 👇
On my way to @hacker0x01.bsky.social #h165 to pop some shells on TikTok and OKX ✈️
September 28, 2025 at 7:47 PM
On my way to @hacker0x01.bsky.social #h165 to pop some shells on TikTok and OKX ✈️
How to extract endpoints from JS using @pdiscoveryio's katana 👇
September 24, 2025 at 12:22 PM
How to extract endpoints from JS using @pdiscoveryio's katana 👇
Just one week to go until hackAIcon in Lisbon! 🤖🇵🇹
Can't believe tickets have officially sold out already!
Thank you to everyone that has supported the event 🙏
I can't wait to see you all there!
Can't believe tickets have officially sold out already!
Thank you to everyone that has supported the event 🙏
I can't wait to see you all there!
September 18, 2025 at 8:48 AM
Just one week to go until hackAIcon in Lisbon! 🤖🇵🇹
Can't believe tickets have officially sold out already!
Thank you to everyone that has supported the event 🙏
I can't wait to see you all there!
Can't believe tickets have officially sold out already!
Thank you to everyone that has supported the event 🙏
I can't wait to see you all there!
If you need a list of trusted resolvers, e.g. to be used with puredns for active enumeration, @trick3st has a great one.
Just run this:
⌨️ curl https://raw.githubusercontent.com/trickest/resolvers/refs/heads/main/resolvers-trusted.txt -O
More stuff at👇
https://github.com/trickest/resolvers
Just run this:
⌨️ curl https://raw.githubusercontent.com/trickest/resolvers/refs/heads/main/resolvers-trusted.txt -O
More stuff at👇
https://github.com/trickest/resolvers
September 16, 2025 at 9:13 AM
If you need a list of trusted resolvers, e.g. to be used with puredns for active enumeration, @trick3st has a great one.
Just run this:
⌨️ curl https://raw.githubusercontent.com/trickest/resolvers/refs/heads/main/resolvers-trusted.txt -O
More stuff at👇
https://github.com/trickest/resolvers
Just run this:
⌨️ curl https://raw.githubusercontent.com/trickest/resolvers/refs/heads/main/resolvers-trusted.txt -O
More stuff at👇
https://github.com/trickest/resolvers
If you look at the AI-generated code below, you may notice that path traversal is prevented via basename functions.
Can you still exploit it?
Try here 👉 https://ai4eh.ethiack.ninja
Can you still exploit it?
Try here 👉 https://ai4eh.ethiack.ninja
September 15, 2025 at 9:03 AM
If you look at the AI-generated code below, you may notice that path traversal is prevented via basename functions.
Can you still exploit it?
Try here 👉 https://ai4eh.ethiack.ninja
Can you still exploit it?
Try here 👉 https://ai4eh.ethiack.ninja
The Hack the Agent challenge is finished.
GG to all the hackers who played! We hope you enjoyed it.
We will leave it running for those who still want to play with it at https://hacktheagent.com
Stay tuned on @ethiack socials for more challenges.
GG to all the hackers who played! We hope you enjoyed it.
We will leave it running for those who still want to play with it at https://hacktheagent.com
Stay tuned on @ethiack socials for more challenges.
September 12, 2025 at 8:37 AM
The Hack the Agent challenge is finished.
GG to all the hackers who played! We hope you enjoyed it.
We will leave it running for those who still want to play with it at https://hacktheagent.com
Stay tuned on @ethiack socials for more challenges.
GG to all the hackers who played! We hope you enjoyed it.
We will leave it running for those who still want to play with it at https://hacktheagent.com
Stay tuned on @ethiack socials for more challenges.
This one-liner by @tomnomnom.com finds all Git repos, creates a git-objects/ folder for each one and dumps every object (commits, trees, blobs, tags) into files named by their hash.
Effectively exporting the raw Git database into human-readable files, repo by repo!
Effectively exporting the raw Git database into human-readable files, repo by repo!
September 10, 2025 at 11:22 AM
This one-liner by @tomnomnom.com finds all Git repos, creates a git-objects/ folder for each one and dumps every object (commits, trees, blobs, tags) into files named by their hash.
Effectively exporting the raw Git database into human-readable files, repo by repo!
Effectively exporting the raw Git database into human-readable files, repo by repo!
Bypassing WAFs with traditional payloads is getting harder.
Here's how clever payload splitting can bypass them 👇
Here's how clever payload splitting can bypass them 👇
Bypassing WAFs for Fun and JS Injection with Parameter Pollution
Technical deep dive into bypassing a strict Web Application Firewall using HTTP Parameter Pollution, leveraging multi-parameter payload splitting to achieve JavaScript injection and evade detection.
blog.ethiack.com
September 8, 2025 at 8:08 AM
Bypassing WAFs with traditional payloads is getting harder.
Here's how clever payload splitting can bypass them 👇
Here's how clever payload splitting can bypass them 👇
Some thoughts from @rez0__ on the future of bug bounty and AI 🔥
As someone working on hackbots, I agree that human + AI symbiosis will likely be more effective than either alone.
As someone working on hackbots, I agree that human + AI symbiosis will likely be more effective than either alone.
This Is How They Tell Me Bug Bounty Ends
Exploring the transformation and future of bug bounty hunting with automation and AI.
josephthacker.com
September 5, 2025 at 9:14 AM
Some thoughts from @rez0__ on the future of bug bounty and AI 🔥
As someone working on hackbots, I agree that human + AI symbiosis will likely be more effective than either alone.
As someone working on hackbots, I agree that human + AI symbiosis will likely be more effective than either alone.
Want to put your AI model hacking skills to the test?
See if you can solve all the challenges in our Hack The Agent challenge!
Try it at: https://hacktheagent.com
See if you can solve all the challenges in our Hack The Agent challenge!
Try it at: https://hacktheagent.com
September 2, 2025 at 8:23 AM
Want to put your AI model hacking skills to the test?
See if you can solve all the challenges in our Hack The Agent challenge!
Try it at: https://hacktheagent.com
See if you can solve all the challenges in our Hack The Agent challenge!
Try it at: https://hacktheagent.com