zseano
@zseano
#1 Amazon Security Researcher. full time hacking team with @jonathanbouman @fransrosen @avlidienbrunn
another amazon event win :D had lots of fun with @JonathanBouman @fransrosen @avlidienbrunn , DREAM TEAM :)) can't wait for the next one!
28 researchers. 9 days. 45 valid critical or high severity issues uncovered. @amazon's first-ever In-Person Challenge brought together top security researchers to test its systems. A HackerOne Challenge is more than just a bug bounty—it’s an invite-only, time-bound offensive…
bug bounty industry is so fucking good these days… so many programs, good payouts, wide scopes. We are truly blessed 😇 get stuck in, there are bugs out there, and lots of them ! (And no AI isn’t close to replacing us, it’s helping us more than ever)
i have a big love hate relationship when it comes to bug bounties. i love it but i also fucking hate it
I know many of you aren’t fans of the new HackerOne dark mode. I’ve built a small Chrome extension to bring back the old look. There are still a few bugs (some purple elements remain), but I’ll be working on it more tonight. For now, it’s already a big improvement over the…
When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (@iangcarroll and I) discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the password "123456". ian.sh/mcdonalds
Sometimes the most illogical approach wins. XBOW discovered XSS in Salesforce Aura by testing aura.format=JSON - which counterintuitively returns text/html content type instead of JSON. The kind of discovery that comes from systematic testing without assumptions. Full hunt…
Today was my last day as a pentester at Bsecure, and it feels a bit surreal. After a three-year journey of hunting on the side, I’m finally ready to go all-in as a full-time bug bounty hunter. To celebrate this milestone, I've written an article sharing the full story. It’s a…
Nginx normalizes paths (/../, %2e, etc.) before applying access rules like: location = /admin { deny all; } But backends like Node.js or PHP handle decoding again, and differently. Requesting /;admin or /admin%2f..%2f might bypass Nginx’s block, but get normalized to /admin by…
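The parser differential described in the tweet above, as an added example that is not part of the original post or of nginx's own code: a simplified model of a front-end rule (decode once, resolve dot segments, case-sensitive exact match against /admin, as `location = /admin { deny all; }` does) beside a simplified model of a back-end router that decodes on its own, ignores trailing slashes and matches case-insensitively (the defaults of Express-style routers). Both models and the candidate paths are assumptions constructed for illustration, not nginx's or any framework's real parsing code; the `doubleDecode` flag stands in for an app that runs its decoder over an already-decoded value.

```javascript
// Percent-decode, but never throw on a malformed escape: keep the raw
// string instead, which is what most real servers do for bad input.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// RFC 3986 remove_dot_segments for an absolute path; a trailing slash survives.
function removeDotSegments(path) {
  const out = [];
  const segs = path.split("/");
  for (let i = 0; i < segs.length; i++) {
    const last = i === segs.length - 1;
    if (segs[i] === ".") {
      if (last) out.push("");
      continue;
    }
    if (segs[i] === "..") {
      if (out.length > 1) out.pop();
      if (last) out.push("");
      continue;
    }
    out.push(segs[i]);
  }
  return out.join("/");
}

// Simplified front-end (reverse-proxy) canonical form: strip the query,
// decode once, resolve /./ and /../. Case is preserved.
function frontendCanonical(rawUri) {
  return removeDotSegments(safeDecode(rawUri.split("?")[0]));
}

// The proxy rule: exact match on the canonical form, everything else passes.
function frontendAllows(rawUri) {
  return frontendCanonical(rawUri) !== "/admin";
}

// Simplified back-end router: it receives the untouched raw request line,
// decodes it itself (twice if doubleDecode is set), resolves dot segments,
// tolerates a trailing slash and matches case-insensitively.
function backendRoute(rawUri, opts = { doubleDecode: false }) {
  let p = safeDecode(rawUri.split("?")[0]);
  if (opts.doubleDecode) p = safeDecode(p);
  p = removeDotSegments(p);
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p.toLowerCase();
}

// Candidate requests passed through the proxy unchanged to the back-end
// (constructed sample input).
const CANDIDATES = [
  "/admin",
  "/admin/",
  "/ADMIN",
  "/%61dmin",
  "/%2561dmin",
  "/static/../admin",
  "/admin?x=1",
];

// A bypass is any raw URI the proxy lets through that the back-end still
// routes to /admin.
function findBypasses(candidates, opts) {
  return candidates.filter(
    (c) => frontendAllows(c) && backendRoute(c, opts) === "/admin"
  );
}

// Hardened variant: the component that actually serves the route enforces the
// deny on its own canonical form, so the proxy rule is defense in depth only.
function hardenedAllows(rawUri, opts) {
  return frontendAllows(rawUri) && backendRoute(rawUri, opts) !== "/admin";
}

function hardenedBypasses(candidates, opts) {
  return candidates.filter(
    (c) => hardenedAllows(c, opts) && backendRoute(c, opts) === "/admin"
  );
}

console.log("bypasses (single decode):", findBypasses(CANDIDATES));
console.log("bypasses (double decode):", findBypasses(CANDIDATES, { doubleDecode: true }));
console.log("bypasses with back-end enforcement:", hardenedBypasses(CANDIDATES, { doubleDecode: true }));
```

Under these models `/admin/` and `/ADMIN` reach the admin route without ever matching the proxy's exact rule, and `/%2561dmin` joins them only when the back-end decodes twice; the encoded and dot-segment forms the proxy does canonicalise are blocked as intended. The practical check is to list every URI shape the back-end folds onto the protected route and confirm the proxy folds the same shapes, or, as the hardened variant shows, to enforce the rule in the back-end on its own canonical form and treat the proxy rule as a second layer.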
Even mature products hide critical flaws – and @XBOW just found another one. CVE-2025-49493: XXE in Akamai CloudTest discovered during our climb to #1 on HackerOne. A complete technical breakdown from an error-based detection to a full exfiltration by @djurado9…
@rez0__ is right about hackbots. I've started to work on tailored AI Agents to expand coverage on specific bugs. But we will need tooling and sharing amongst researchers, so I'll try to document and share as I progress : ) First thing I wanted to do was to provide it access to…
Mikhail Khramenkov just contributed a new dangling markup vector on the latest Chrome. Live now on our XSS cheat sheet. Link to vector👇
My new research Escalation of Self-XSS to XSS using modern browser capabilities. blog.slonser.info/posts/make-sel…
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!