André Baptista's banner
André Baptista's profile picture

André Baptista

@0xacb19,091 subscribers

Hacker grinding for L1gh7 and Fr33dφm, straight outta the cosmic realm. Co-founder @ethiack

Shorts

A researcher found an Instagram vuln letting anyone access Note videos with audio that should've been silent by default. Just by paying attention and using Devtools :) Meta paid $1000 for this finding. Video credits: i12gocaj

A researcher found an Instagram vuln letting anyone access Note videos with audio that should've been silent by default. Just by paying attention and using Devtools :) Meta paid $1000 for this finding. Video credits: i12gocaj

62,609 views

DMARC can reveal more domains associated with a target. allows you to find domains using the same DMARC record. Check it out 👇 There's also a python tool:

DMARC can reveal more domains associated with a target. allows you to find domains using the same DMARC record. Check it out 👇 There's also a python tool:

66,250 views

When testing GraphQL APIs make sure to run graphw00f ( to fingerprint the specific GraphQL implementation the application is running. Then you can review the Threat Matrix to get likely attack vectors.

When testing GraphQL APIs make sure to run graphw00f ( to fingerprint the specific GraphQL implementation the application is running. Then you can review the Threat Matrix to get likely attack vectors.

38,468 views

Manually hunting for endpoints and hidden parameters in web apps? Another nice tool from / XNL -н4cĸ3r (and @xnl-h4ck3r in the new Sky) is xnLinkFinder that crawls targets, extracts links, discovers secrets, and builds target-specific wordlists. All from Burp files, ZAP exports, HAR files, or URLs. Try it out 👇

Manually hunting for endpoints and hidden parameters in web apps? Another nice tool from / XNL -н4cĸ3r (and @xnl-h4ck3r in the new Sky) is xnLinkFinder that crawls targets, extracts links, discovers secrets, and builds target-specific wordlists. All from Burp files, ZAP exports, HAR files, or URLs. Try it out 👇

14,312 views

RFC 2047 "encoded-word" is crazy! It lets you smuggle encoded payloads into email addresses and the craziest thing is that some parsers decode it before validation 👇 Shout out to Gareth Heyes \u2028 for this 🔥

RFC 2047 "encoded-word" is crazy! It lets you smuggle encoded payloads into email addresses and the craziest thing is that some parsers decode it before validation 👇 Shout out to Gareth Heyes \u2028 for this 🔥

32,444 views

We won the MVH title at #h1702 🔥 Ben Sadeghipour Alex Chapman

We won the MVH title at #h1702 🔥 Ben Sadeghipour Alex Chapman

38,965 views

If you need to generate a target-specific wordlist, make sure to check out / XNL -н4cĸ3r (and @xnl-h4ck3r in the new Sky) GAP extension. It will scan for sus parameters and generate you a complete wordlist with one click of a button. See it in action 👇

If you need to generate a target-specific wordlist, make sure to check out / XNL -н4cĸ3r (and @xnl-h4ck3r in the new Sky) GAP extension. It will scan for sus parameters and generate you a complete wordlist with one click of a button. See it in action 👇

13,253 views

Videos

LIVE
1.2k

Anya Rossi

sweetdream.ai

SweetDream.aiSponsoredLivecam
Streaming Now

Watch Anya Live

Anya is streaming live right now! Join her private show and enjoy exclusive content.

HD live stream
Exclusive private shows
1.2k viewers online

Free preview available • Premium content

Found an XSS but got blocked by the CSP? has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇
0:25
0xacb's profile picture

Found an XSS but got blocked by the CSP? has a compiled list of ways to bypass the Content-Security Policy. Check out the video below 👇

André Baptista

47,844 views • 7 months ago

Our pentesting agent found a 1-click ATO to RCE in Gateway Control UI in under 2 hours. Local instances can also be exploited with one click. Patched in main, update now. Watch the exploit 👇
0:23
0xacb's profile picture

Our pentesting agent found a 1-click ATO to RCE in Gateway Control UI in under 2 hours. Local instances can also be exploited with one click. Patched in main, update now. Watch the exploit 👇

André Baptista

23,744 views • 4 months ago

Hidden or disabled fields are commonly overlooked, but they can still open the door to some cool bugs. Try creating a bookmarklet to instantly reveal these fields. Here are some quick examples you can copy and paste: 🔖 Enable all disabled or readonly fields: javascript:(function(){document.querySelectorAll('[disabled],[readonly]').forEach(el=>{el.removeAttribute('disabled');el.removeAttribute('readonly');});})(); 🔖 Unhide elements styled with display: none: javascript:(function(){document.querySelectorAll('[style*="display: none"]').forEach(el=>{
0:23
0xacb's profile picture

