ch
Feedback
Brut Security

Brut Security

前往频道在 Telegram

📈 Telegram 频道 Brut Security 的分析概览

频道 Brut Security (@brutsecurity) 英语 语言赛道中的 是活跃参与者。目前社区聚集了 15 896 名订阅者,在 技术与应用 类别中位列第 8 173,并在 印度 地区排名第 26 443

📊 受众指标与增长动态

невідомо 创建以来,项目保持高速增长,吸引了 15 896 名订阅者。

根据 04 七月, 2026 的最新数据,频道保持稳定运转。过去 30 天订阅人数变化为 315,过去 24 小时变化为 23,整体触达仍然可观。

  • 认证状态: 未认证
  • 互动率 (ER): 平均受众互动率为 16.24%。内容发布后 24 小时内通常能获得 5.76% 的反应,占订阅者总量。
  • 帖子覆盖: 每篇帖子平均可获得 2 578 次浏览,首日通常累积 914 次浏览。
  • 互动与反馈: 受众积极参与,单帖平均反应数为 11
  • 主题关注点: 内容集中在 hunter, bounty, darkshadow, bypass, hex 等核心主题上。

📝 描述与内容策略

作者将该频道定位为表达主观观点的平台:
✅DM: @wtf_brut 🛃WhatsApp: https://wa.link/brutsecurity 🈴Training: https://brutsecurity.com 📨Mail: info@brutsec.com

凭借高频更新(最新数据采集于 05 七月, 2026),频道始终保持新鲜度与高覆盖。分析显示受众积极互动,使其成为 技术与应用 类别中的关键影响点。

15 896
订阅者
+2324 小时
+387
+31530
帖子存档
Please do share and like . Thanks 🙏❤️

━━━━━━━━━━━━━━━━━ 🎁 MIDNIGHT GIVEAWAY — 5 FREE COPIES ━━━━━━━━━━━━━━━━━ At midnight tonight I'm dropping 5 free coupon codes right here in the channel. How to get one: → Be here at midnight → First 5 to DM me the word BRUT grab a free copy Set your alarm. 🕛

🔥 Just dropped — 2026 Bug Bounty Guide 📖 86 pages. 25 chapters. Built on real data. What's inside: → The AI shift — what it means for your bounties → Full recon workflow (subfinder → puredns → httpx → nuclei) → Every major vuln class with payloads — XSS, SSRF, IDOR, SSTI, SQLi, LFI, XXE → LLM & AI attack surface — prompt injection, MCP, indirect injection → WAF bypass techniques for CloudFlare, Akamai, AWS → 9 real HackerOne reports — PayPal $18,900 · Dropbox $17,576 · GitLab $12K · HackerOne $20K → Full payload cheatsheet you'll actually use mid-hunt → A-to-Z methodology checklist → Cloud security — AWS SSRF, S3, IAM escalation → Mobile app testing (Android + iOS) → Career roadmap from first VDP to private programs 🔗 https://topmate.io/saumadip/2187710 — Saumadip | Brut Security @brutsecurity

Something is coming soon. Stay Tuned!☠️

5 free coupons for Pro hacker's playbook: recon, XSS, SQLi, SSRF & more https://topmate.io/saumadip/2054509?coupon_code=awww

Repost from Brut Security
157 Methods for Privilege Escalation (WindowsLinuxMacos) PDF.pdf84.93 MB

🚨 [codeb0ss] — The Biggest CVE PoCs & Exploitation Channel on Telegram 🚨 [codeb0ss] is the largest and most dedicated Telegram channel focused entirely on real CVEs and professional Proof-of-Concept exploitation, built through more than six years of continuous hard work, research, and real-world experience in offensive security. This channel exists for one purpose only: to publish long, high-quality, Python-based exploitation PoCs that explain how vulnerabilities truly work, from the root cause to full exploitation, without shortcuts, reposts, or shallow demonstrations. Inside [codeb0ss], you will find an ever-growing archive of CVE-2025 and CVE-2026 PoCs, covering web applications, plugins, frameworks, logic flaws, authentication bypasses, remote code execution, privilege escalation, and complex vulnerability chains that reflect real attack scenarios seen in the wild. Unlike typical channels that repost incomplete scripts or broken examples, every PoC published in [codeb0ss] is written with depth, clarity, and purpose, focusing on exploit logic, reliability, and practical understanding. The goal is not only to show that a vulnerability exists, but to teach how exploitation is designed, developed, and executed using clean, structured, and reusable Python code. [codeb0ss] represents years of persistence, learning, failure, reverse engineering, and refinement. It is a channel created for security researchers, penetration testers, red teamers, bug hunters, and serious learners who value knowledge over noise and skill over hype. All content is shared strictly for educational and informational purposes, with no harmful intentions, and with a strong emphasis on responsible learning and technical mastery. If you are looking for the biggest, most serious, and most experienced CVE PoCs channel on Telegram, built on six years of real work and continuous contribution, then [codeb0ss] is the place to be. 👉 Join [codeb0ss] — where real CVEs become real understanding 🔗 https://t.me/thecodeb0ss

