Come to Roma ๐ฎ๐น ๏ฟผin September and attend the only in-person public training session I'll give in 2026! ๐จโ๐ซ
And if you like camping with other hackers (as I do), stay over the weekend for the 3-day long RomHack Camp ๏ฟผ๐๏ธ
romhack.io/training/
Last week, I had the opportunity to attend the 4-day Mastering Burp Suite Pro training by ๐ ๏ธ Nicolas Gregoire, and it exceeded my expectations by far. This wasnโt just another slide-driven course. Nicolas took the time to answer every question in depth and provided plenty of hands-on labs, allowing us to immediately apply what had just been explained. Even though Iโve been working with Burp for nearly five years, I still picked up a surprising number of new techniques and practical tricks, including ways to streamline otherwise time-consuming workflows such as managing CSRF tokens both with and without session handling rules. What I especially appreciated were the little side explorations (driven by our requests) into methodologies for leveraging features and extensions to remain stealthy or bypass WAFs. This is something thatโs particularly relevant (and often underestimated) when exploiting external or internal web applications during advanced Red Team engagements. Iโm genuinely looking forward to applying this newly gained knowledge in upcoming projects, and I can wholeheartedly recommend this training to any (web) pentester who wants to level up their Burp skills. Big thanks to Nicolas for an excellent and highly practical course!
Another highly satisfied trainee ๐ ๐จโ๐ซ
If you want to take the online version of my Burp Suite course, there are two opportunities really soon (March in French, April in English) hackademy.agarri.fr/sessions
And if you want to indulge your company a private session (like this company did), ping me!
Spring is just around the corner, and that's when I offer online training courses on Burp Suite Pro ๐จโ๐ซ Two sessions are planned (in English and French), and there are still a few spots left in each.
Contact me to get an early-bird discount code! ๐ฐ
Spring is just around the corner, and that's when I offer online training courses on Burp Suite Pro ๐จโ๐ซ Two sessions are planned (in English and French), and there are still a few spots left in each.
Contact me to get an early-bird discount code! ๐ฐ
Thanks to everyone who nominated & voted in the top ten! The panel of @irsdl.bsky.social , @agarri.fr , @liveoverflow.bsky.social and myself are hard at work reviewing the 15 finalists... we're hoping to announce the winners next week!
In case you didn't vote yet (2 days left!), let me tell you that your participation is critical ๐ณ๏ธ
Indeed, the panel (that I'm part of) will only process the top X results and it may contain some sh*tty entries (because of ballot stuffing ๐ฅด)
So please do your part! ๐
It's time to vote for your favorite Web Hacking Techniques of 2025 ๐ณ๏ธ
portswigger.net/polls/top-10...
The 2026 online public sessions of my "Mastering Burp Suite Pro" course have been published ๐
- March 24th to 27th, in French ๐ซ๐ท
- April 14th to 17th, in English ๐ฌ๐ง
hackademy.agarri.fr/2026
PS: feel free to ping me if you'd like to temporarily block a seat or are looking for a 10% coupon ๐
To sign or not to sign: Practical vulnerabilities in GPG & friends
media.ccc.de/v/39c3-to-si...
I'm slowly going though the talks from the CCC congress. Here's my favorites so far... โคต๏ธ
Annaโs Archive is an incredible project aimed at preserving humanityโs knowledge and culture
Their latest exploit is a near-full backup of Spotify. It includes 86 million songs, representing around 99.6% of listens ๐ถ
annas-archive.org/blog/backing...
Annaโs Archive is an incredible project aimed at preserving humanityโs knowledge and culture
Their latest exploit is a near-full backup of Spotify. It includes 86 million songs, representing around 99.6% of listens ๐ถ
annas-archive.org/blog/backing...
Looks like the final OWASP Top 10 (2025) has been published: owasp.org/Top10/2025/.
Based on commits, looks like this happened 5 days ago.
THC Release ๐ฅ: The worldโs largest IP<>Domain database: ip.thc.org
All forward and reverse IPs, all CNAMES and all subdomains of every domain. For free.
Updated monthly.
Try: curl ip.thc.org/1.1.1.1
Raw data (187GB): ip.thc.org/docs/bulk-da...
(The fine work of messede ๐)
#Protip Need to go really fast and HEAD is disabled?
Use GET and the Range header...
The wait is over! Phrack 72 40th Anniversary Edition is available now.
Order straight to your doorstep โ the perfect gift for your fellow hacker, just in time for the holidays ๐
No need to go to rely on the warez scene with scans anymore ๐
Order here: www.lulu.com/shop/phrack-...
THC Release: ๐Smallest SSHD backdoor๐
- Does not add any new file
- Survives apt-update
- Does not use PAM or authorized_keys
Just SSHD trickery....adds one line only.
More at thc.org/tips ๐
Looking for a Christmas gift for yourself? #burp #training #2026
Thereโs 9 seats left for the English-speaking session, and 5 for the French-speaking one
Great article ๐
Printed version of Paged Out #7, collected during GreHack 2025
Printed version of Paged Out #7, collected during GreHack 2025 ๐คฉ
This vulnerability was the inspiration for the first step of the Panel challenge we played during last weekโs Grehack CTF
But we found a dumb bypass ๐
Lโ4N551 4 un3 m1551on 9our vou5 :
๐ Lโ4N551 4 un3 m1551on 9our vou5.
S1 vou5 lโ4cc3973z, vou5 s3r3z 4m3n3 4 :
*53rv1r lโ1nt3r37 g3n3r4l 37 9ro73g3r l4 N471on f4c3 4 l4 m3n4c3 cy83r ;
*1nc4rn3r lโ3xc3ll3nc3 fr4nรง4153 3n m4713r3 d3 cy83rd3f3n53.
9our 7rouv3r vo7r3 m1551on :
๐ www.welcometothejungle.com/fr/companies...
Stealth (from Team-Teso, Phrack staff and other groups) passed away earlier this year ๐ข
I didn't know him personally, but his groundbreaking research has been a constant influence on my career
www.thc.org/404/
Here's the recording of the stream we made earlier this week with @laluka.bsky.social, @thesytten.bsky.social and @rhynorater.bsky.social
If you speak French, you may appreciate its title: "Caido de Noรซl" ๐ ๐ ๐
www.youtube.com/watch?v=JvUm...
I really want to know the full story behind this epic hack, and yet I also hope it is never solved.
I've uploaded the slides of my recent talk "JS Engine Security in 2025": saelo.github.io/presentation.... I think there'll also be a recording available at some point (otherwise I can make one as not everything's in the slides).
Fantastic conference as usual, big thanks to the PoC Crew!
The 2026 online public sessions of my "Mastering Burp Suite Pro" course have been published ๐
- March 24th to 27th, in French ๐ซ๐ท
- April 14th to 17th, in English ๐ฌ๐ง
hackademy.agarri.fr/2026
PS: feel free to ping me if you'd like to temporarily block a seat or are looking for a 10% coupon ๐