Hidden or disabled fields are commonly overlooked, but they can still open the door to some cool bugs. Try creating a bookmarklet to instantly reveal these fields. Here are some quick examples you can copy and paste: 🔖 Enable all disabled or readonly fields: javascript:(function(){document.querySelectorAll('[disabled],[readonly]').forEach(el=>{el.removeAttribute('disabled');el.removeAttribute('readonly');});})(); 🔖 Unhide elements styled with display: none: javascript:(function(){document.querySelectorAll('[style*="display: none"]').forEach(el=>{

André Baptista

47,088 views • 1 year ago

If you found a package.json file in the wild, you might find some internal packages vulnerable to a dependency confusion attack 👀 Check for it quicker using this cool new tool by JSMon: 👇
0:25
0xacb's profile picture

If you found a package.json file in the wild, you might find some internal packages vulnerable to a dependency confusion attack 👀 Check for it quicker using this cool new tool by JSMon: 👇

André Baptista

22,953 views • 6 months ago

Somehow, Chrome 130+ started parsing the hostname from javascript URLs again and this can be used for a constrained XSS 🤯 This was the second solution for the recent CTF challenge.
0:30
0xacb's profile picture

Somehow, Chrome 130+ started parsing the hostname from javascript URLs again and this can be used for a constrained XSS 🤯 This was the second solution for the recent CTF challenge.

André Baptista

24,966 views • 1 year ago

Just released a new recollapse version thanks to Ryan Barnett (B0N3) and Angel Hacker after their talk in Black Hat today. What’s new? 💥Mode 6: Fuzz case folding/upper/lower 💥 Mode 7: Fuzz byte truncations 💥 Recollapse is now available to use as a python library and available on Python Package Index Check it out 👇
0:38
0xacb's profile picture

Just released a new recollapse version thanks to Ryan Barnett (B0N3) and Angel Hacker after their talk in Black Hat today. What’s new? 💥Mode 6: Fuzz case folding/upper/lower 💥 Mode 7: Fuzz byte truncations 💥 Recollapse is now available to use as a python library and available on Python Package Index Check it out 👇

André Baptista

17,278 views • 10 months ago

This is how DOM clobbering works. When you create an element with an id, the browser automatically creates a global variable for that ID: Now points to that single element. But when you create multiple elements with the same id: Now becomes an HTMLCollection, not a single element. Add a name attribute: And now points to that element (works in Chromium/WebKit browsers, but not Firefox). Now combine that with a common JS pattern like: var someObject = window.someObject || {}; This is meant to provide a fallback if the global doesn't exist. However, if window.someObject has been clobbered by injected HTML, the fallback silently trusts a DOM object instead of a real JS object. Now imagine this JS logic: let imgSrc = someObject.avatar; If an attacker clobbered someObject.avatar with: If HTML is set via innerHTML or similar, then this could render as: Which triggers XSS! Here's a quick walkthrough of the DOM clobbering Web Security Academy lab👇 Try this lab:
1:12
0xacb's profile picture

This is how DOM clobbering works. When you create an element with an id, the browser automatically creates a global variable for that ID: Now points to that single element. But when you create multiple elements with the same id: Now becomes an HTMLCollection, not a single element. Add a name attribute: And now points to that element (works in Chromium/WebKit browsers, but not Firefox). Now combine that with a common JS pattern like: var someObject = window.someObject || {}; This is meant to provide a fallback if the global doesn't exist. However, if window.someObject has been clobbered by injected HTML, the fallback silently trusts a DOM object instead of a real JS object. Now imagine this JS logic: let imgSrc = someObject.avatar; If an attacker clobbered someObject.avatar with: If HTML is set via innerHTML or similar, then this could render as: Which triggers XSS! Here's a quick walkthrough of the DOM clobbering Web Security Academy lab👇 Try this lab:

André Baptista

16,631 views • 11 months ago

JS, Python & Ruby all disagree on this regex rule 🤔👇
2:12
0xacb's profile picture

JS, Python & Ruby all disagree on this regex rule 🤔👇

André Baptista

17,284 views • 1 year ago

Need help writing reports? Check out JS0N Haddix's Bounty Plz GPT ✍️ Just give it a host name and a brief description of your finding and it will do the rest! (🔗 in comments)
0:20
0xacb's profile picture

Need help writing reports? Check out JS0N Haddix's Bounty Plz GPT ✍️ Just give it a host name and a brief description of your finding and it will do the rest! (🔗 in comments)

André Baptista

16,431 views • 1 year ago

No more content to load