site:example[.]com ext:log | ext:txt | ext:conf | ext:cnf | ext:ini | ext:env | ext:sh | ext:bak | ext:backup | ext:swp | ext:old | ext:~ | ext:git | ext:svn | ext:htpasswd | ext:htaccess | ext:json
Please open Telegram to view this post
VIEW IN TELEGRAM
π9β€5π€¨3π1
A tool to find open S3 buckets in AWS or other cloud providers:
- AWS
- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway
- Custom
Source: https://github.com/sa7mon/s3scanner
- AWS
- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway
- Custom
Source: https://github.com/sa7mon/s3scanner
π₯7β€4π4
Please open Telegram to view this post
VIEW IN TELEGRAM
topmate.io
Brut Offensive Playbook v1 with Saumadip Mandal
Pro hacker's playbook: recon, XSS, SQLi, SSRF & more
β€1π1
You've done 10 courses. You have zero projects. You're wondering why no one's calling back.
The industry has 4.8M+ unfilled roles globally β and you're still unemployed. That's not bad luck. That's a bad strategy.
In this article we break down exactly what's broken in how beginners are approaching cybersecurity careers right now β and the 7 steps that actually get you hired in 2026:
No fluff. No "just get certified." Just what actually works.
π Want to build the skills this article talks about? Brut Practical Web Pentesting is open for enrollment β link in bio / website.
#CyberSecurity #InfoSec #CareerAdvice #PenTesting #BrutSecurity
Please open Telegram to view this post
VIEW IN TELEGRAM
Medium
Nobody Owes You a Cybersecurity Job in 2026. Hereβs How to Earn One Anyway.
Letβs get one thing straight before you read another word of this: you are not entitled to a cybersecurity job just because you finished aβ¦
β€5π₯2π2π1
Brut Security pinned Β«π¨ Nobody owes you a cybersecurity job in 2026. You've done 10 courses. You have zero projects. You're wondering why no one's calling back. The industry has 4.8M+ unfilled roles globally β and you're still unemployed. That's not bad luck. That's a bad strategy.β¦Β»
This media is not supported in your browser
VIEW IN TELEGRAM
How to manually check for CL.TE Request Smuggling Vulnerabilities:
1οΈβ£ See if a GET request accepts POST
2οΈβ£ See if it accepts HTTP/1
3οΈβ£ Disable "Update Content-Length"
4οΈβ£ Send with CL & TE headers:
POST / HTTP/1.1
Host: <HOST-URL>
Content-Length: 6
Transfer-Encoding: chunked
0
G
5οΈβ£ Send request twice.
If you receive a response like "Unrecognized method GPOST", you've just confirmed a CL.TE vulnerability!
Try this out for yourself in our CL.TE lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
1οΈβ£ See if a GET request accepts POST
2οΈβ£ See if it accepts HTTP/1
3οΈβ£ Disable "Update Content-Length"
4οΈβ£ Send with CL & TE headers:
POST / HTTP/1.1
Host: <HOST-URL>
Content-Length: 6
Transfer-Encoding: chunked
0
G
5οΈβ£ Send request twice.
If you receive a response like "Unrecognized method GPOST", you've just confirmed a CL.TE vulnerability!
Try this out for yourself in our CL.TE lab: https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
β€9π5π₯4
βΊοΈYour support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars β to help me keep going.
π¬ For queries, message me on Telegram: @wtf_brut
π For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
π¬ For queries, message me on Telegram: @wtf_brut
π For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
Telegram
Saumadip Mandal
Founder & Mentor of Brut Security
1β€11π¨βπ»1
π₯ BRUT SECURITY β DAILY PENTEST DROP π₯
"403 Forbidden" doesn't always mean forbidden.
Hit a locked admin panel? Don't walk away β try these path tricks first:
Servers parse paths differently than WAFs filter them. That mismatch = your way in.
Bonus move:
Some reverse proxies trust this header blindly. 200 OK where there should've been a wall.
β οΈ Always test on scope you're authorized for. This is recon, not a free pass.
π¬ Drop a like if you've ever bypassed a 403 like this in the wild.
---
"403 Forbidden" doesn't always mean forbidden.
Hit a locked admin panel? Don't walk away β try these path tricks first:
/admin β 403
/admin/. β 200 β
//admin// β 200 β
/./admin/./ β 200 β
/admin/.;/ β 200 β
/admin%20 β try it
Servers parse paths differently than WAFs filter them. That mismatch = your way in.
Bonus move:
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin
Some reverse proxies trust this header blindly. 200 OK where there should've been a wall.
β οΈ Always test on scope you're authorized for. This is recon, not a free pass.
