22sh @0x22sh
jack of all trade master of none ・OSEP・BJJ blue belt ・@hexagonctf /home/bordeaux Joined May 2016
Tweets: 489 · Followers: 822 · Following: 968 · Likes: 18K
🧵[1/9] Time to publish the solution to this challenge! x.com/pilvar222/stat… The goal of this challenge was to find an XSS while avoiding it being blocked by the CSP sent by the PHP header() function. Let's dive into it!
I've finally finished my writeups for #FCSC2024, which covered: - Nginx X-Accel-Redirect file read - Werkzeug error-based request smuggling - HTTP/1.1 and HTTP/0.9 browser confusion - Connection: close bypass via Expect: 100-continue - ... Link 👇 mizu.re/tag/FCSC2024 1/2
DOMPurify 3.1.1 & 2.5.1 have been released. Both are security releases & should be upgraded to asap. Note: More releases might follow, the mitigated attack is novel. Eternal gratitude goes to @IcesFont for finding, reporting & helping with fixes 🙇 github.com/cure53/DOMPuri…
🤯 https://t.co/y2bsOBvTOJ
Nice #KASLR break by @p1k4l4 for x86_64 kernels with Xen support (Debian and Ubuntu by default). Xen symbols are included in the kernel ELF .notes section and exposed world readable via SysFS (/sys/kernel/notes) since 2007 (pre-KASLR). Added to KASLD: github.com/bcoles/kasld/c…
Just finished 3rd place, out of 9186 players on this last HackTheBox season. Falling just behind @xct_de and @snowscan. Thank you very much for the competition @hackthebox_eu! Keeping this pace going was not very healthy suffice to say 🤪
wild stuff re: xz/liblzma backdoor news.ycombinator.com/item?id=398658…
What's the bet this would never happen in an application when using the PostgreSQL lib. Not only does it need to be in extended mode, it needs 2 controlled args, the 1st being an int AND the int needs a - char just before the replace position. Good luck! cyberatlas.co/l/sql-injectio…
Just published a writeup of a Buffer Overflow in TP-Link's TDDP programs causing memory structure destruction resulting in a denial of service affecting at least 26 models 🤠 this bug was exploited and discovered using Shambles 🔥 boschko.ca/tp-link-tddp-b…
@fl0ct0 it's life on ez mode. just being a little bit curious and hard working can give huge returns. my non CS/sec friends work way harder for less (although they still enjoy their work). it's also nice that you can do it "anywhere/anytime". And you're constantly learning, more valuable
We can relay back to the same machine using Kerberos relay instead of NTLM relay. I discovered this attack vector more than a year ago. I will describe it in detail in upcoming Black Hat Asia 2024 blackhat.com/asia-24/briefi… and introduce more interesting attacks. https://t.co/T54yHWXFSt
I've just completed this lab, and I can only recommend it! This might be the best lab I've ever played, covering aspects from Azure AD shenanigans to EDR/WDAC bypass. Go play - you won't regret it.
A brief #OSINT investigation into the potential Chinese hacker exposed in the iSoon/Anxun leak. We have pulled together information from some of the great threads that other OSINT investigators have published including @NathanPatin, @S0ufi4n3, @fs0c131y.
Did a little writeup of the CSP bypass I reported to PortSwigger. It might be interesting to anyone who saw the disclosed report and wonders if CSP bypasses are the new ripe low-hanging fruit! joaxcar.com/blog/2024/02/1…
Also, I'd also like to do a commentary session on last year's LiveCTF, not sure when that will happen, but it's on my to-do list. Lately, I've realized how difficult it is to allocate free time during workdays... I'm recovering from a bit of burnout rn.
