Brut Security
15.9K subscribers
1.05K photos
90 videos
298 files
1.14K links
βœ…DM: @wtf_brut
πŸ›ƒWhatsApp: https://wa.link/brutsecurity
🈴Training: https://brutsecurity.com
πŸ“¨Mail: info@brutsec.com
Download Telegram
A tool to find open S3 buckets in AWS or other cloud providers:

- AWS
- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway
- Custom

Source: https://github.com/sa7mon/s3scanner
πŸ”₯7❀4πŸ‘4
🚨 10 coupon codes available for the Brut Offensive Playbook V1 β€” full Web App Bug Bounty Methodology (59 pages, 20 chapters).

πŸ₯³First 10 people to reply "PLAYBOOK" get a code. Once they're claimed, offer's closed.

❀️ https://topmate.io/saumadip/2054509
Please open Telegram to view this post
VIEW IN TELEGRAM
❀1πŸ‘1
🚨Nobody owes you a cybersecurity job in 2026.

You've done 10 courses. You have zero projects. You're wondering why no one's calling back.

The industry has 4.8M+ unfilled roles globally β€” and you're still unemployed. That's not bad luck. That's a bad strategy.

In this article we break down exactly what's broken in how beginners are approaching cybersecurity careers right now β€” and the 7 steps that actually get you hired in 2026:

▢️ https://brutsecurity.medium.com/nobody-owes-you-a-cybersecurity-job-in-2026-heres-how-to-earn-one-anyway-a259005275a1

No fluff. No "just get certified." Just what actually works.

πŸŽ“ Want to build the skills this article talks about? Brut Practical Web Pentesting is open for enrollment β€” link in bio / website.

#CyberSecurity #InfoSec #CareerAdvice #PenTesting #BrutSecurity
Please open Telegram to view this post
VIEW IN TELEGRAM
❀5πŸ”₯2πŸ™2πŸ‘1
Brut Security pinned «🚨Nobody owes you a cybersecurity job in 2026. You've done 10 courses. You have zero projects. You're wondering why no one's calling back. The industry has 4.8M+ unfilled roles globally β€” and you're still unemployed. That's not bad luck. That's a bad strategy.…»
This media is not supported in your browser
VIEW IN TELEGRAM
How to manually check for CL.TE Request Smuggling Vulnerabilities:

1️⃣ See if a GET request accepts POST
2️⃣ See if it accepts HTTP/1
3️⃣ Disable "Update Content-Length"
4️⃣ Send with CL & TE headers:
POST / HTTP/1.1
Host: <HOST-URL>
Content-Length: 6
Transfer-Encoding: chunked

0

G

5️⃣ Send request twice.

If you receive a response like "Unrecognized method GPOST", you've just confirmed a CL.TE vulnerability!

Try this out for yourself in our CL.TE lab:
https://portswigger.net/web-security/request-smuggling/lab-basic-cl-te
❀9πŸ‘5πŸ”₯4
☺️Your support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars ⭐ to help me keep going.

πŸ’¬ For queries, message me on Telegram: @wtf_brut
πŸŽ“ For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
1❀11πŸ‘¨β€πŸ’»1
πŸ”₯ BRUT SECURITY β€” DAILY PENTEST DROP πŸ”₯

"403 Forbidden" doesn't always mean forbidden.

Hit a locked admin panel? Don't walk away β€” try these path tricks first:

/admin          β†’ 403
/admin/. β†’ 200 βœ…
//admin// β†’ 200 βœ…
/./admin/./ β†’ 200 βœ…
/admin/.;/ β†’ 200 βœ…
/admin%20 β†’ try it


Servers parse paths differently than WAFs filter them. That mismatch = your way in.

Bonus move:
GET /anything HTTP/1.1
Host: target.com
X-Original-URL: /admin

Some reverse proxies trust this header blindly. 200 OK where there should've been a wall.

⚠️ Always test on scope you're authorized for. This is recon, not a free pass.

πŸ’¬ Drop a like if you've ever bypassed a 403 like this in the wild.

---
❀6πŸ‘5πŸ”₯5
Old Days...
❀18😁4
🚨 Bug Bounty Tip: Password Reset Race Condition

Many applications generate a password reset token but fail to invalidate it when critical account details change. This can create a dangerous account takeover scenario.

Test Flow:
1️⃣ Request a password reset for your account.
2️⃣ Do not use the reset link yet.
3️⃣ Log in normally using your current password.
4️⃣ Change your email address (or another identifier linked to password recovery).
5️⃣ Now open the old password reset link you received before the email change.

πŸ’₯ Potential Finding:
If the old reset token still resets the password after the email change, the application isn't invalidating previously issued reset tokens. An attacker with access to an older reset email could still take over the account even after the user updates their recovery email.

What to Verify:
β€’ Is the old token still valid after changing the email?
β€’ Does the reset affect the current account owner?
β€’ Are all existing reset tokens revoked after sensitive account changes?
β€’ Does changing the password or email invalidate outstanding reset links?

🎯 Impact: High (Account Takeover) if an attacker can obtain or intercept an old password reset email.

Always test only on accounts you own or are explicitly authorized to assess.
❀4πŸ‘1
An anonymous GitHub account has begun releasing proof-of-concepts for exploits framed as undisclosed zero-days, accompanied by a note instructing readers to report the findings and claim credit for the associated CVEs themselves. πŸ›‘οΈπŸ“

https://github.com/bikini/exploitarium πŸ”—
πŸ‘4πŸ”₯4❀1
🚨 CVE-2026-20230: Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition Server-Side Request Forgery (SSRF)

Critical Vulnerability Alert!
Cisco Unified Communications Manager is affected by CVE-2026-20230.

