Projects, Researches, and Publications #

Products I’ve Built #

• FullHunt.io Assets Database: The attack surface database of the Internet. FullHunt is one of the largest and most updated databases for internet-facing assets and external attack surfaces of organizations. Thousands of security professionals worldwide use the FullHunt community search engine. Link
• FullHunt Attack Surface Management Platform: A solution that allows organizations to discover, monitor, and run continuous vulnerability scans on their attack surfaces. FullHunt ASM platform is used by security companies to monitor the security of their clients. Link
• Stressful.io Platform: A cloud-based DDoS (Distributed Denial-of-Service) simulation platform that is deployed on Microsoft Azure to run DDoS simulation attacks at a large scale. It supports over 20 DoS modules that I’ve developed. Stressful.io started as a research project that led to the development of the stress-testing engine. Link
• Phish-Catcher: a Node.JS library that can identify phishing emails based on modular checks on the client side. It does not require sending the email to an external party for analysis; instead, it runs scans on the user’s browser.
• protonvpn-cli: Official ProtonVPN Command-Line Tool for Linux and macOS. Link

Open-Source Tools #

• BFAC: (Backup File Artifacts Checker) - An automated tool that checks for backup artifacts that may disclose the web application’s source code. Link
• struts-pwn: An exploit for Apache Struts CVE-2017-5638. Link
• struts-pwn_CVE-2017-9805: An exploit for Apache Struts CVE-2017-9805. Link
• GithubCloner: A script that clones Github repositories of users and organizations. Link
• JWT-pwn: Security testing scripts for JWT (JSON Web Token). Link
• Log4j-scan: A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228. It was recommended by the United States CISA (Cybersecurity and Infrastructure Security Agency) for scanning Log4Shell vulnerabilities to the US government and entities. Link
• Firefox Security Toolkit: A tool that transforms Firefox browsers into a penetration testing suite. Link
• ct-monitor: A monitoring tool for certificate transparency for domains. Link
• Apache server-status PWN: A script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances. Link
• xless: The serverless blind XSS app. Link
• Tfquery: tfquery is a framework that allows running SQL queries on Terraform code. Link
• Shennina: An AI-driven automated host exploitation framework. Link
• Secrets-patterns-db: The largest open-source Database for detecting secrets, API keys, passwords, and tokens. Link
• Whatsapp-chat-parser: A module to parse WhatsApp chats. Link
• llmquery: A comprehensive framework for interacting with Language Model APIs. It leverages standard YAML templates for prompt management, validation, and dynamic generation. Designed to streamline complex workflows, it allows developers to integrate, query, and test LLMs with ease. Link
• aws-bedrock-proxy-server: A proxy server that provides an OLLAMA-compatible API interface for AWS Bedrock Claude models. Link
• detect_passive_secrets: A Node.JS library that detects secrets in codebases and texts through Shannon entropy. Link

Conferences #

Recorded Conference Talks #

• Attack Vectors on Terraform Environments - DEF CON Cloud Village (2021). Watch the talk
• Attack Vectors on Terraform Environments - DEF CON AppSec Village (2021). Watch the talk
• Attack Vectors on Terraform Environments - Bsides Amman (2021). Watch the talk
• Attack Vectors on Terraform Environments - ROOTCON (2021). Watch the talk
• Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom - DEF CON 28 (2020). Watch the talk
• Using Serverless To Build Pentesting Toolset - OPCDE (2020). Watch the talk
• Practical Approaches For Testing And Breaking JWT Authentication - Hack in The Box (2019). Watch the talk

Conferences I’ve Spoken at #

• OWASP PNW - Vancouver (2024) - Attacking GraphQL APIs
• Black Hat MEA (2022) - DoS Attacks are Dead: Demystifying Practical DoS Attacks
• OWASP Vancouver (2022) - Attack Vectors on Terraform Environments
• @Hack (2021) - Attack Vectors on Terraform Environments
• DEFCON Cloud Village (2021) - Attack Vectors on Terraform Environments
• DEFCON AppSec Village (2021) - Attack Vectors on Terraform Environments
• Bsides Amman (Jordan) (2021) - Attack Vectors on Terraform Environments
• RootCon (2021) - Attack Vectors on Terraform Environments
• DEFCON RedTeam Village (2020) - Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom
• OPCDE (2020) - Using Serverless To Build Pentesting Toolset
• Hack in the Box Abu Dhabi (2019) - Practical Approaches For Testing And Breaking JWT Authentication
• Swiss Cyber Storm (2016) - Bug Bounty Hunting for Companies and Researchers
• OWASP Khartoum Chapters (2015-2019)

Researches #

• Secrets Patterns DB: Building Open-Source Regex Database for Secret Detection (2023)
• DoS Attacks are Dead: Demystifying Practical DoS Attacks (2022)
• Scan Terraform plans and changes with tfquery via SQL-powered framework (2022)
• Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools (2022)
• Attacking Modern Environments Series: Attack Vectors on Terraform Environments (2022)
• tfquery: Run SQL queries on your Terraform infrastructure (2021)
• Hacking Zoom: Uncovering Tales of Security Vulnerabilities in Zoom (2020)
• OhMyZsh dotenv Remote Code Execution (2020)
• Practical Approaches for Testing and Breaking JWT Authentication (2019)
• Search Engine Abuse in Popular Social Networks (2019)
• Overview of the Application-Level Security of the Swiss Evoting System (2019)
• Search Engine Abuse in Popular Social Networks (2019)
• Backchannel Leaks on Strict Content-Security Policy (2019)
• emojis-webshell: A PoC PHP web-shell, in emojis (2018)
• Using HTML Attribute Separators for Bypassing WAF XSS Filters (2018)
• Practical Protection Against DNS Rebinding Attacks (2018)
• Bypassing CSP by Abusing JSONP Endpoints (2018)
• [Public Report] ModX CMS - Responsible Disclosure (2017) - Read the report
• [Public Report] Symantec Web Services - Responsible Disclosure (2017) - Read the report
• Exploiting Misconfigured Apache server-status Instances (2017)
• Using Ubuntu .DESKTOP as a Malware Vector (2017)
• Backup-File Artifacts: The Underrated Web-Danger (2016)
• [Paper] Bypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks (2016) - Read the paper
• Google UI-Redressing Bug That Discloses The User’s Email Address (2016)
• [Paper] Evading All Web-Application Firewalls XSS Filters (2015) - Read the paper
• Summary of HSTS Policy in Modern Browsers (2015)
• XSS Challenges - Web-App Security Challenges (2015)
• Bypassing Google Password Alert with One Line of Code (2015)
• Why Prebuilt Browsers are Bad: Introducing Firefox Security Toolkit (2015)
• Summary of HSTS Support in Modern Browsers (2015)
• Facebook Messenger Multiple CSRF Vulnerabilities (2015)
• W3TotalFail: W3 Total Cache Vulnerability that Leads to Full Defacement (2014)
• Session Hijacking in Instagram Mobile Application via MITM Attacks (2014)

Projects #

• HackBack: HackBack is an offensive security podcast that discusses security highlights and insights, delivered in English and Arabic.

CVEs #

Discovered #

• CVE-2017-7324
• CVE-2017-7323
• CVE-2017-7322
• CVE-2017-7321
• CVE-2017-7320
• CVE-2014-9414

Developed Exploit #

• CVE-2022-42889
• CVE-2021-44228
• CVE-2017-5638
• CVE-2017-9805
• CVE-2017-12616