Disclosed. June 30, 2025: LLM-Powered Hacking, Xbow Tops HackerOne, and DEF CON 33 Speaker Reveals

The bug bounty world, curated.

Welcome to Disclosed.

Each week, 3 readers will win a 1-month PentesterLab Pro license, completely free. Refer a friend to the newsletter to enter.

Shout out to this week’s winners (I will email you):

skydesperados
vikasgupta.92155
tahirmisbahi000

PentesterLab is one of the best hands-on platforms for learning web security, with real-world vulnerabilities, private labs, and practical exercises trusted by professionals and bug bounty hunters worldwide.

Huge thanks to PentesterLab for sponsoring this giveaway and supporting the Disclosed. community. ❤️


Hey there, thanks for tuning in this week. Let’s dive in.

In This Issue

Using LLMs to Hack Better and Faster [🔗 Blog]
by André Baptista (@0xacb)

Ethiack’s recent talk at C-DAYS 2025 explored how hackers can use LLMs to enhance their workflows, from reconnaissance to exploit development, while also addressing the unique risks of AI-generated code.
Read the full blog →

Xbow Becomes #1 Hacker on HackerOne Leaderboard [🔗 Tweet]
by @Xbow

XBOW has identified 1,092 vulnerabilities across various web applications on HackerOne, spanning issues like RCE, XXE, SQLi, SSRF, exposed secrets, and XSS.
Read the full tweet →

More Speakers Announced for Bug Bounty Village at DEF CON 33
by @BugBountyDEFCON

The Bug Bounty Village has revealed more of its speaker lineup for DEF CON 33, including Jason Haddix, Martin Doyhenard, Harrison Richardson, Gunnar Andrews, Sam Erb, Bruno Halltari, Dane Sherrets and more. Additional speakers are being announced daily.
Visit their Twitter →

Have something you want to Spotlight? Tell me.

Le Loft Hacking Event Final Scores Announced [🔗 Tweet]
by @yeswehack

Celebrating top participants, the final scores from the Le Loft hacking event are revealed, fostering community spirit among ethical hackers.
Read the full tweet →

Immunefi Releases Statement About Spectra Finance Situation [🔗 Tweet]
by @GaspardPeduzzi

Immunefi states that Spectra Finance approved the rules of an audit competition, including a $40K payout for a single valid bug, but later refused to honor this commitment when it was time to pay.
Read the full tweet →

German HackerOne Meetup Vol. 3 Sets New Bounty Record [🔗 Tweet]
by @lauritz

The third volume of the German Hacker0x01 Club meetup achieved over $94,000 in bounties, with swag for attendees on the way.
Read the full tweet →

Highlights from Q2 HackerOne Meetup in Portugal [🔗 Tweet]
by @val_brux

This tweet summarizes the Q2 Hacker0x01 meetup in Portugal, including discussions about recent hacking sessions and encouraging future community engagement.
Read the full tweet →

Join Google CTF to Test Your Hacking Skills [🔗 Tweet]
by @GoogleVRP

Inviting hackers to participate, the tweet announces the upcoming Google CTF event scheduled for June 27-29.
Read the full tweet →

HackTheSystem CTF Offers Real Bug Bounty Challenges This Weekend [🔗 Tweet]
by @0xdf_

The HackTheSystem CTF features challenges based on real bug bounty reports, providing an excellent practice opportunity for participants.
Read the full tweet →

Did I miss an important update? Tell me.

Nuclei Forge - Visual Editor & Builder for Nuclei Templates [📁 Tool]
by payloadartist

Introducing Nuclei Forge, a visual editor facilitating the creation of vulnerability templates with live YAML previews, enhancing vulnerability detection workflows.
View the tool →

GitHub - Icare1337/CVE-Monitor: CVE Monitor v1.0 [📁 Tool]
by Icare1337

CVE Monitor v1.0 allows real-time CVE monitoring and analysis with a user-friendly interface, dashboards, and installation options.
View the tool →

GitHub - francisconeves97/jxscout: jxscout superpowers JavaScript analysis for security researchers [📁 Tool]
by francisconeves97

The jxscout tool automates JavaScript analysis for security researchers, featuring asset organization, code beautification, and real-time vulnerability discovery frameworks.
View the tool →

Have a favorite tool? Tell me.

Link Unfurling-Based Data Exfiltration in Anthropic Slack MCP Server [📓 Blog]
by wunderwuzzi

Claude Desktop, Claude Code, Windsurf, VS Code, or any AI system that is configured to use the Slack MCP Server from Anthropic is susceptible to data exfiltration when posting messages. An adversary can exploit this via prompt injection to leak sensitive information.