Done. How to experience expression(), the technique for running JS from CSS, on Win11: 1. Host the following HTML on localhost <meta http-equiv=x-ua-compatible content=IE=5><p style=x:expression(alert(1))> 2. Open http://localhost in Edge (the key is a URL whose host contains no dot) 3. Reload in IE mode (an endless stream of alerts appears)
Hip, hip, hooray! It's been 10 years of AppSec Ezine! Big shoutout to all who have been supportive along the journey and to the security community that made this project possible. Cheers 🥂 520th Edition: pathonproject.com/zb/?6ba3505270… Repo: github.com/Simpsonpt/AppS… #AppSec #Security
OOPArtDB from #HackTheBox was recently retired, an insane #WEB challenge by @Strellic_ - learned some amazing attack techniques. Going to present the exploitation path soon. My slides for the upcoming presentation can now be found online: romanh.de/files/Advanced…
Worty @_Worty (2K Followers, 514 Following): Organizer of @HeroCTF || @FlatNetworkOrg || TeamFR 2021 & 2022 🇫🇷 || 🥷 @Synacktiv
Kévin - Mizu @kevin_mizu (3K Followers, 650 Following): Vulnerability researcher 🐛 | CTF with @HexagonCTF, @rhackgondins 🦦 | Team FR 2023 🇫🇷 | https://t.co/sEBb6VnMrm
Nishacid @Nishacid (1K Followers, 235 Following): Cybersecurity enthusiast | Bug Hunter 🪲| Staff @RootMe_org | @GrehackConf 🏔️ | CTF @RMUBYGG 🇫🇷
voydstack @voydstack (1K Followers, 771 Following): 🥷 @Synacktiv | CTF with @RMUBYGG, @Hexagonctf, @ECSC_TeamFrance 20/21/22/23
Mayfly @M4yFly (5K Followers, 754 Following): Former Dev and DevOps | Pentester and red teamer at orange cyberdefense | OSCE³ | Tweets are my own | discord: m4yfly
mxrch @mxrchreborn (2K Followers, 403 Following): HideAndSec 🐈⬛ https://t.co/6S8IYIrzHd
Aurélien Chalot @Defte_ (2K Followers, 416 Following): Hacker, sysadmin and security researcher @OrangeCyberdef 💻 Calisthenics enthusiast 💪 and wannabe philosopher 📖 🔥 Hide&Sec 🔥
Rayan Bouyaiche @rayanlecat (1K Followers, 681 Following): Active Directory & Cloud hacking enthusiast, CTF @phreaks2600 and pentester @secnumcloud
0xStarlight @Bhaskarpal__ (3K Followers, 575 Following): CSE Major | eJPT | CRTP | CRTE | CRTO | CRTL | HackTheBox Hall Of Fame Top 50 and Top 2 in India | Programmer and Play CTF with @ActivateWind0ws
aaSSfxxx @aaSSfxxx (1K Followers, 585 Following): https://t.co/5Lu2BqwhX3 | Ergo Proxy | Baby Sibyl System | Garbage truck of human stupidity
Euz | Matthieu 🐙 @_Euzebius (2K Followers, 2K Following): Gamer, hacker. Purple teamer at 💜. Infosec swiss army knife. Love pentest, threat hunting, IR. HTB 🇫🇷 ambassador: euz. I didn't choose InfoSec, it chose me.
BlackWasp @BlWasp_ (2K Followers, 237 Following): Pentester and Red Team technical leader at Advens | Microsoft MVP
Kavishka Gihan @_kavigihan (908 Followers, 128 Following): 18 | Security researcher | Machine author @hackthebox_eu
crazyman_army @CrazymanArmy (6K Followers, 3K Following): CTFer / APT hunter / RedTeam / BlueTeam, member of @r3kapig, leader of @ShadowChasing1, CVE-2022-30190, looking for job opportunities, opinions are my own not the group's
Shashwat Shah @0xEr3bus (557 Followers, 87 Following): CRTL | CRTO | eJPT | CRTE | HackTheBox Player | RastaLabs | Zephyr lab | APT Lab | Windows Exploitation | Wannabe Red Teamer
Boschko 🇨🇦 @olivier_boschko (4K Followers, 2K Following): just a french canadian | adversary emulation (red team) @ RBC | CISSP BSCP CRTL CRTO OSCP eWPTX eCPPT | goofing off @ https://t.co/aWC0YYEp9x
European Cyber Cup @EuCyberCup (2K Followers, 811 Following): European Cyber Cup 🏆 | First eSport competition dedicated to ethical hacking, held during the Forum International de la Cybersécurité @FIC_eu. | 📅 27 & 28 March 2024
xanhacks @xanhacks (1K Followers, 619 Following): 🎯 Web & Malware 🩸 CTF with @Arn_Hack @HexagonCTF @GCC_ENSIBS 💾 Staff member of @HeroCTF @Hack2g2 @Flag4jobs
Amanuel Hailegiyorgis @AHaileG (13 Followers, 91 Following): CS student | CTF advocate | the things I say target nothing but the subjects I love.
