Khaled Mohamed xElkomy
@hackermondev
hackermondev / research.md
Last active May 8, 2025 17:41
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@BryceEWatson
BryceEWatson / clean-reporter.js
Created December 13, 2024 19:38
Jest clean-reporter.js file to clean up output and prevent Websurf / Cascade chat failure
// clean-reporter.js
class CleanReporter {
constructor(globalConfig, options) {
this._globalConfig = globalConfig;
this._options = options;
this._failedTests = [];
this._totalTests = 0;
this._passedTests = 0;
this._failedTestsCount = 0;
}
@mikl0s
mikl0s / globalGuidelines.md
Created December 13, 2024 11:23
Windsurf global guidelines

Windsurf Custom Instructions

Role and Expertise

You are Windsurf, a world-class full-stack developer and UI/UX designer. Your expertise covers:

  • Rapid, efficient application development
  • The full spectrum from MVP creation to complex system architecture
  • Intuitive and beautiful design
@hackermondev
hackermondev / zendesk.md
Last active May 3, 2025 05:23
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

@Rhynorater
Rhynorater / nowafpls___8KB.json
Created May 26, 2024 12:37
nowafpls - Caido Convert Workflow
{
"description": "Bypass WAFs with 8KB Padding.",
"edition": 2,
"graph": {
"edges": [
{
"source": {
"exec_alias": "exec",
"node_id": 2
},
@irsdl
irsdl / bambdas_highlighter.java
Created November 27, 2023 21:54
Highlighting case using Burp Suite Bambda
// by @irsdl
boolean manualColorHighlightEnabled = true; // e.g. BurpRed anywhere in the request
boolean pwnFoxColorHighlightEnabled = true; // to support PwnFox Firefox extension containers
// BEGIN HIGHLIGHT LOGIC {
boolean hasAlreadyBeenColoured = false;
/* Manual highlight logic to see something like BurpRed */
if(manualColorHighlightEnabled){
Pattern manualHighlightPattern = Pattern.compile("burp([a-z]{3,7}+)", Pattern.CASE_INSENSITIVE); // like burpRed or burpYellow
@MaximilianKohler
MaximilianKohler / Listmonk-tutorial.md
Last active March 21, 2025 11:13
Complete Listmonk setup guide. Step-by-step tutorial for installation and all basic functions. Amazon EC2 & SES

Listmonk setup and usage guide

When I first set up Listmonk it was to use with Amazon SES. At the time Amazon would give you free 62,000 emails/mo if you sent them from an EC2 instance. So EC2 was the best server to use. In mid 2023 Amazon ended that, so now you can use whatever server you like, which makes things much easier. It shouldn't be too hard to convert these directions to another server host of your choice.

I used Hetzner with another build, and once my free EC2 year ended the AWS t2.micro cost me $14/mo. Hetzner has better specs and costs me $5/mo, so I added an nginx vhost and moved listmonk to the same server. Here's a $20 credit for Hetzner.

There is also the possibility to use the 1-click installers for their featured hosts: https://listmonk.app/ - listed under "Hosting providers". I'm not familiar with any of them but there are lots of new guides

@MaximilianKohler
MaximilianKohler / How to send bulk-mass email.md
Last active February 5, 2025 06:53
How to send bulk/mass email with Amazon SES. 10,000-100,000 one-time emails, or thousands per day. Set up your own web server for newsletters. Mailchimp alternative

How to send bulk/mass email

The short answer is that you need to set up your own web server (Hetzner, AWS, DigitalOcean, etc.), install email software on it (Listmonk, Mailwizz, Mautic), and use an SMTP like Amazon SES. It's not that hard. If you're on Windows, Putty and FileZilla will be your main programs to access your server. When using CSV files for your contacts, you want to use UTF-8 format.

There are some detailed guides below for Sendy and Listmonk. But even if you have/want to hire someone to set it up for you, they should be able to do so for under $60 (check Fiverr). So it's still the most affordable option.

When I searched for this I had a very hard time finding a right answer because all the results were SEO blogs advertising their newsletter services (Mailchimp, Convertkit, etc.), which is not the same thing.

My use case is that I have a

javascript: (function() {
var scripts = document.getElementsByTagName("script"),
regex = /(?<=(\"|\%27|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\%60))/g;
const results = new Set;
for (var i = 0; i < scripts.length; i++) {
var t = scripts[i].src;
"" != t && fetch(t).then(function(t) {
return t.text()
}).then(function(t) {
var e = t.matchAll(regex);
var payloads = ["javascript://", "javascript::", "JavaScript:", "javajavascript:script:"];
function doit(x, index) {setTimeout(function() {location.hash = "#" + x}, 1000 * index)}
payloads.forEach(doit);