chebuya (@_chebuya)'s Twitter Profile

c2 enjoyer

ID: 1713029179607052288

https://blog.chebuya.com/

14-10-2023 03:09:41

72 Tweets

2,2K Followers

379 Following

chebuya (@_chebuya)

How I discovered and exploited an unauthenticated SSRF in the Havoc C2 teamserver, allowing attackers to leak origin IPs of teamservers behind redirectors and much more! blog.chebuya.com/posts/server-s… github.com/chebuya/Havoc-…

chebuya (@_chebuya)

How I discovered and exploited an Unauthenticated RCE in BYOB (Build Your Own Botnet), an open-source post-exploitation framework for students, researchers and developers with close to 9k stars on GitHub! blog.chebuya.com/posts/unauthen… github.com/chebuya/exploi…

chebuya (@_chebuya)

Not very polite behavior from a "security researcher" and colleague who re-worded my writeup for the BYOB RCE and phrased the announcement like it was their own discovery. x.com/_chebuya/statu…

chebuya (@_chebuya)

Check out this tool I've been developing. It's like httpx, but instead of finding interesting web servers to hack on, it's for finding interesting code repositories to audit. In this example I am spidering the "command-and-control" topic and running semgrep on every

chebuya (@_chebuya)

I ran semgrep on every open source target in scope on HackerOne with my tool, SASTSweep, here's what that looks like
Last teaser before tool release I promise

chebuya (@_chebuya)

Here is running SASTsweep against HackerOne open source targets
It lets you open the semgrep finding in an HTML report, and from there you can open the affected section of code within GitHub/Github1s for further analysis
Tool: github.com/chebuya/sastsw…

Clint Gibler (@clintgibler)

📚 tl;dr sec 255
🤖 Project Zero Bugs AI finds bug in SQLite
☁️ New OSS: CloudTail, SkyScalpel Permiso Security
🛣️ Auto-generate Terraform Secure Guardrails
📺 SANS Institute CloudSecNext Summit 2024 videos
🇨🇳 The TTPs Used to Neutralize China-Based Threats Sophos X-Ops
📊 Safer

Clint Gibler (@clintgibler)

🛠️ Sastsweep
A tool designed for identifying vulnerabilities in open source codebases at scale
It can gather and filter on key repo metrics such as popularity and project size, enabling targeted vulnerability research
It automatically detects potential vulnerabilities using

bot59751939 👽🏴‍☠️ (@bot59751939)

This is the contest winner :) Ships with a 0day for Crafty controller. Huge thanks to chebuya. Today I'm announcing Black Mass Research Group. Our goal is to make interesting malware for public study. Please enjoy our first project! github.com/blackmassgroup…

chebuya (@_chebuya)

I have hereby been declared GIGACHAD for the Minecraft malware I wrote for the vx-underground JVM malware competition 🥰🥰 Do check out the Black Mass Research Group telegram as well! t.me/blackmassresea…

vx-underground (@vxunderground)

vx-underground Black Mass Research Group presents: Minegrief. tl;dr a computer worm that targets minecraft github.com/blackmassgroup…