S Artist @security_artist (30 Followers, 175 Following)
Mo0n Sha𝄞ow @null001__ (45 Followers, 2K Following)
vtim @vtim9907 (16 Followers, 669 Following)
Luke Jahnke @lukejahnke (2K Followers, 5K Following)
To tor @Totor25232932 (1 Follower, 80 Following)
bushidosan @bushidosann (13 Followers, 156 Following): Interested in maldev and windows internals with a sprinkle of reversing | Developing at a pace slower than a snail
Josuke @Jotar056 (0 Followers, 1K Following)
Zodial @Z0dial (126 Followers, 1K Following)
K1nz @viet_kien16450 (97 Followers, 2K Following)
Clips @clipsecio (173 Followers, 602 Following): Infosec enthusiast // Soon™ HtB Guru // Elon Musk idolizer // Future Tesla Owner // Gamer // Memer
Ashutosh Barot @ashu_barot (1K Followers, 1K Following): Looking for a new role | Security Researcher 💻 | Featured in @techcrunch @thehackersnews | MTech 🎓 #NFSU | 12x CVEs | #2 Coinbase, H1 | Securing web2,3
crazyman @crazyman823886 (340 Followers, 649 Following): CTFer / APT hunter / RedTeam / BlueTeam, member of @r3kapig, leader of @ShadowChasing1, CVE-2022-30190, looking for job opportunities, previous account @CrazymanArmy
Frozenk @CyberFrozenk (37 Followers, 206 Following): HackTheBox: https://t.co/q9cOdS8hvN Youtube: https://t.co/vBBAKzuBVJ GitHub: https://t.co/jwlMVAcTrW
celesian @c3l3si4n (3K Followers, 366 Following)
Bridget 🤪 @Bridget__L9236 (2 Followers, 254 Following): Voluptuous enchantress captivated by limitless sensations
VALKY @VALKY_ow (33 Followers, 72 Following)
sol.D.ace @solDace_ (9 Followers, 17 Following)
Talace @Talace_ (16 Followers, 147 Following)
Prox @OsintTheWorld (45 Followers, 189 Following): OSINT & CTF player. Interested in Infosec & Red teaming.
Kib @_kibov (24 Followers, 180 Following)
carnifex17 @carnifex1717 (15 Followers, 39 Following)
purplestormctf @purplestormctf (75 Followers, 103 Following): Official Twitter account of the purplestorm ctf team.
Melissa Wright @Melissa32458861 (62 Followers, 97 Following): I am a strong believer in the tyranny, the dictatorship, the absolute authority of the writer.
DoubleTake @LeDoubleTake (212 Followers, 388 Following): Pentester | DigitalFence Co-Founder | eWPTx, Dante | Offshore in progress 👨🏻🍳
Zélétix @Zeletixx (7 Followers, 30 Following)
Lexter @lxt33r (276 Followers, 525 Following): Reverse Engineer @fuzzinglabs, CTF Player for @thehackerscrew1 and @MadeinFranceCTF
ValekoZ @valekoz_ (184 Followers, 382 Following): CTF player at @phreaks2600, student at @ecole2600 and ninja at @Synacktiv
Hackviser @hackviserr (2K Followers, 3K Following): Tailored cybersecurity #upskilling platform for all levels, catering to beginners and pros | Best way to boost your #cybersecurity skills
jason @jason41244 (29 Followers, 189 Following)
Martin Mielke @xct_de (5K Followers, 821 Following): Windows Exploitation • OSCE3/OSEE • Labs @vulnlab_eu • Principal Red Teamer @MantodeaSec
vx-underground @vxunderground (291K Followers, 211 Following): The largest collection of malware source code, samples, and papers on the internet. Password: infected
cts🌸 @gf_256 (52K Followers, 624 Following): Co-founder @zellic_io & @pb_ctf | YT: https://t.co/nlNai6iQCn Prev: Vector35, Grayshift, Two Sigma, Dfsec | 23yo hacker femboy
Hack The Box @hackthebox_eu (190K Followers, 226 Following): #1 Cyber Performance Center, providing a human-first platform to create and maintain high-performing cybersecurity individuals and organizations.
