
Posts by 0xacb

If you're pentesting and the scope includes CI/CD, it's always worth checking what the runners can access. Build servers may have deploy keys, cloud credentials, and production secrets available as environment variables.

3 days ago

Even without path traversal, many CI/CDs let pipeline configs reference scripts, pull artifacts, or set env vars. If an attacker can modify the pipeline (through a PR, a compromised dependency, or a writable config), the build server executes what they want with whatever credentials the runner has.

3 days ago

With AFW, you can create a cronjob, /etc/ld.so.preload, __init__.py, a shell profile etc, and you may be able to have RCE. I've seen some isolated for outbound, so doing a "sleep 100" is always worth it for blind RCE.

3 days ago

CI/CD pipelines provide a lot of juicy attack surface.

One common pattern: a build system lets you specify an output path for artifacts. If that path isn't sanitized, a ../ sequence lets you write files anywhere on the build server.

3 days ago
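The artifact output path bug in the thread above, as an added example (my own code, not from the thread or any particular build system): a naive join lets a `../` sequence, or an absolute path, put the artifact anywhere the runner can write, while the hardened resolver confines the result to the artifact root. The root directory and the payload list are constructed for illustration.

```python
import os

# Constructed stand-in for a build server's artifact store (hypothetical path).
ARTIFACT_ROOT = "/srv/artifacts"


def vulnerable_artifact_path(root: str, user_path: str) -> str:
    """How a naive build system resolves a user-supplied output path.

    os.path.join() does not reject '..' and, when user_path is absolute,
    discards root entirely. normpath() just shows where the write lands.
    """
    return os.path.normpath(os.path.join(root, user_path))


def safe_artifact_path(root: str, user_path: str) -> str:
    """Resolve the requested path and refuse anything outside root.

    realpath() collapses '..' and follows symlinks, so a symlink planted
    inside root that points outside is caught as well. commonpath() avoids
    the string-prefix pitfall ('/srv/artifacts' vs '/srv/artifacts-old').
    """
    if os.path.isabs(user_path):
        raise ValueError(f"absolute artifact path rejected: {user_path!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"artifact path escapes root: {user_path!r}")
    return candidate


def is_confined(root: str, user_path: str) -> bool:
    """True if the hardened resolver accepts user_path."""
    try:
        safe_artifact_path(root, user_path)
        return True
    except ValueError:
        return False


# Constructed payloads an attacker might put in a pipeline's artifact path.
PAYLOADS = [
    "build/app.tar.gz",             # legitimate
    "../../etc/cron.d/backdoor",    # traversal to a cron drop-in
    "/etc/ld.so.preload",           # absolute path: join() discards root
    "build/../../../root/.bashrc",  # traversal hidden behind a real subdir
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:32} naive -> {vulnerable_artifact_path(ARTIFACT_ROOT, p)!r:34} "
              f"confined? {is_confined(ARTIFACT_ROOT, p)}")
```

The check is done on the resolved path, not on the string the user sent, so URL-encoded or doubled `..` sequences that a decoder upstream turns back into traversal are handled the same way. It does not protect against a symlink created between the check and the write; keep artifact stores on a filesystem the job cannot symlink into.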
GitHub - mrexodia/ida-pro-mcp: AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.
6 days ago

We still have deterministic tools to detect these, like Angr, which can also solve how to reach a specific function in specific cases, but LLMs can reason about context, where data comes from and how it flows, which makes them faster and complementary for larger binaries or libraries.

6 days ago

Here's what I usually ask:

- Find unsafe memory operations like strcpy, memcpy and check for overflows
- How to reach the vulnerable function?
- Build a simple PoC to attempt to trigger it (or generate fuzzing inputs)

6 days ago

Reverse engineering MCPs like IDA Pro MCP or Ghidra MCP are really powerful to find memory corruption 0days or reversing CVEs.

6 days ago
A couple more common OAuth 2.0 vulnerabilities TL;DR The couple of bugs described below are common across different OAuth 2.0 implementations. The bugs may allow a malicious application to maintain an access to victim's account even after access revocation performed by the victim.

Race conditions in OAuth flows can still happen in custom implementations.

Tools like Turbo Intruder or even a simple multi-threaded script sending concurrent requests to the callback URL with different tokens may trigger it.

Further reading here:

1 week ago
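The race condition the post above describes, reduced to a runnable model as an added example (my own code, not from the linked article or any real authorization server): a custom implementation that checks an authorization code, does some work, and only then marks it used will mint one access token per concurrent request, while consuming the code atomically up front leaves one winner. The code value, user name and delay are constructed; the thread barrier plays the role of Turbo Intruder's single-packet style release.

```python
import itertools
import threading
import time

# Constructed: one authorization code bound to one user (hypothetical values).
SEED_CODES = {"code-7f3a": "alice"}
_token_seq = itertools.count(1)


class RacyCodeStore:
    """Single-use check done as check-then-act with work in between.

    Every concurrent exchange that passes 'code in codes' before the first
    caller deletes it gets its own access token.
    """

    def __init__(self):
        self.codes = dict(SEED_CODES)

    def exchange(self, code):
        if code not in self.codes:
            return None
        user = self.codes[code]
        time.sleep(0.05)            # constructed stand-in for DB lookups / signing
        self.codes.pop(code, None)  # marked used only after the work is done
        return f"tok-{user}-{next(_token_seq)}"


class AtomicCodeStore(RacyCodeStore):
    """Consume the code atomically before doing any work.

    The lock around pop() models a conditional write such as
    'UPDATE codes SET used=1 WHERE code=? AND used=0' plus a check of the
    affected-row count: whoever wins consumes the code, everyone else sees None.
    """

    def __init__(self):
        super().__init__()
        self._lock = threading.Lock()

    def exchange(self, code):
        with self._lock:
            user = self.codes.pop(code, None)
        if user is None:
            return None
        time.sleep(0.05)
        return f"tok-{user}-{next(_token_seq)}"


def race_exchange(store, code, threads=8):
    """Release `threads` exchanges at the same instant and return the tokens
    that were actually minted."""
    gate = threading.Barrier(threads)
    results, results_lock = [], threading.Lock()

    def worker():
        gate.wait()                 # all threads leave the barrier together
        token = store.exchange(code)
        with results_lock:
            results.append(token)

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return [tok for tok in results if tok is not None]


if __name__ == "__main__":
    print("racy  :", race_exchange(RacyCodeStore(), "code-7f3a"))
    print("atomic:", race_exchange(AtomicCodeStore(), "code-7f3a"))
```

Against a real target the same shape applies to refresh-token rotation and to revocation endpoints: fire the concurrent batch at the callback or token endpoint and count how many distinct tokens come back. Over the network the window is the server's own processing time, so send the requests as close together as the tooling allows.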
GitHub - Sicks3c/hackerone-mcp-server: Unofficial MCP server for accessing your HackerOne reports, programs, scope, and earnings from Claude Code.

Hackerone MCP Server (unofficial).

An MCP server that gives you quick access to your HackerOne reports, programs, earnings, and scope data.

Very useful tool by @OriginalSicksec for anyone that's automating bug bounty hunting.

GitHub repo 👇

1 week ago
Trailing Danger: exploring HTTP Trailer parsing discrepancies

Super cool work by @s3bsrt

HTTP trailers can be a blind spot. Proxies usually ignore them, but backend servers will happily merge them into the main headers, letting you sneak payloads right past security filters.

Blog link 👇

3 weeks ago
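The proxy/backend discrepancy the post above points at, shown on a constructed request as an added example (my own code, not from the linked research): a chunked POST carries `X-Forwarded-For` only in the trailer section, a front end that filters the header section sees nothing to strip, and a backend that folds trailers into its header map ends up trusting the smuggled value. The field names, the "forbidden in trailers" list (an illustrative subset of RFC 9110's categories) and the request bytes are all constructed.

```python
# Constructed request: X-Forwarded-For appears only after the last chunk.
RAW_REQUEST = (
    b"POST /admin/login HTTP/1.1\r\n"
    b"Host: app.internal\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Trailer: X-Forwarded-For\r\n"
    b"\r\n"
    b"b\r\n"
    b"user=admin&\r\n"
    b"7\r\n"
    b"pw=hunt\r\n"
    b"0\r\n"
    b"X-Forwarded-For: 127.0.0.1\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Illustrative subset of fields RFC 9110 says must not be sent as trailers
# (framing, routing, authentication, content handling).
NEVER_FROM_TRAILER = {"transfer-encoding", "content-length", "host",
                      "authorization", "cookie", "content-type", "trailer"}


def _parse_fields(lines):
    fields = {}
    for line in lines:
        name, _, value = line.partition(b":")
        fields[name.decode().strip().lower()] = value.decode().strip()
    return fields


def parse_chunked_request(raw: bytes):
    """Split a chunked HTTP/1.1 request into (request line, headers, body, trailers)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    head_lines = head.split(b"\r\n")
    request_line = head_lines[0].decode()
    headers = _parse_fields(head_lines[1:])

    body, pos = bytearray(), 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:                                 # last-chunk
            break
        body += rest[pos:pos + size]
        pos += size + 2                               # chunk data + its CRLF

    trailer_lines = []
    while True:
        eol = rest.index(b"\r\n", pos)
        line, pos = rest[pos:eol], eol + 2
        if not line:                                  # empty line ends the trailers
            break
        trailer_lines.append(line)
    return request_line, headers, bytes(body), _parse_fields(trailer_lines)


def proxy_view(headers, trailers):
    """A front end that sanitises the header section and never looks at trailers."""
    return {k: v for k, v in headers.items() if k != "x-forwarded-for"}


def backend_view(headers, trailers, strict=False):
    """A backend that folds trailers into its header map.

    strict=False is the merge-everything behaviour that creates the gap;
    strict=True at least refuses fields that must not arrive as trailers.
    """
    merged = dict(headers)
    for k, v in trailers.items():
        if strict and k in NEVER_FROM_TRAILER:
            continue
        merged[k] = v
    return merged


if __name__ == "__main__":
    req, hdrs, body, trl = parse_chunked_request(RAW_REQUEST)
    print(req, body)
    print("proxy sees  :", proxy_view(hdrs, trl))
    print("backend sees:", backend_view(hdrs, trl))
```

Note that the strict backend still accepts the smuggled `X-Forwarded-For`: it is a legitimate trailer by the RFC's rules. The fix for the discrepancy is to make both hops agree, either by having the proxy strip or inspect trailers too, or by having the backend never merge a trailer field that the front end is responsible for setting.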
GitHub - s0md3v/Arjun: HTTP parameter discovery suite.

Find hidden API parameters in seconds, not hours. 

Arjun scans 25,890 parameter names with just 50-60 requests in under 10 seconds.

3 weeks ago
GitHub - bee-san/RustScan: 🤖 The Modern Port Scanner 🤖

Scanning 65,000 ports in just a few seconds with the power of Rust! 🦀

4 weeks ago
SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL Welcome back! As we near the end of 2025, we are, of course, waiting for the next round of SSLVPN exploitation to occur in January (as it did in 2024 and 2025). Weeeeeeeee. Before then, we want to clear the decks and see how much research we can publish. This

WontFix can be an RCE Goldmine

SOAPwn by chudyPB

#5 in PortSwigger Web Hacking Techniques of 2025

Blog link 👇

4 weeks ago
Cross-Site ETag Length Leak | XS-Spin Blog A novel XS-Leak technique that turns ETag length differences into a cross-site oracle via 431 errors and History API.

The ETag Oracle

Cross-Site ETag Length Leak by @arkark_

This technique weaponizes 1-byte ETag length variations to trigger 431 header overflows, detectable via Chromium's history API.

Blog here👇

4 weeks ago
XSS-Leak: Leaking Cross-Origin Redirects In this post, I will introduce XSS-Leak (“Cross-Site-Subdomain Leak”), a technique for Chromium-based browsers that leaks cross-origin redirects, …

A really nice Cross-Site Leak writeup by salvatoreabello

If you're a client-side hacker, you'll love having this in your arsenal, because it relies on browser architecture. Since Google marked it "WAI", this vector is still open.

Blog 👇

1 month ago
upCTF

I may have organized a challenge (or two) for upCTF by @xstf_team, starting in 14 hours!

Register now for a chance to win cool prizes 🥷

1 month ago
Youssef Sammouda (sam0) personal blog The goal of this blog is to share write-ups about bugs i have found in Facebook and reported to them under the Facebook bug bounty program.

This blog site of @samm0uda is a treasure trove of everything Meta (Facebook, Instagram, Oculus) hacking 👇

1 month ago
Black Hat USA 2025 | Lost in Translation: Exploiting Unicode Normalization As web applications evolve, so do their data processing pipelines—handling Unicode normalization, encoding, and translation before storing or executing user ...

Lost in Translation: Exploiting Unicode Normalization

With this research, ryancbarnett and 4ng3lhacker added another layer of understanding to this area. They introduced a lot of very interesting techniques.

Check it out 👇

1 month ago
Playing with HTTP/2 CONNECT - Flomb Blog In HTTP/1, the CONNECT method instructs a proxy to establish a TCP tunnel to a requested target. Once the tunnel is up, the proxy blindly forwards raw traffic in both directions. This mechanism is most commonly used to tunnel TLS traffic through forwarding proxies. While digging through the HTTP/2 s...

Playing with HTTP/2 CONNECT by @fl0mb.bsky.social 

This research explores how HTTP/2 CONNECT can be utilized for port scanning. It may also bypass traditional network inspection tools, which opens up a lot of possibilities.

Check the blog👇

1 month ago
The ultimate beginner’s guide to Android hacking | @Bugcrowd These are the droids you’re looking for.

Many people overlook Android hacking due to the challenges associated with configuring emulators and proxies.

Thankfully, there's a comprehensive guide from @bugcrowd.com that walks you through the setup process.

1 month ago

Tired of hitting 403 errors during your security testing? 

NoMore403 by @devploit automates bypass techniques to get past those pesky restrictions. 

Try it at 👇
github.com/devploit/nomore403

1 month ago
GitHub - jthack/cewlai: ai-based domain name generation.

CewlAI by @rez0__ takes your domains, learns the naming patterns, and generates new variations using Gemini, OpenAI, WhiteRabbitNeo, or a local Ollama model.

It's great to expand recon and improve permutations👇

1 month ago
GitHub - spaceraccoon/vulnerability-spoiler-alert-action: GitHub Action to alert on security patches before the CVE drops.

Vulnerability Spoiler Alert Action by @spaceraccoonsec

It monitors repositories and uses Claude to detect patching of security vulns. This early warning can give security teams more time to patch before the CVE drops.

GitHub repo👇

1 month ago
Hackian and the Ghosts in Your Business Logic: When Your App’s Rules Are the Real Vulnerability | Ethiack — Autonomous Ethical Hacking for continuous security Hackian managed to exploit app rules logic in SonarQube by simply thinking outside the box - and got access to projects it wasn't supposed to. Curious? Read the full article.

Hackian uncovered interesting business logic flaws in SonarQube and n8n.

Blog post by @pcuco92👇

1 month ago

Replace "cross-site-scripting" with any other vulnerability type and your feed will be updated each time someone publishes an article with that tag.

Then, you can also combine this with AI/n8n etc to classify a post as interesting/novel and post to a Discord webhook, so you get notified about it.

1 month ago

Did you know that you can subscribe to topics using RSS on Medium?

For example, if you want to receive updates about cross-site scripting, simply use this link: 

https://medium[.]com/feed/tag/cross-site-scripting

1 month ago
GitHub - projectdiscovery/asnmap: Go CLI and Library for quickly mapping organization network ranges using ASN information.
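The feed-to-webhook pipeline sketched in the two posts above, as an added example (my own code, not from the posts): pull a Medium tag feed, drop items already seen, triage what is left, and build the Discord webhook body. The feed XML is constructed to mimic the tag feed's shape, the keyword triage is a placeholder for the AI/n8n classifier the post mentions, and nothing is sent over the network when run as-is.

```python
import json
import xml.etree.ElementTree as ET
from urllib.request import urlopen  # used only by fetch_feed(), not by the offline demo

FEED_URL_TEMPLATE = "https://medium.com/feed/tag/{tag}"

# Constructed feed standing in for what the Medium tag feed returns.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Cross Site Scripting on Medium</title>
    <item>
      <title>DOM XSS via postMessage in a payment widget</title>
      <link>https://medium.com/@example/dom-xss-postmessage-1</link>
      <guid>https://medium.com/p/1</guid>
    </item>
    <item>
      <title>Weekly roundup: 10 security links</title>
      <link>https://medium.com/@example/roundup-2</link>
      <guid>https://medium.com/p/2</guid>
    </item>
    <item>
      <title>Bypassing a CSP with a JSONP endpoint</title>
      <link>https://medium.com/@example/csp-jsonp-3</link>
      <guid>https://medium.com/p/3</guid>
    </item>
  </channel>
</rss>"""


def fetch_feed(tag: str, timeout: int = 15) -> bytes:
    """Live fetch of one tag feed; the demo below uses SAMPLE_FEED instead."""
    with urlopen(FEED_URL_TEMPLATE.format(tag=tag), timeout=timeout) as resp:
        return resp.read()


def parse_feed(xml_bytes: bytes) -> list:
    """Return one dict per <item> with title, link and a stable guid."""
    root = ET.fromstring(xml_bytes)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "guid": (item.findtext("guid") or item.findtext("link") or "").strip(),
        })
    return items


def is_interesting(item: dict, keywords) -> bool:
    """Cheap keyword triage; an LLM or n8n classifier would replace this."""
    title = item["title"].lower()
    return any(k in title for k in keywords)


def discord_payload(item: dict) -> dict:
    """JSON body for POST <webhook_url> (Content-Type: application/json)."""
    return {"content": f"New post: {item['title']}\n{item['link']}"}


def new_payloads(xml_bytes, seen_guids, keywords=("xss", "csp", "dom", "bypass")):
    """Return (webhook payloads to send, updated seen set).

    seen_guids is the state persisted between runs so each post notifies once.
    """
    seen = set(seen_guids)
    payloads = []
    for item in parse_feed(xml_bytes):
        if item["guid"] in seen:
            continue
        seen.add(item["guid"])
        if is_interesting(item, keywords):
            payloads.append(discord_payload(item))
    return payloads, seen


if __name__ == "__main__":
    payloads, seen = new_payloads(SAMPLE_FEED, set())
    for p in payloads:
        print(json.dumps(p))
    print(f"{len(seen)} guids now marked seen")
```

Persist the seen set (a small JSON file is enough) and run this on a timer; the webhook URL is a secret, so keep it out of the script and read it from the environment when you add the actual POST.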

ASN/CIDR lookups are massively underrated for recon.

Start with a company name. Find all their assets. Get instant ASN to CIDR lookups, IP/DNS/ORG resolution, and JSON/CSV output 👇

1 month ago
Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents | Johann Rehberger | HackAICon 2025. Read the complete article: https://ethiack.com/news/blog/agentic-problems-and-zombie-ai Follow Johann Rehberger: https://x.com/wunderwuzzi23 https://embracethere...

Agentic ProbLLMs: Exploiting AI Computer-use and Coding Agents - by @wunderwuzzi23

1 month ago