🚨 [codeb0ss] — The Biggest CVE PoCs & Exploitation Channel on Telegram 🚨 [codeb0ss] is the largest and most dedicated Telegram channel focused entirely on real CVEs and professional Proof-of-Concept exploitation, built through more than six years of continuous hard work, research, and real-world experience in offensive security. This channel exists for one purpose only: to publish long, high-quality, Python-based exploitation PoCs that explain how vulnerabilities truly work, from the root cause to full exploitation, without shortcuts, reposts, or shallow demonstrations. Inside [codeb0ss], you will find an ever-growing archive of CVE-2025 and CVE-2026 PoCs, covering web applications, plugins, frameworks, logic flaws, authentication bypasses, remote code execution, privilege escalation, and complex vulnerability chains that reflect real attack scenarios seen in the wild. Unlike typical channels that repost incomplete scripts or broken examples, every PoC published in [codeb0ss] is written with depth, clarity, and purpose, focusing on exploit logic, reliability, and practical understanding. The goal is not only to show that a vulnerability exists, but to teach how exploitation is designed, developed, and executed using clean, structured, and reusable Python code. [codeb0ss] represents years of persistence, learning, failure, reverse engineering, and refinement. It is a channel created for security researchers, penetration testers, red teamers, bug hunters, and serious learners who value knowledge over noise and skill over hype. All content is shared strictly for educational and informational purposes, with no harmful intentions, and with a strong emphasis on responsible learning and technical mastery. If you are looking for the biggest, most serious, and most experienced CVE PoCs channel on Telegram, built on six years of real work and continuous contribution, then [codeb0ss] is the place to be. 👉 Join [codeb0ss] — where real CVEs become real understanding 🔗 https://t.me/thecodeb0ss
#AD

☺️Your support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars ⭐ to help me keep going. 💬 For queries, message me on Telegram: @wtf_brut 🎓 For course enrollment, reach out on WhatsApp: wa.link/brutsecurity

🔥 Chrome RCE PoC: CVE-2026-6307 A working renderer RCE Proof of Concept for CVE-2026-6307 — a V8 type-confusion bug (JS-to-Wasm deoptimization) patched in Chrome 147.0.7727.101. ✅ Full primitives (addrof/fakeobj, out-of-cage, in-cage r/w) ✅ No-ASLR RCE that patches JIT code to pop xcalc ✅ Based on Nebula Security writeup ✅ Heavily improved with frontier LLMs + human direction (4-day experiment) This is renderer-only and still far from fully weaponized, but great for learning and research. 📥 PoC + scripts: https://github.com/0xsha/CVE-2026-6307 #Chrome #V8 #Exploit #CVE #SecurityResearch

💥TORLINK: A torrent finder that runs right from your terminal with zero setup and nothing to configure. One search checks a small curated list of sources at once. Pick what you want, and it downloads directly to your computer. GitHub: https://github.com/baairon/torlink

Repost from Brut Security 2.0
🔴 Another serious security vulnerability has been discovered in Redis 8.8.0, and no POC has been released yet for this bidirectional RCE found by v12sec.

