Kévin - Mizu @kevin_mizu
Vulnerability researcher 🐛 | CTF with @HexagonCTF, @rhackgondins 🦦 | Team FR 2023 🇫🇷 | https://t.co/sEBb6VnMrm mizu.re | Joined May 2017
Tweets: 652 | Followers: 3K | Following: 651 | Likes: 3K
It has been a pleasure for us to attend and present at #Insomnihack 2024. In case you missed it, here is our newly released mXSS cheatsheet 🧬🔬 sonarsource.github.io/mxss-cheatshee…
🧵[1/9] Time to publish the solution to this challenge! x.com/pilvar222/stat… The goal of this challenge was to find an XSS while avoiding it being blocked by the CSP sent by the PHP header() function. Let's dive into it!
From April 5 to 14, the FCSC 2024 took place (organized by @ANSSI_FR) and I am glad to have finished 1st in the Junior/Pwn category and 7th on the Junior scoreboard! 🔥 You can find my writeups on my (new 👀) website: - ruulian.me/post/FCSC2024-… (v8 exploit) - ruulian.me/post/FCSC2024-…
DOMPurify 3.1.1 & 2.5.1 have been released. Both are security releases & should be upgraded to asap. Note: More releases might follow, the mitigated attack is novel. Eternal gratitude goes to @IcesFont for finding, reporting & helping with fixes 🙇 github.com/cure53/DOMPuri…
Very unusual browser behavior has led to what seems to be a whole new class of mXSS, and we will release new versions of DOMPurify soon to make sure you can protect against that. Stay tuned, more details soon, latest on Monday.
Statement on glibc/iconv Vulnerability Recently, a bug in glibc version 2.39 and older (CVE-2024-2961) was uncovered where a buffer overflow in character set conversions to the ISO-2022-CN-EXT character set affects PHP. Read our full statement at php.net/archive/2024.p…
The Society has investigated and uncovered a cheater. We believe this person might be present in other teams. Check out ctf.exposed for more information
This Friday, I'm presenting a novel technique as part of my talk "Secret web hacking knowledge - CTF authors hate these simple tricks". I've made a challenge about it, will you be able to pop an alert on pilv.ar? The whole source code is in the screens below :)
Request smuggling is an amazing bug class! But I barely ever did more than running Request Smuggler. So I've analysed tens of reports and in this video, I'll break down the most common root causes and I'll give you some ideas for future research. Enjoy!
I made two small wu for some fcsc web challenges. Challenges were way harder than previous years but still great - 0xswitch.fr/CTF/fcsc-2024-… - 0xswitch.fr/CTF/fcsc-2024-…
We just pushed a collection of Server-Side Prototype Pollution gadgets to GitHub: 25 in Node.js, 57 in Deno standard libraries, and 55 in NPM packages github.com/KTH-LangSec/se… Follow the repo for upcoming Node.js updates. Enjoy digging into this on your Friday! More in🧵👇
@aroly @Hacker0x01 A mix of: - github.com/dompdf/dompdf/… - github.com/dompdf/php-svg… - @hash_kitten's technique to leverage full control of URL to blindly leak content based on an error oracle (synacktiv.com/publications/p…)
SourceForge: Vulnerability in import feature leads to RCE! 🔥 Cybercriminals could have compromised SourceForge entirely, targeting millions of users worldwide through malicious software downloads. Read more in our latest blog post: sonarsource.com/blog/dangerous… #appsec #security
Solution to WMCTF2020's Make PHP Great Again 2.0, or how to use filters with `require_once` — dustri.org/b/solution-to-…
That's a wrap for #FCSC2024 🐔 🎉 Congratulations to all participants for these 10 days of competition. You were more than 1500 active players! 🏆 Discover the final ranking: 🔗 france-cybersecurity-challenge.fr
