Burp MCP + Codex CLI
This guide shows how to connect Burp Suite MCP Server to Codex CLI so that Codex can reason directly on your real HTTP traffic — no API keys, no scanning, no fuzzing.
https://pentestbook.six2dez.com/others/burp#burp-mcp?codex-cli
Six2Dez
Burp Suite | Pentest Book
Burp MCP Agents
Practical setup guides and helpers to connect Burp Suite MCP Server to multiple AI backends
https://github.com/six2dez/burp-mcp-agents
Practical setup guides and helpers to connect Burp Suite MCP Server to multiple AI backends (Codex, Gemini, Ollama, ...). - six2dez/burp-mcp-agents
Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover
https://ysamm.com/uncategorized/2025/01/13/capig-xss.html
CodeBreach: Infiltrating the AWS Console Supply Chain and Hijacking AWS GitHub Repositories via CodeBuild
https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild
CodeBreach: Supply Chain Vuln & AWS CodeBuild Misconfig | Wiz Blog
Wiz Research discovered CodeBreach, a critical vulnerability that risked the AWS Console supply chain. Learn how to secure your AWS CodeBuild pipelines.
Multiple XSS in Meta Conversion API Gateway Leading to Zero-Click Account Takeover
https://ysamm.com/uncategorized/2026/01/13/capig-xss.html
Self-XSS in Facebook payments flow leads to Instagram and Facebook account takeovers
https://ysamm.com/uncategorized/2026/01/15/self-xss-facebook-payments.html
Datr cookie theft and AI leads to Facebook account takeover via trusted device recovery
https://ysamm.com/uncategorized/2026/01/15/steal-dtsg-cookie.html
Two-click Facebook account takeover via FXAuth token and blob theft
https://ysamm.com/uncategorized/2026/01/15/steal-fxauth-leads-instagram-ato.html
Multiple cross-site leaks disclosing Facebook users in third-party websites
https://ysamm.com/uncategorized/2026/01/16/cross-site-leaks.html
Instagram account takeover via Meta Pixel noscript abuse
https://ysamm.com/uncategorized/2026/01/16/leaking-fbevents-ato.html
Leaking Meta FXAuth Token leading to 2 click Account Takeover
https://ysamm.com/uncategorized/2026/01/16/leaking-fxauth-token.html
Youssef Sammouda (sam0) personal blog
Introduction FXAuth is Meta’s shared authentication system used across Facebook, Instagram, and Meta (Horizon / VR). It is used by Accounts Center for account linking, re-authentication, and sensitive action confirmation.
Account Takeover in Facebook mobile app due to usage of cryptographically unsecure random number generator and XSS in Facebook JS SDK
https://ysamm.com/uncategorized/2026/01/17/math-random-facebook-sdk.html
Iframe Sandbox Trick
Triggering Authentication Dialogs Without allow-popups
https://phor3nsic.github.io/2026/01/21/trick-iframe-sandbox.html
Phor3nsic Security Research
GatewayToHeaven: Finding a Cross-Tenant Vulnerability in GCP's Apigee
https://omeramiad.com/posts/gatewaytoheaven-gcp-cross-tenant-vulnerability/
GatewayToHeaven: Finding a Cross-Tenant Vulnerability in GCP's Apigee | Omer Amiad's Blog
A technical step-by-step writeup about finding CVE-2025-13292, a cross-tenant vulnerability in Google Cloud's Apigee. This vulnerability allowed an attacker to gain read/write access to verbose cross-tenant access logs and analytics data that could contain…
Evaluating and mitigating the growing risk of LLM-discovered 0-days
https://red.anthropic.com/2026/zero-days/
Forwarded from Android Security & Malware
Understanding and Experimenting with Apple's Pointer Authentication Codes (PAC) on iOS
https://blog.reversesociety.co/blog/2026/pointer-authentication-code-for-ios
TRUSTING CLAUDE WITH A KNIFE: UNAUTHORIZED PROMPT INJECTION TO RCE IN ANTHROPIC’S CLAUDE CODE ACTION
https://johnstawinski.com/2026/02/05/trusting-claude-with-a-knife-unauthorized-prompt-injection-to-rce-in-anthropics-claude-code-action/
John Stawinski IV
When does prompt injection matter? In the 2022-era of Large Language Models (LLMs), when I used ChatGPT only as an alternative to Google Search, prompt injection was not very impactful. That has ch…