0xacb
@0xacb.com
Hacker grinding for L1gh7 and Fr33dφm, straight outta the cosmic realm.
Co-founder @ethiack.com
https://0xacb.com
When testing GraphQL APIs make sure to run graphw00f (https://github.com/dolevf/graphw00f) to fingerprint the specific GraphQL implementation the application is running. Then you can review the Threat Matrix to get likely attack vectors.
November 10, 2025 at 11:53 AM
If you found a package.json file in the wild, you might find some internal packages vulnerable to a dependency confusion attack 👀
Check for it quicker using this cool new tool by JSMon: https://app.jsmon.sh/tools/npm-validator 👇
November 6, 2025 at 10:07 AM
Tomorrow I'll be speaking at https://lisbonai.xyz
We're building faster than ever with AI. But are we building securely?
I'll show how agents can perform penetration testing and introduce Hackian: an autonomous agent that identifies vulnerabilities before attackers do.
November 3, 2025 at 12:37 PM
Just had an amazing time working with Shopify in Toronto 🍁
Thanks @hacker0x01.bsky.social for organizing such an incredible event and bringing awesome researchers together.
#togetherwehitharder #h1416 #shopify #hacking #goleafs
October 30, 2025 at 9:37 AM
Found an XSS but got blocked by the CSP?
https://cspbypass.com has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
October 21, 2025 at 9:16 AM
Thanks @hacker0x01.bsky.social for the amazing LHE!
Had the chance to work with TikTok and OKX and found some cool vulns, including two 0days. Will try to publish a write up once they're fixed!
Also, big congrats to the new MVH champion @corraldev.bsky.social for the huge mic-drop at this event 🤯
October 2, 2025 at 11:58 AM
On my way to @hacker0x01.bsky.social #h165 to pop some shells on TikTok and OKX ✈️
September 28, 2025 at 7:47 PM
How to extract endpoints from JS using @pdiscoveryio's katana 👇
September 24, 2025 at 12:22 PM
Just one week to go until hackAIcon in Lisbon! 🤖🇵🇹
Can't believe tickets have officially sold out already!
Thank you to everyone that has supported the event 🙏
I can't wait to see you all there!
September 18, 2025 at 8:48 AM
If you need a list of trusted resolvers, e.g. to be used with puredns for active enumeration, @trick3st has a great one.
Just run this:
⌨️ curl https://raw.githubusercontent.com/trickest/resolvers/refs/heads/main/resolvers-trusted.txt -O
More stuff at👇
https://github.com/trickest/resolvers
September 16, 2025 at 9:13 AM
If you look at the AI-generated code below, you may notice that path traversal is prevented via basename functions.
Can you still exploit it?
Try here 👉 https://ai4eh.ethiack.ninja
September 15, 2025 at 9:03 AM
The Hack the Agent challenge is finished.
GG to all the hackers who played! We hope you enjoyed it.
We will leave it running for those who still want to play with it at https://hacktheagent.com
Stay tuned on @ethiack socials for more challenges.
September 12, 2025 at 8:37 AM
This one-liner by @tomnomnom.com finds all Git repos, creates a git-objects/ folder for each one and dumps every object (commits, trees, blobs, tags) into files named by their hash.
Effectively exporting the raw Git database into human-readable files, repo by repo!
September 10, 2025 at 11:22 AM
Want to put your AI model hacking skills to the test?
See if you can solve all the challenges in our Hack The Agent challenge!
Try it at: https://hacktheagent.com
September 2, 2025 at 8:23 AM
HackAICon is just around the corner!
If you wanna join us in Lisbon and haven't got your ticket yet, grab one here: https://hackaicon.com
Or try to win a ticket! (🔗 link in comments)
August 28, 2025 at 8:50 AM
Time to reveal what I was doing with @teknogeek.io back in '19.
All the hard work and sleepless nights have paid off!
August 26, 2025 at 9:02 AM
The AI-powered hacking space is moving fast.
CAI was already pretty solid, and Strix just dropped last week.
Strix: https://github.com/usestrix/strix
CAI: https://github.com/aliasrobotics/cai
Anyone tried these yet?
August 25, 2025 at 9:47 AM
Want to win a ticket to HackAICon, @caido.io licenses or even a @ctbbpodcast.bsky.social discord subscription?
We're currently running a simple 5-level LLM CTF Challenge. Complete all levels to enter our weekly raffles.
Good luck! Start hacking: https://hacktheagent.com
August 21, 2025 at 8:34 AM
August 16, 2025 at 10:01 AM
How to turn iframes and window.open into weapons for XSS.
From origin manipulation to sandbox escape, this paper by Huli is stacked with juicy info.
Read at: https://blog.huli.tw/2022/04/07/en/iframe-and-window-open
August 15, 2025 at 9:15 AM
What happens after Black Hat and Defcon?
HackAIcon 2025.
We're hosting a conference dedicated to combining AI and ethical hacking in Lisbon! And we have some incredible speakers lined up for you.
Early Bird tickets are available!
Get your ticket: https://hackaicon.com
August 14, 2025 at 9:03 AM
And that's a wrap 🎰
First time with @ethiack.com at #hackersummercamp
This year I didn't participate in any Live Hacking Events, so I pivoted to the OSINT competition from Recon Village. I'm now an uncertified geoguesser📍
See y'all next year!
August 12, 2025 at 10:59 AM
Just released a new recollapse version thanks to @ryancbarnnet and @4ng3lhacker after their talk in BlackHat today.
What’s new?
💥 Mode 6: Fuzz case folding/upper/lower
💥 Mode 7: Fuzz byte truncations
💥 Recollapse can now be used as a python library and is available on PyPI
Check it out 👇
August 8, 2025 at 1:38 AM
Want to learn how to hack LLMs? The research team at @ethiack.com just launched a 5-level CTF.
And we’ll be handing prizes to top performers every week, including @caido.io licenses!
👉 hacktheagent.com
August 6, 2025 at 5:26 PM