Full Vulnerability Details & Analysis at DarkEye:
πŸ”— https://darkeye.org/vuln/cve/CVE-2026-20230

πŸ” Identify Targets via ZoomEye:

Filter: vul.cve="CVE-2026-20230"
Search Dork: app="Cisco Unified Communications Manager"
Exposure: 5k instances identified globally.

ZoomEye Search Link:
πŸ‘‰ https://www.zoomeye.ai/searchResult?q=YXBwPSJDaXNjbyBVbmlmaWVkIENvbW11bmljYXRpb25zIE1hbmFnZXIi&t=all&utm_source=telegram&utm_medium=community&utm_campaign=cve_ops_20260626
❀1πŸ‘1
☺️Your support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars ⭐ to help me keep going.

πŸ’¬ For queries, message me on Telegram: @wtf_brut
πŸŽ“ For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
πŸ‘7❀2
πŸ” Detailed Bug Bounty Tip: Publicly Exposed Firebase Config β†’ Unauthorized Data Uploads

Found a juicy misconfiguration during a recon phase!

### Vulnerability:
Many web/mobile apps use Firebase Realtime Database (Google) and leave the configuration exposed in client-side JavaScript or source code. When the database security rules are not properly set (often left as default "true" for testing), anyone can read and write data without authentication.

This leads to unauthorized data injection, tampering, or even full database takeover.

### How to Test:
1. Hunt for Firebase config in JS files, source code, or APK (look for firebaseConfig, apiKey, databaseURL, projectId etc.)
2. Identify the database URL (usually `https://<project-id>.firebaseio.com`)
3. Test write access with a simple PUT request

### Exploitation Command:
curl -X PUT "https://your-project-id.firebaseio.com/poc.json" \
-d '{"POC": "Successful upload by Bug Hunter", "timestamp": "2026"}'


Replace your-project-id with the actual one. If successful, you'll be able to inject arbitrary data into the database.

Proof of Concept Result:
The database accepted the PUT request and stored the attacker-controlled JSON data.

### Impact:
- Data pollution / poisoning
- Injecting malicious content (e.g., XSS payloads, fake user data, phishing links)
- Potential account takeover or business logic abuse depending on how the app uses the data
- In severe cases β†’ complete database compromise

### How to Report & Fix (for devs):
- Set proper Firebase Realtime Database Security Rules (deny read/write by default)
- Use Firebase Authentication
- Avoid exposing sensitive config in client-side code when possible
- Use Firestore with stricter rules instead (if applicable)

Pro Tip: Always check .js files and network tab for firebaseio.com during recon. Many programs pay well for this!

#BugBounty #BugBountyTips #Firebase #WebAppSec #HackerOne #Bugcrowd #Pentesting #CyberSecurity
❀9πŸ‘7
πŸ˜†πŸ˜†
❀1
πŸ›‘οΈ Bug Bounty Tip: Test IDOR + Web Cache Deception Together

When hunting IDORs, always check for web cache deception on the same endpoints:

1. As User A, access a sensitive resource like /api/invoices/123 (also try appending .css or `.js`).
2. As User B, repeat the exact same URL with identical headers.
3. Only change the Cookie/Auth token.

If User B receives User A's 200 OK response from cache β†’ you've likely found a critical vulnerability!

This combo can lead to account takeover-level impacts.

#BugBounty #AppSec #WebSecurity #IDOR #Pentesting
❀12πŸ‘4πŸ”₯1
Forwarded from Brut Security 2.0
This media is not supported in your browser
VIEW IN TELEGRAM
πŸ”΄ Another serious security vulnerability has been discovered in Redis 8.8.0, and no POC has been released yet for this bidirectional RCE found by v12sec.
❀7πŸ”₯3
This media is not supported in your browser
VIEW IN TELEGRAM
πŸ’₯TORLINK: A torrent finder that runs right from your terminal with zero setup and nothing to configure.

One search checks a small curated list of sources at once. Pick what you want, and it downloads directly to your computer.

GitHub: https://github.com/baairon/torlink
❀6πŸ‘1
This media is not supported in your browser
VIEW IN TELEGRAM
πŸ”₯ Chrome RCE PoC: CVE-2026-6307

A working renderer RCE Proof of Concept for CVE-2026-6307 β€” a V8 type-confusion bug (JS-to-Wasm deoptimization) patched in Chrome 147.0.7727.101.

βœ… Full primitives (addrof/fakeobj, out-of-cage, in-cage r/w)
βœ… No-ASLR RCE that patches JIT code to pop xcalc
βœ… Based on Nebula Security writeup
βœ… Heavily improved with frontier LLMs + human direction (4-day experiment)

This is renderer-only and still far from fully weaponized, but great for learning and research.

πŸ“₯ PoC + scripts:
https://github.com/0xsha/CVE-2026-6307

#Chrome #V8 #Exploit #CVE #SecurityResearch
❀3πŸ”₯2
☺️Your support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars ⭐ to help me keep going.

πŸ’¬ For queries, message me on Telegram: @wtf_brut
πŸŽ“ For course enrollment, reach out on WhatsApp: wa.link/brutsecurity
1❀5πŸ‘3