π¬ Drop a like if you've ever bypassed a 403 like this in the wild.
---
β€6π5π₯5
π¨ Bug Bounty Tip: Password Reset Race Condition
Many applications generate a password reset token but fail to invalidate it when critical account details change. This can create a dangerous account takeover scenario.
Test Flow:
1οΈβ£ Request a password reset for your account.
2οΈβ£ Do not use the reset link yet.
3οΈβ£ Log in normally using your current password.
4οΈβ£ Change your email address (or another identifier linked to password recovery).
5οΈβ£ Now open the old password reset link you received before the email change.
π₯ Potential Finding:
If the old reset token still resets the password after the email change, the application isn't invalidating previously issued reset tokens. An attacker with access to an older reset email could still take over the account even after the user updates their recovery email.
What to Verify:
β’ Is the old token still valid after changing the email?
β’ Does the reset affect the current account owner?
β’ Are all existing reset tokens revoked after sensitive account changes?
β’ Does changing the password or email invalidate outstanding reset links?
π― Impact: High (Account Takeover) if an attacker can obtain or intercept an old password reset email.
Always test only on accounts you own or are explicitly authorized to assess.
Many applications generate a password reset token but fail to invalidate it when critical account details change. This can create a dangerous account takeover scenario.
Test Flow:
1οΈβ£ Request a password reset for your account.
2οΈβ£ Do not use the reset link yet.
3οΈβ£ Log in normally using your current password.
4οΈβ£ Change your email address (or another identifier linked to password recovery).
5οΈβ£ Now open the old password reset link you received before the email change.
π₯ Potential Finding:
If the old reset token still resets the password after the email change, the application isn't invalidating previously issued reset tokens. An attacker with access to an older reset email could still take over the account even after the user updates their recovery email.
What to Verify:
β’ Is the old token still valid after changing the email?
β’ Does the reset affect the current account owner?
β’ Are all existing reset tokens revoked after sensitive account changes?
β’ Does changing the password or email invalidate outstanding reset links?
π― Impact: High (Account Takeover) if an attacker can obtain or intercept an old password reset email.
Always test only on accounts you own or are explicitly authorized to assess.
β€4π1
An anonymous GitHub account has begun releasing proof-of-concepts for exploits framed as undisclosed zero-days, accompanied by a note instructing readers to report the findings and claim credit for the associated CVEs themselves. π‘οΈπ
https://github.com/bikini/exploitarium π
https://github.com/bikini/exploitarium π
π4π₯4β€1
π¨ CVE-2026-20230: Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition Server-Side Request Forgery (SSRF)
Critical Vulnerability Alert!
Cisco Unified Communications Manager is affected by CVE-2026-20230.
Full Vulnerability Details & Analysis at DarkEye:
π https://darkeye.org/vuln/cve/CVE-2026-20230
π Identify Targets via ZoomEye:
Filter: vul.cve="CVE-2026-20230"
Search Dork: app="Cisco Unified Communications Manager"
Exposure: 5k instances identified globally.
ZoomEye Search Link:
π https://www.zoomeye.ai/searchResult?q=YXBwPSJDaXNjbyBVbmlmaWVkIENvbW11bmljYXRpb25zIE1hbmFnZXIi&t=all&utm_source=telegram&utm_medium=community&utm_campaign=cve_ops_20260626
Critical Vulnerability Alert!
Cisco Unified Communications Manager is affected by CVE-2026-20230.
Full Vulnerability Details & Analysis at DarkEye:
π https://darkeye.org/vuln/cve/CVE-2026-20230
π Identify Targets via ZoomEye:
Filter: vul.cve="CVE-2026-20230"
Search Dork: app="Cisco Unified Communications Manager"
Exposure: 5k instances identified globally.
ZoomEye Search Link:
π https://www.zoomeye.ai/searchResult?q=YXBwPSJDaXNjbyBVbmlmaWVkIENvbW11bmljYXRpb25zIE1hbmFnZXIi&t=all&utm_source=telegram&utm_medium=community&utm_campaign=cve_ops_20260626
β€1π1
βΊοΈYour support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars β to help me keep going.
π¬ For queries, message me on Telegram: @wtf_brut
π For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
π¬ For queries, message me on Telegram: @wtf_brut
π For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
Telegram
Saumadip Mandal
Founder & Mentor of Brut Security
π7β€2
π Detailed Bug Bounty Tip: Publicly Exposed Firebase Config β Unauthorized Data Uploads
Found a juicy misconfiguration during a recon phase!
### Vulnerability:
Many web/mobile apps use Firebase Realtime Database (Google) and leave the configuration exposed in client-side JavaScript or source code. When the database security rules are not properly set (often left as default "true" for testing), anyone can read and write data without authentication.
