Drew @hoodoer hoodoer - Bluesky Statics

MCP in Burp Suite: From Enumeration to Targeted Exploitation

Model Context Protocol servers often rely on SSE and WebSockets, which makes manual testing tricky. @hoodoer.bsky.social introduces MCP-ASD, a new Burp Suite extension designed to help testers identify, enumerate, and interact with MCP servers more effectively. trustedsec.com/blog/mcp-in-...

03.02.2026 16:07 — 👍 1 🔁 2 💬 0 📌 0

Microsoft seems to be integrating #Copilot into everything. And we mean EVERYTHING. Find out what we have to say about it and how it relates to data security on the latest episode of the #SecurityNoise podcast! @hoodoer.bsky.social youtu.be/QsmdLJsvAkc

30.01.2026 14:00 — 👍 2 🔁 1 💬 0 📌 0

Nice to finally knock this off my to-do list. Hope it helps!

20.01.2026 16:44 — 👍 1 🔁 0 💬 0 📌 0

The path to tricking users to trigger this isn't so hard.

13.06.2025 15:37 — 👍 0 🔁 0 💬 0 📌 0

Yes!

14.05.2025 00:08 — 👍 2 🔁 1 💬 0 📌 0

YouTube video by CactusCon CC13: JS-Tap Mark II: Attacking Web Apps With Even More Red Team Shenanigans

Apparently they did post it up, they just used the camera feed:
youtu.be/O7-zxAmP13o?...

13.05.2025 17:46 — 👍 1 🔁 0 💬 1 📌 0

The big features missing in that talk are the mimic feature that auto generates custom payloads and network traffic obfuscation.

Let me know if you have any questions, happy to help

09.05.2025 13:10 — 👍 1 🔁 0 💬 0 📌 0

I'm afraid the recording didn't work, my Mac doesn't play nice with conference recordings.

If there's a specific feature you're most interested in I can recommend another video that highlights that feature.

The readme has a demo section with links to a bunch of videos.

github.com/hoodoer/JS-Tap

09.05.2025 12:39 — 👍 0 🔁 0 💬 1 📌 0

checkIP.sh

I use "what's my IP" sites a ton to check my routing, got tired of bloated sites.

Made a simple service for this:
checkip.sh
or
checkip.sh?ip=8.8.8.8

Command line too (-L needed):
curl -L checkip.sh/cli

or for a specific IP instead of your source IP:
curl -L checkip.sh/cli?ip=8.8.8.8

29.04.2025 21:08 — 👍 0 🔁 0 💬 0 📌 0

I hope you're on the discord?

26.04.2025 00:19 — 👍 0 🔁 0 💬 1 📌 0

Are you in the ENC area? I may be biased but I think the PWN-252 group is pretty great 😂

Bunch of us will be at the con. Bring a laptop and CTF with us.

26.04.2025 00:08 — 👍 1 🔁 0 💬 1 📌 0

Absolutely, one of my favorite cons all year

26.04.2025 00:02 — 👍 1 🔁 0 💬 1 📌 0

Looking forward to showing off the latest features. Hoping to have some fun conversations during the Livestream.

23.04.2025 18:24 — 👍 1 🔁 0 💬 0 📌 0

That's forboding 😬

Good luck with whatever you're dealing with

22.04.2025 22:28 — 👍 2 🔁 0 💬 1 📌 0

The #eagles are Conowingo at feisty. One eagle catches, 3 more chase and it's fair game to steal food if you can. #birds #eagle #wildlife #photography

12.04.2025 15:14 — 👍 34 🔁 5 💬 1 📌 0

What this tells me is that since we talked at Shmoo you made the move.

Congratulations, this makes me happier than you can imagine. We miss it down there terribly. I hope you have a fantastic time ♥️🦘

03.04.2025 00:36 — 👍 1 🔁 0 💬 0 📌 0

It's their place in the universe to be insufferable. Share it widely, it's a solid take.

03.04.2025 00:31 — 👍 0 🔁 0 💬 0 📌 0

Interesting mix up of approaches. I mean, I do JavaScript C2 a lot, but that's for WebApps 🤣

01.04.2025 14:51 — 👍 2 🔁 0 💬 1 📌 0

v2.2 Release: Network traffic obfuscation, lazy rendering, reverse filter search option, and fingerprinting fixes · hoodoer JS-Tap · Discussion #36 Development has been in a private branch for a little while, but this is the latest code. Network Obfuscation: You now have the option in app settings to turn on traffic obfuscation. If the browser...

I just pushed my private JS-Tap repo changes over to public for v2.2 release.

Network obfuscation, rendering improvements, reverse filter searching, and client fingerprinting that isn't completely broken now available.

Release notes:
github.com/hoodoer/JS-T...

Repo:
github.com/hoodoer/JS-Tap

26.03.2025 14:19 — 👍 1 🔁 0 💬 0 📌 0

CISA does have a top notch team, I hope they all find spots soon.

11.03.2025 10:57 — 👍 2 🔁 0 💬 0 📌 0

Waste.Gov – Tracking government waste.Waste.Gov – Tracking government waste.

This landing page does not inspire confidence in the security posture lol

waste.gov

13.02.2025 12:44 — 👍 1 🔁 1 💬 1 📌 0

This should be fun, this is a great tool.

10.02.2025 17:54 — 👍 1 🔁 0 💬 1 📌 0

Senior Security Consultant Whitney Phillips will be speaking at CactusCon next week! Her session "Tips and Tricks to Creating Your First Conference Talk" will take place on Feb 14 at 11am in the Career Village. Stop by our booth too if you'll be there! www.cactuscon.com/cc13-schedule

07.02.2025 21:33 — 👍 3 🔁 1 💬 0 📌 0

Anyone need a @cactuscon.com ticket? I think I have a spare

03.02.2025 21:21 — 👍 0 🔁 0 💬 0 📌 0