HN Security

@[email protected]
167 Followers
14 Following
123 Posts
Penetration testing, red teaming, and security by design delivered by world-class cybersecurity experts.
Websitehttps://hnsecurity.it
LinkedInhttps://www.linkedin.com/company/hnsecurity
Twitterhttps://twitter.com/hnsec
HN Security32m ago

Five years ago, we set out to build something different: a team of world-class offensive security experts who trace their roots back to the early days of the discipline, don't cut corners, go as deep as the problem demands, and approach every engagement with the same relentless curiosity that defined the craft from the start.

Today, we're celebrating that anniversary with a milestone we're genuinely proud of: #HNSecurity has brand new headquarters in #Turin! A bigger space. A proper hacking lab, because our researchers deserve the right playground. And ('cause we're Italian and we have our priorities straight đź‡®đź‡ą) a well-equipped kitchen.
 
Here's to five more years of breaking things so others can't, staying ahead of real-world adversaries, and giving our clients the strategic edge they deserve. đźĄ‚

https://hnsecurity.it/

HN SecurityMay 14

🎙️ Join Federico’s Discord talk later today!

As part of #BurpExtensibilityMonth initiatives, our Research Lead and #BurpAmbassador @apps3c is joining #PortSwigger on Discord for “Restoring testability: Handling complex scenarios in Burp Suite with a custom extension”.

Most web and mobile backends and APIs can be assessed effectively with #BurpSuite out of the box. But testers sometimes hit scenarios where standard workflows become impractical, such as encryption, request signing, custom data formats, WAF controls, token handling, and other protections.

In this talk, Federico will explore how custom Burp Suite extensions can integrate those mechanisms directly into your testing workflow, so you can keep using tools like Repeater, Intruder, Scanner, and more as if the underlying complexity was not there.

Expect a real-world inspired scenario, practical design guidance, and plenty of extension-building inspiration.

👉 Register your interest here!
https://discord.com/events/1159124119074381945/1499761261750128670

Discord - Group Chat That’s All Fun & Games

Discord is great for playing games and chilling with friends, or even building a worldwide community. Customize your own space to talk, play, and hang out.

Discord
HN SecurityMay 5

To kick off his collaboration with @portswigger as a Burp Suite Ambassador, our Research Lead @apps3c just published the 10th article on the creation of extensions for #BurpSuite. Topic: #Burp #AI!

https://hnsecurity.it/blog/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-10/

HN Security - Extending Burp Suite for fun and profit – The Montoya way – Part 10 - Articles

Setting up the environment + Hello World Inspecting and tampering HTTP requests and responses Inspecting and tampering WebSocket messages Creating […]

HN Security
HN SecurityFeb 20
raptorFeb 20

Just shipped updates for rhabdomancer, haruspex, and augur. Now compatible with @HexRaysSA IDA 9.3 and @xorpse's idalib-rs 8.0.

These headless #IDA plugins are built for #VulnerabilityResearch workflows where you want IDA's power without the GUI. This release brings a bunch of small improvements and bug fixes.

https://hnsecurity.it/blog/streamlining-vulnerability-research-with-the-idalib-rust-bindings-for-ida-9-2/

HN Security Streamlining Vulnerability Research with the idalib Rust Bindings for IDA 9.2 Tools

HN Security's Technical Director Marco Ivaldi walks through using idalib's Rust bindings with IDA 9.2 to streamline vulnerability research.

HN Security
HN SecurityFeb 5
raptorFeb 5

While waiting for the upcoming release of #IDAPro 9.3 by @HexRaysSA, I have made some updates and bug fixes to my idalib-based headless IDA #plugins rhabdomancer, haruspex, and augur.

Check out the changelogs for all the details and enjoy!

https://hnsecurity.it/blog/streamlining-vulnerability-research-with-the-idalib-rust-bindings-for-ida-9-2/

HN Security Streamlining Vulnerability Research with the idalib Rust Bindings for IDA 9.2 Tools

HN Security's Technical Director Marco Ivaldi walks through using idalib's Rust bindings with IDA 9.2 to streamline vulnerability research.

HN Security
HN SecurityDec 18
raptorDec 18

This is my experience with LLMs. To paraphrase @apps3c “sometimes you just need to ask nicely”

https://hnsecurity.it/blog/attacking-genai-applications-and-llms-sometimes-all-it-takes-is-to-ask-nicely/
https://mastodon.cloud/@slashdot/115742100395423331

Attacking GenAI applications and LLMs - Sometimes all it takes is to ask nicely! - HN Security

Real-world attack examples against GenAI and LLMs, highlighting attack techniques and often-overlooked security risks.

HN Security
HN SecurityDec 10
Federico DottaDec 10

The ninth article of the series "Extending Burp Suite for fun and profit - The Montoya way" is out! The topics of this ninth part is "Custom scan checks - An improved quick way to extend Burp Suite Active and Passive Scanner"!

https://hnsecurity.it/blog/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-9/

Extending Burp Suite for fun and profit – The Montoya way – Part 9 - HN Security

A comprehensive guide on extending Burp Scanner with custom scan checks.

HN Security
HN SecurityDec 10

In this latest article in our long-running series on #BurpSuite #Extension #Development, @apps3c illustrates how to extend the Active and Passive Scanner in your favorite #WebApplication #PenetrationTesting tool with Custom Scan Checks:

https://hnsecurity.it/blog/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-9/

Check it out!

Extending Burp Suite for fun and profit – The Montoya way – Part 9 - HN Security

A comprehensive guide on extending Burp Scanner with custom scan checks.

HN Security
HN SecurityDec 3
raptorDec 3

Hey developers and vulnerability researchers!

I'm currently working on improving my #Semgrep ruleset for C/C++ static code analysis, and I've just published the new v1.1.0 release: https://github.com/0xdea/semgrep-rules

Some notable changes since the previous battle-tested release: new rules for detecting high-entropy assignments and ReDoS vulnerabilities, numerous enhancements to existing rules, reduced false positives without sacrificing coverage, optimized patterns across the board, and overall better documentation. Check the changelog for the full list (yes, there’s a changelog now).

Please test it inside and out, and feel free to open issues or submit pull requests. Your feedback is invaluable and will help shape the project roadmap. I'm aiming for a major release sometime before spring.

HN SecurityNov 11, 2025

Our senior security analyst @[email protected] has published a follow-up to his popular #Groovy Template Engine #Exploitation writeup:

https://hnsecurity.it/blog/groovy-template-engine-exploitation-part-2/

Check out some new practical exploitation tricks that he figured out while working on a real-world scenario.

Groovy Template Engine Exploitation – Notes from a real case scenario, part 2 - HN Security

New practical tricks for Groovy template engine exploitation in a real-world scenario.

HN Security