🛡️ Bug Bounty Tip: Test IDOR + Web Cache Deception Together When hunting IDORs, always check for web cache deception on the same endpoints: 1. As User A, access a sensitive resource like /api/invoices/123 (also try appending .css or `.js`). 2. As User B, repeat the exact same URL with identical headers. 3. Only change the Cookie/Auth token. If User B receives User A's 200 OK response from cache → you've likely found a critical vulnerability! This combo can lead to account takeover-level impacts. #BugBounty #AppSec #WebSecurity #IDOR #Pentesting

😆😆

🔍 Detailed Bug Bounty Tip: Publicly Exposed Firebase Config → Unauthorized Data Uploads Found a juicy misconfiguration durin
🔍 Detailed Bug Bounty Tip: Publicly Exposed Firebase Config → Unauthorized Data Uploads Found a juicy misconfiguration during a recon phase! ### Vulnerability: Many web/mobile apps use Firebase Realtime Database (Google) and leave the configuration exposed in client-side JavaScript or source code. When the database security rules are not properly set (often left as default "true" for testing), anyone can read and write data without authentication. This leads to unauthorized data injection, tampering, or even full database takeover. ### How to Test: 1. Hunt for Firebase config in JS files, source code, or APK (look for firebaseConfig, apiKey, databaseURL, projectId etc.) 2. Identify the database URL (usually `https://<project-id>.firebaseio.com`) 3. Test write access with a simple PUT request ### Exploitation Command:
curl -X PUT "https://your-project-id.firebaseio.com/poc.json" \
     -d '{"POC": "Successful upload by Bug Hunter", "timestamp": "2026"}'
Replace your-project-id with the actual one. If successful, you'll be able to inject arbitrary data into the database. Proof of Concept Result: The database accepted the PUT request and stored the attacker-controlled JSON data. ### Impact: - Data pollution / poisoning - Injecting malicious content (e.g., XSS payloads, fake user data, phishing links) - Potential account takeover or business logic abuse depending on how the app uses the data - In severe cases → complete database compromise ### How to Report & Fix (for devs): - Set proper Firebase Realtime Database Security Rules (deny read/write by default) - Use Firebase Authentication - Avoid exposing sensitive config in client-side code when possible - Use Firestore with stricter rules instead (if applicable) Pro Tip: Always check .js files and network tab for firebaseio.com during recon. Many programs pay well for this! #BugBounty #BugBountyTips #Firebase #WebAppSec #HackerOne #Bugcrowd #Pentesting #CyberSecurity

☺️Your support keeps me motivated to share more valuable content! If you found this helpful, drop a like & send stars ⭐ to help me keep going. 💬 For queries, message me on Telegram: @wtf_brut 🎓 For course enrollment, reach out on WhatsApp: wa.link/brutsecurity

🚨 CVE-2026-20230: Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition S
🚨 CVE-2026-20230: Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition Server-Side Request Forgery (SSRF) Critical Vulnerability Alert! Cisco Unified Communications Manager is affected by CVE-2026-20230. Full Vulnerability Details & Analysis at DarkEye: 🔗 https://darkeye.org/vuln/cve/CVE-2026-20230 🔍 Identify Targets via ZoomEye: Filter: vul.cve="CVE-2026-20230" Search Dork: app="Cisco Unified Communications Manager" Exposure: 5k instances identified globally. ZoomEye Search Link: 👉 https://www.zoomeye.ai/searchResult?q=YXBwPSJDaXNjbyBVbmlmaWVkIENvbW11bmljYXRpb25zIE1hbmFnZXIi&t=all&utm_source=telegram&utm_medium=community&utm_campaign=cve_ops_20260626

An anonymous GitHub account has begun releasing proof-of-concepts for exploits framed as undisclosed zero-days, accompanied b
An anonymous GitHub account has begun releasing proof-of-concepts for exploits framed as undisclosed zero-days, accompanied by a note instructing readers to report the findings and claim credit for the associated CVEs themselves. 🛡️📝 https://github.com/bikini/exploitarium 🔗

🚨 Bug Bounty Tip: Password Reset Race Condition Many applications generate a password reset token but fail to invalidate it when critical account details change. This can create a dangerous account takeover scenario. Test Flow: 1️⃣ Request a password reset for your account. 2️⃣ Do not use the reset link yet. 3️⃣ Log in normally using your current password. 4️⃣ Change your email address (or another identifier linked to password recovery). 5️⃣ Now open the old password reset link you received before the email change. 💥 Potential Finding: If the old reset token still resets the password after the email change, the application isn't invalidating previously issued reset tokens. An attacker with access to an older reset email could still take over the account even after the user updates their recovery email. What to Verify: • Is the old token still valid after changing the email? • Does the reset affect the current account owner? • Are all existing reset tokens revoked after sensitive account changes? • Does changing the password or email invalidate outstanding reset links? 🎯 Impact: High (Account Takeover) if an attacker can obtain or intercept an old password reset email. Always test only on accounts you own or are explicitly authorized to assess.