Thanks a lot to @kevin_mizu and @BitK_ for the challenge during the FCSC :) I've made two write-ups for "Twisty Python" and "monopoly", you can find them here: github.com/W0rty/WU-FCSC2… Moreover, thanks again to @ANSSI_FR, the CTF was amazing as every year 🩵
Rémi GASCOU (Podalir.. @podalirius_ (7K Followers, 555 Following): Security Researcher & Speaker | Microsoft Security MVP | Developer of security tools | Coach of the CTF team @OteriHack 🎬 https://t.co/QaAENc4NcY
Charlie Bromberg « .. @_nwodtuhs (13K Followers, 648 Following): Trying to hack the way we hack things 🏴☠️
Intigriti @intigriti (155K Followers, 644 Following): Global Bug Bounty & VDP Platform. 🌐: https://t.co/fgCupJckrW ▶️: https://t.co/lRfCzZBgb7 👾: https://t.co/Inf7N9VQIl
Worty @_Worty (2K Followers, 514 Following): Organizer of @HeroCTF || @FlatNetworkOrg || TeamFR 2021 & 2022 🇫🇷 || 🥷 @Synacktiv
voydstack @voydstack (1K Followers, 770 Following): 🥷 @Synacktiv | CTF with @RMUBYGG, @Hexagonctf, @ECSC_TeamFrance 20/21/22/23
Root-Me @rootme_org (20K Followers, 484 Following): Root Me allows everyone to test and improve their knowledge in computer security and hacking. Legal. Free. Realistic. Discord: https://t.co/G6y1wDrdOn
Nishacid @Nishacid (1K Followers, 235 Following): Cybersecurity enthusiast | Bug Hunter 🪲| Staff @RootMe_org | @GrehackConf 🏔️ | CTF @RMUBYGG 🇫🇷
LiveOverflow 🔴 @LiveOverflow (142K Followers, 1K Following): wannabe hacker... he/him 🌱 grow your hacking skills @hextreeio
Sh0ck @Sh0ckFR (7K Followers, 1K Following): Just another infosec guy in a red team - Gutter punk with Einstein's IQ 😅
Mathis Hammel @MathisHammel (61K Followers, 559 Following): AI, dev and cybersecurity trainer • WorldSkills coach for the French cyber team • GDE, MVP • Patron of @Guardia_School
xanhacks @xanhacks (1K Followers, 619 Following): 🎯 Web & Malware 🩸CTF with @Arn_Hack @HexagonCTF @GCC_ENSIBS 💾 Staff member of @HeroCTF @Hack2g2 @Flag4jobs
Lupin @0xLupin (14K Followers, 548 Following): Roni Carta alias Lupin. Co-Founder of Lupin & Holmes. R&D. Red Teamer. Bug Hunter. Musician 🤘
Euz | Matthieu 🐙 @_Euzebius (2K Followers, 2K Following): Gamer, hacker. Purple teamer at 💜. Infosec swiss army knife. Love pentest, threat hunting, IR. HTB 🇫🇷 ambassador: euz. I didn't choose InfoSec, it chose me.
Noobosaurus R3x 🦖 @NoobosaurusR3x (2K Followers, 578 Following): L3 H4ck3r L3 Plu5 n00b Du w3b https://t.co/9Ey8TAzkLT https://t.co/jCTWg1DAPe
mxrch @mxrchreborn (2K Followers, 403 Following): HideAndSec 🐈⬛ https://t.co/6S8IYIrzHd a̶͇̫̋a̴̢̛̯͋̎ä̶̰́̊a̸̩̬̝̽̇̇
Swissky @pentest_swissky (17K Followers, 2K Following): RedTeam | Pentest Author of PayloadsAllTheThings & SSRFmap https://t.co/w1ZLRqoafG
Αριστος Μηλ.. @meliareses (15 Followers, 682 Following)
hashkitten @hash_kitten (564 Followers, 167 Following): vulnerability research @assetnote // hacking // codegolf // ctf with 🛹🐶
aimen aimen @aimen3991 (14 Followers, 606 Following)
Randa Fielder @rand_fiel (46 Followers, 5K Following)
Ra1jin @_ra1jin (2 Followers, 60 Following)
jean vivine @JeanVivine (60 Followers, 409 Following)
zzzz @fafa91_ (4 Followers, 233 Following)
sanga Mahesh @sangaMahesh118 (3 Followers, 380 Following)
Mohamed Elawadly @Elawadly77 (688 Followers, 996 Following): Offensive Security Engineer @EG_CERT | OSCP, OSWE | Chess player ♟️
Dave @_cydave (148 Followers, 258 Following): Security Engineer doing Web Application Security 🇨🇭🐱 Sometimes tooting @[email protected]
rugb @Bet0_Shinoda (698 Followers, 2K Following)
Guillaume Assier 🌤.. @GuillaumeAssier (2K Followers, 1K Following): Ex @clever_cloud ⛅ I write articles on @50nuancesoctets 🚀 • #Cyber, #Tech, #Cloud
Mukhilan Pari @MukhilanPari (202 Followers, 724 Following): aka Catamob || OSCP || CEH || Cyber security enthusiast || DarkArmy CTF Team || amritian || blockchain & crypto.