This leads to unauthorized data injection, tampering, or even full database takeover.
### How to Test:
1. Hunt for Firebase config in JS files, source code, or APK (look for
2. Identify the database URL (usually `https://<project-id>.firebaseio.com`)
3. Test write access with a simple PUT request
### Exploitation Command:
Replace
Proof of Concept Result:
The database accepted the PUT request and stored the attacker-controlled JSON data.
### Impact:
- Data pollution / poisoning
- Injecting malicious content (e.g., XSS payloads, fake user data, phishing links)
- Potential account takeover or business logic abuse depending on how the app uses the data
- In severe cases β complete database compromise
### How to Report & Fix (for devs):
- Set proper Firebase Realtime Database Security Rules (deny read/write by default)
- Use Firebase Authentication
- Avoid exposing sensitive config in client-side code when possible
- Use Firestore with stricter rules instead (if applicable)
Pro Tip: Always check
#BugBounty #BugBountyTips #Firebase #WebAppSec #HackerOne #Bugcrowd #Pentesting #CyberSecurity
Found a juicy misconfiguration during a recon phase!
### Vulnerability:
Many web/mobile apps use Firebase Realtime Database (Google) and leave the configuration exposed in client-side JavaScript or source code. When the database security rules are not properly set (often left as default "true" for testing), anyone can read and write data without authentication.
This leads to unauthorized data injection, tampering, or even full database takeover.
### How to Test:
1. Hunt for Firebase config in JS files, source code, or APK (look for
firebaseConfig, apiKey, databaseURL, projectId etc.)2. Identify the database URL (usually `https://<project-id>.firebaseio.com`)
3. Test write access with a simple PUT request
### Exploitation Command:
curl -X PUT "https://your-project-id.firebaseio.com/poc.json" \
-d '{"POC": "Successful upload by Bug Hunter", "timestamp": "2026"}'
Replace
your-project-id with the actual one. If successful, you'll be able to inject arbitrary data into the database.Proof of Concept Result:
The database accepted the PUT request and stored the attacker-controlled JSON data.
### Impact:
- Data pollution / poisoning
- Injecting malicious content (e.g., XSS payloads, fake user data, phishing links)
- Potential account takeover or business logic abuse depending on how the app uses the data
- In severe cases β complete database compromise
### How to Report & Fix (for devs):
- Set proper Firebase Realtime Database Security Rules (deny read/write by default)
- Use Firebase Authentication
- Avoid exposing sensitive config in client-side code when possible
- Use Firestore with stricter rules instead (if applicable)
Pro Tip: Always check
.js files and network tab for firebaseio.com during recon. Many programs pay well for this!#BugBounty #BugBountyTips #Firebase #WebAppSec #HackerOne #Bugcrowd #Pentesting #CyberSecurity
β€9π6
This media is not supported in your browser
VIEW IN TELEGRAM
π21πΏ3β€1
π‘οΈ Bug Bounty Tip: Test IDOR + Web Cache Deception Together
When hunting IDORs, always check for web cache deception on the same endpoints:
1. As User A, access a sensitive resource like
2. As User B, repeat the exact same URL with identical headers.
3. Only change the Cookie/Auth token.
If User B receives User A's 200 OK response from cache β you've likely found a critical vulnerability!
This combo can lead to account takeover-level impacts.
#BugBounty #AppSec #WebSecurity #IDOR #Pentesting
When hunting IDORs, always check for web cache deception on the same endpoints:
1. As User A, access a sensitive resource like
/api/invoices/123 (also try appending .css or `.js`).2. As User B, repeat the exact same URL with identical headers.
3. Only change the Cookie/Auth token.
If User B receives User A's 200 OK response from cache β you've likely found a critical vulnerability!
This combo can lead to account takeover-level impacts.
#BugBounty #AppSec #WebSecurity #IDOR #Pentesting
β€12π4π₯1
Forwarded from Brut Security 2.0
This media is not supported in your browser
VIEW IN TELEGRAM
π΄ Another serious security vulnerability has been discovered in Redis 8.8.0, and no POC has been released yet for this bidirectional RCE found by v12sec.
β€6π₯3
This media is not supported in your browser
VIEW IN TELEGRAM
π₯TORLINK: A torrent finder that runs right from your terminal with zero setup and nothing to configure.
One search checks a small curated list of sources at once. Pick what you want, and it downloads directly to your computer.
GitHub: https://github.com/baairon/torlink
One search checks a small curated list of sources at once. Pick what you want, and it downloads directly to your computer.
GitHub: https://github.com/baairon/torlink
β€6π1