Basecamp | Report #2819573 - Mutation Based Stored XSS on Trix Editor version latest (2.1.8) | HackerOne [📓 Blog]
by sudi

This report details a mutation-based stored XSS vulnerability in Trix Editor, version 2.1.8. It covers payloads that bypass sanitization and includes proof-of-concept code to replicate the issue.
Read more →

Exposed Client Secret in JavaScript Resulted in Quick Bug Bounty $$$ [📓 Blog]
by Medusa

The author shares their findings of a hardcoded client secret in a JavaScript file from a public beta site, leading to a quick bug bounty payout, and emphasizes clear report writing.
Read more →

Intigriti June RCE Challenge (0625) [📓 Blog]
by jorianwoltjer

Outlining the exploitation of an Intigriti challenge, the post details exploited web vulnerabilities that transitioned from client-side XSS to remote code execution (RCE).
Read more →

From SQLi Discovery to a $4,500 Reward [📓 Blog]
by Monika Sharma

This article recounts a SQL injection vulnerability discovered on Zomato’s platform that led to a $4,500 reward, detailing technical challenges and exploitation steps.
Read more →

XBOW – Breaking the Shield: How XBOW Discovered Multiple XSS Vulnerabilities in Palo Alto’s GlobalProtect VPN [📓 Blog]
by Alvaro Muñoz

The article explains how XBOW found multiple XSS vulnerabilities in Palo Alto's GlobalProtect VPN through reconnaissance and exploitation techniques.
Read more →

Did I miss an important update? Tell me.

What bugs you should look for in a GraphQL API? Bug Bounty Case Study [🎥 Video]
by Bug Bounty Reports Explained

This video examines vulnerabilities found in GraphQL APIs through analyzed bug bounty cases, discussing bugs categorized by authorization and mutation exploits.
Watch video →

Browser Exploits, AI Recon, and Font Ligature Spoofing [🎥 Video]
by Critical Thinking - Bug Bounty Podcast

This video covers advanced browser attack vectors like fetchLater() and credentialless iframes, AI-assisted reverse engineering of obfuscated code, and a $15K Chrome URL spoofing bug using font ligatures. It’s a deep dive into tools, techniques, and emerging trends in offensive security.
Watch video →

Exploiting Exact-match Cache Rules for Web Cache Deception | PortSwigger Lab | Explained [🎥 Video]
by Medusa

Demonstrating web cache deception exploitation, this video shows how to manipulate requests to cache malicious payloads through CSRF tokens.
Watch video →

Hacking BOLA Like a Pro: Real-World Bug Bounty Tactics [🎥 Video]
by APIsec University

Diving into Broken Object Level Authorization (BOLA), this session highlights testing scenarios and the importance of recon in vulnerability discovery.
Watch video →

AUSCERT2025 - Why Didn't I Get Paid? Bug Bounty Programs From the Vendor Perspective by Jon Green [🎥 Video]
by AUSCERT

Jon Green discusses bug bounty programs from a vendor perspective, covering communication, budget constraints, and effective vulnerability triage processes.
Watch video →

Did I miss something? Tell me.

XBOW – The road to Top 1: How XBOW did it [📓 Blog]
by Nico Waisman

Detailing XBOW's ascent to the top autonomous penetration tester on HackerOne, the blog showcases techniques for discovering vulnerabilities.
Read more →

Log4Shell (Log4J): Advanced Exploitation Guide | Intigriti [📓 Blog]
by blackbird-eu
Exploring the Log4Shell vulnerability's implications, this guide details target identification, payload delivery, and advanced exploitation techniques.
Read more →

Top Techniques for Bypassing Weak Two-Factor Authentication [🔗 Tweet]
by @_0b1d1

Discussing vulnerabilities in Two-Factor Authentication, the tweet shares techniques used by professionals to exploit weak implementations.
Read the full tweet →

Guide to Analyzing JavaScript Files for Vulnerabilities [🔗 Tweet]
by @intigriti

This tweet highlights a comprehensive guide on examining JavaScript files for vulnerabilities, assisting bug bounty hunters in testing.
Read the full tweet →

Did I miss something? Tell me.

Account Takeover via XSS and Cookie Theft Techniques [🔗 Tweet]
by @mugh33ra

Explaining XSS leverage for account takeover, this tweet includes code snippets for manipulating alerts and stealing cookies.
Read the full tweet →

Bypass XSS WAF Alert Block with These Tricks [🔗 Tweet]
by @therceman

This tweet highlights effective methods for bypassing alert blocks in XSS WAFs, aimed at enhancing hacking techniques.
Read the full tweet →

Remote Code Execution via Authentication Login PoC [🔗 Tweet]
by @viehgroup

This tweet provides a proof of concept for RCE vulnerability found in authentication login processes, offering insights for researchers.
Read the full tweet →

Exploiting Zendesk to Extract User Info via Email CCs [🔗 Tweet]
by @rikeshbaniya

This tweet outlines a method of exploiting Zendesk's email handling by injecting payloads into CC fields to extract sensitive user data.
Read the full tweet →

Elevate Your Bug Bounty Skills with Expert Tools and Tactics [🔗 Tweet]
by @myselfakash20

Providing insights into advanced bug bounty tactics, this tweet emphasizes tools and strategies for improving success rates in 2025.
Read the full tweet →

Using Webhook.site to Capture RCE Outputs [🔗 Tweet]
by @hackinghub_io

This tweet shares a method for capturing RCE attack outputs using webhooks, allowing developers to visualize results from their exploits.
Read the full tweet →

Did I miss something? Tell me.

Did you like this week's drop?

Please share feedback.

Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.