Charlie Bromberg « .. @_nwodtuhs (13K Followers, 648 Following): Trying to hack the way we hack things 🏴☠️
Worty @_Worty (2K Followers, 514 Following): Organizer of @HeroCTF || @FlatNetworkOrg || TeamFR 2021 & 2022 🇫🇷 || 🥷 @Synacktiv
Kévin - Mizu @kevin_mizu (3K Followers, 650 Following): Vulnerability researcher 🐛 | CTF with @HexagonCTF, @rhackgondins 🦦 | Team FR 2023 🇫🇷 | https://t.co/sEBb6VnMrm
Synacktiv @Synacktiv (17K Followers, 277 Following): Offensive security company. Dojo of many ninjas. Red teaming, reverse engineering, vuln research, dev of security tools and incident response.
Nishacid @Nishacid (1K Followers, 235 Following): Cybersecurity enthusiast | Bug Hunter 🪲| Staff @RootMe_org | @GrehackConf 🏔️ | CTF @RMUBYGG 🇫🇷
voydstack @voydstack (1K Followers, 771 Following): 🥷 @Synacktiv | CTF with @RMUBYGG, @Hexagonctf, @ECSC_TeamFrance 20/21/22/23
Mayfly @M4yFly (5K Followers, 754 Following): Former Dev and DevOps | Pentester and red teamer at orange cyberdefense | OSCE³ | Tweets are my own | discord: m4yfly
John Hammond @_JohnHammond (240K Followers, 2K Following): Hacker. Cybersecurity Researcher @HuntressLabs || https://t.co/qUeDM3lSCl
LiveOverflow 🔴 @LiveOverflow (142K Followers, 1K Following): wannabe hacker... he/him 🌱 grow your hacking skills @hextree_io
sahuang @sahuang97 (3K Followers, 682 Following): Founder @ProjectSekaiCTF | Software Engineer @MicrosoftVan | Mococo: @_YaNnhui_ | Trading alt: @sahuang_alt | Chunithm & osu! enjoyer
mxrch @mxrchreborn (2K Followers, 403 Following): HideAndSec 🐈⬛ https://t.co/6S8IYIrzHd
Aurélien Chalot @Defte_ (2K Followers, 416 Following): Hacker, sysadmin and security researcher @OrangeCyberdef 💻 Calisthenics enthusiast 💪 and wannabe philosopher 📖 🔥 Hide&Sec 🔥
PortSwigger Research @PortSwiggerRes (88K Followers, 7 Following): Web security research from the team at @PortSwigger
PwnFunction @PwnFunction (38K Followers, 981 Following): I make animated computer science videos • product & ai @pdiscoveryio • blog at https://t.co/RLiSNOVQ0W
Mathis Hammel @MathisHammel (61K Followers, 559 Following): AI, dev and cybersecurity trainer • WorldSkills coach for the French cyber team • GDE, MVP • Sponsor of @Guardia_School
Clips @clipsecio (173 Followers, 602 Following): Infosec enthusiast // Soon™ HtB Guru // Elon Musk idolizer // Future Tesla Owner // Gamer // Memer
crazyman @crazyman823886 (340 Followers, 649 Following): CTFer / APT hunter / RedTeam / BlueTeam, member of @r3kapig, leader of @ShadowChasing1, CVE-2022-30190, looking for job opportunities, previous account @CrazymanArmy
Balti @toujoursbalti (57K Followers, 840 Following)
MrMidnight @MrMidnight53 (1K Followers, 406 Following): We do a lil hacking!™ | eJPT | CTF Creator & Player | Developer | Game-dev | Vinyl Enjoyer | YouTuber: https://t.co/MnWJZ9Zl7p
c0m0r1 @c0m0r1 (2K Followers, 252 Following): KAIST CS & EE 18 + EE M.S. Student 23 / KAIST GoN 18 / pwn, rev / newbie forever / Komori listening to music @DC0m0r1
kolokokop @kolokokop (143 Followers, 271 Following)
The Impartial Truth @IImpartialTruth (15K Followers, 35 Following): 🎞️ History Uncensored | Rare Archives ↙️
Manfred Paul @_manfp (5K Followers, 279 Following): Maths and cyber and stuff. Playing CTFs with @redrocket_ctf (and @Sauercl0ud). Pwn2Own Vancouver 2020..=2022, 2024. @[email protected]
Jason Lang @curi0usJack (15K Followers, 195 Following): @TrustedSec Red Team | Hi-Fidelity trolling | Privacy Enthusiast | Putting the "no" in nano | Avatar: https://t.co/3XHmKR8VrS
n00py @n00py1 (13K Followers, 955 Following): Retweeter of InfoSec/Offsec/Pentest/Red Team. Occasional blogger/Independent security research. [email protected] on Mastodoge
purplestormctf @purplestormctf (75 Followers, 103 Following): Official Twitter account of the purplestorm ctf team.
CvxFous @Cvxfous (81 Followers, 172 Following): I coded Monster Logic, buy now on steam: https://t.co/acbVwZKVqd…
Ian Beer @i41nbeer (49K Followers, 144 Following)
Soheil @Soheil__K (273 Followers, 412 Following): Researcher @CISPA, Web Security & Privacy, Program Analysis | Engineer | #BugBounty Hunter; Past @IMDEA_Software.
Lexter @lxt33r (276 Followers, 525 Following): Reverse Engineer @fuzzinglabs, CTF Player for @thehackerscrew1 and @MadeinFranceCTF
sakura @eternalsakura13 (6K Followers, 156 Following): Security Researcher of 360. 2021/2022/2023 Top 10 Chrome VRP Researcher. 2023 Top 2 Facebook whitehat. BlackHat Asia/BlackHat USA/Zer0Con speaker.
Dlive @D1iv3 (2K Followers, 1K Following): Security Researcher. 2022 MSRC MVR. Windows Active Directory Security / Cloud Security / Web Security. Tweets are my own.
ValekoZ @valekoz_ (184 Followers, 382 Following): CTF player at @phreaks2600, student at @ecole2600 and ninja at @Synacktiv
Pwned Labs @PwnedLabs (787 Followers, 47 Following): Pwned Labs delivers fun and immersive cybersecurity training experiences for individuals and businesses. Join the community: https://t.co/kyG413GZDa
@[email protected] @r3tr074 (760 Followers, 498 Following): Security research | https://t.co/0JQ2SjUVJZ founder | CTF pwn/rev @eltctfbr + @r3kapig | yes, I'm the browser guy
Kavishka Gihan @_kavigihan (908 Followers, 128 Following): 18 | Security researcher | Machine author @hackthebox_eu
r0BIT @0xr0BIT (481 Followers, 285 Following): OSCP | CRTO | Sr. Pentester @ProsecNetworks | Content exclusive @vulnlab_eu
cvc5 Solver @cvc5_solver (84 Followers, 19 Following): cvc5 is an efficient open-source automatic theorem prover for Satisfiability Modulo Theories (SMT) problems.
D3STY @d3sty_ (199 Followers, 605 Following): 🎓 CNVP | CLNP | CSIS 🧠 Neurodiversity 💻 CyberSec Research 🚩 Player @purplestormctf
DitzyFlama @DitzyFlama (126K Followers, 700 Following): @glitch_prod @memesbycowbelly @NeverthinkTV | Alt: @DitzysAlt @osakefuru | Business Inquiries: https://t.co/Bn43fOhSbB
jeremy scahill @jeremyscahill (393K Followers, 4K Following): co-founder of the intercept. wrote blackwater & dirty wars. contact: [email protected] DM for signal. Join my email list at https://t.co/aSxp03XtEb
Joel Eriksson @OwariDa (5K Followers, 4K Following): Offensive security researcher and entrepreneur - Kernels, browsers and all that jazz - Also: AI/ML/DL, AR/VR/XR, CTFs (pwn/re/crypto) + Cicada 3301, Boxen etc
Paul Bolton (m0noc) @overtsecrecy (915 Followers, 948 Following): Also @[email protected] #ActuallyAutistic he/him
Dirk-jan @_dirkjan (25K Followers, 173 Following): Hacker at @OutsiderSec. Researches AD and Azure (AD) security. Likes to play around with Python and write tools that make work easier.
Xah Lee @xah_lee (4K Followers, 516 Following): Math and Programming Nerd. Author of JavaScript in Depth, Practical Emacs Lisp, WolframLang Tutorial. I post mostly nerd stuff.
Brian Pak @brian_pak (2K Followers, 187 Following): CEO @ Theori | CMU CS '11 | Plaid Parliament of Pwning
Chocapikk 🇨🇵 @Chocapikk_ (1K Followers, 736 Following): Pentesting Enthusiast, Hunter/Moderator at @leak_ix, Student at @OteriaCS, x18 CVEs - https://t.co/Ezbt3w1g3v Views are my own
SeanWu @seanwupi (263 Followers, 70 Following)
default itsec guy @bongoalex (522 Followers, 523 Following): just the average next door security janitor
@lecomptoirakons @AlertesInfos Nothing to do with Muslims, I know guys who talk like that and who aren't believers, it's just a fad among idiotic adolescents who aren't done growing up yet
@PercheTetu @AlertesInfos Yeah, they call that "squatters of Islam". It amounts to not eating pork, but they've never opened a Quran and couldn't quote a single saying of their prophet.
👀
As expected, two variations of the so far known mXSS attacks have been spotted and new DOMPurify releases are ready to fix those. github.com/cure53/DOMPuri… github.com/cure53/DOMPuri… Many thanks to @kevin_mizu and @hash_kitten for spotting and reporting those 🙇
Is BJJ a weapon for killing? We'll talk about it in the special edition of 7 à 8 with Harry Roselmack. Adel Cherifi is strong, I told you about him a while ago.
@Haeya_chae OK, but how long did you do all that for? 1 hour, 1 day, 1 week? Because not losing weight at 1k calories a day plus 70 km a week is in the realm of science fiction for me
@terjanq 🧵[6/9] This means that if we have, for example, a request containing more than 1000 GET parameters, a warning will be sent, and the CSP header won't! Trying this solution (gist.github.com/pilvar222/300c…) on remote, we can pop an alert!
@terjanq 🧵[7/9] This solution is only one among many. From the different solutions I've seen, some also used the maximum length of the parameters or files, and I wouldn't be surprised if many others are still unexplored ways to have warnings! In any case, big props to the solvers!
@terjanq @hash_kitten @haqpl @SecurityMB @arkark_ @satoki00 @Satoooon1024 @c3l3si4n @rootaux @ankursundara @Strellic_ @IcesFont @sushicomabacate @darinmao_ @blueminimal @realansgar @BrunoModificato @taramtrampam @SasukeOurad @0x22sh @frevadiscor89 @ixSly @kolokokop @damned_me_ 🧵[9/9] I hope you enjoyed the challenge! If you did, you might want to check out the talk where I presented it along with other techniques, I will post the link on my twitter as soon as the recording is published!
This Friday, I'm presenting a novel technique as part of my talk "Secret web hacking knowledge - CTF authors hate these simple tricks". I've made a challenge about it, will you be able to pop an alert on pilv.ar ? The whole source code is in the screens below :)
Following the admittedly impulsive video I made after being robbed, things have improved in the neighbourhood in question. Moral of the story: always be optimistic, see the good side of things. Buuut don't do what I did if you don't want trouble
Released a new authenticated RCE for GLPI, specifically its plugin "order" (installed on many systems), which unserialize()'d a $_POST parameter, making RCE possible with a monolog gadget.
pluginsglpi/order disclosed a bug reported by @c3l3si4n - Patch: github.com/pluginsglpi/or… huntr.dev/bounties/dcacc… #hunter #infosec #opensource
Students in my security class joked they should just hack the server to change their grade to 100%, so I handed them my CSRF token for the gradebook and told them to have at it
@albinowax I'm sure you would be interested in this one: mizu.re/post/twisty-py… 😁
CTF is over! In the end, it was a very close call. Congrats to 🥇 @0rganizers, 🥈 @ECSC_TeamFrance & 🥉 @leetmore! Thanks everyone for participating Insomni'hack CTF 2024, #INSO24, #CTF Here's the final scoreboard.
We manage to finish at the second place at @1ns0mn1h4ck CTF finals ! Congratz to all the players and my team mates @JouetR @_Noiche @adam_le_bon @cy_nics @Vozec1 @MathisHammel & mouthon ! Again thanks a lot to the SCRT crew for the challenges ! See you next year !
Actually I'm just sad because he's not chasing after me, wallah