Zodial @Z0dial (126 Followers, 1K Following)
André @0xacb (14K Followers, 704 Following): Hacker grinding for L1gh7 and Fr33dφm, straight outta the cosmic realm. Co-founder @ethiack
Ananda Dhakal @dhakal_ananda (10K Followers, 580 Following): Vulnerability Researcher @patchstackapp | Brand Ambassador @Hacker0x01 | Blogs: https://t.co/a0aOojdwyl 🇳🇵
ydg91744 @ydg9174442438 (89 Followers, 599 Following)
SonarPaul @SonarPaul (0 Followers, 79 Following)
Milad Bahari @Milad_Bahari (672 Followers, 1K Following)
Damiano @Damiano91502500 (2 Followers, 26 Following)
Zhenghao He @he_zhenghao (2K Followers, 2K Following): senior software engineer @docusign, ex-@instacart, ex-@aws TypeScript/JavaScript enthusiast.
Mo0n Sha𝄞ow @null001__ (46 Followers, 2K Following)
Rio Putra @RioPutr4Suryana (10 Followers, 120 Following)
Vie @vie_pls (1K Followers, 232 Following): Security Engineer @Google red team by day — artist by night — CTFs with @mmm_ctf_team — @UBC alumni — opinions expressed are my own
Libbie Vastardis @LibbiLibbie (75 Followers, 5K Following)
Boschko 🇨🇦 @olivier_boschko (4K Followers, 2K Following): just a french canadien | adversary emulation (red team) @ RBC | CISSP BSCP CRTL CRTO OSCP eWPTX eCPPT | goofing off @ https://t.co/aWC0YYEp9x
Elie @HighRockPark (9 Followers, 36 Following): Medicine meets cybersecurity. Study, learn and hunt the world! 🌐✨ #MedSchool #BugBounty ⏳PaloAlto on YWH & H1
SysAdm @SysAdm_ (31 Followers, 193 Following): Student at @Epitech / CyberSecurity Pentester & CTF Hunter
J'Hack l'Éventreur @KarjHack (72 Followers, 386 Following)
Tiago @tiago_hom7 (111 Followers, 965 Following)
vx-underground @vxunderground (291K Followers, 211 Following): The largest collection of malware source code, samples, and papers on the internet. Password: infected
Synacktiv @Synacktiv (17K Followers, 277 Following): Offensive security company. Dojo of many ninjas. Red teaming, reverse engineering, vuln research, dev of security tools and incident response.
mpgn @mpgn_x64 (17K Followers, 234 Following): Freebooter of the net ̿ ̿̿'̿'\̵͇̿̿\=(•̪●)=/̵͇̿̿/'̿̿ ̿ ̿ ̿ Podcast Hack'n Speak @hacknspeak / https://t.co/GyACSFg9mw
Hack The Box @hackthebox_eu (190K Followers, 226 Following): #1 Cyber Performance Center, providing a human-first platform to create and maintain high-performing cybersecurity individuals and organizations.
cts🌸 @gf_256 (52K Followers, 624 Following): Co-founder @zellic_io & @pb_ctf | YT: https://t.co/nlNai6iQCn Prev: Vector35, Grayshift, Two Sigma, Dfsec | 23yo hacker femboy
PwnFunction @PwnFunction (38K Followers, 981 Following): I make animated computer science videos • product & ai @pdiscoveryio • blog at https://t.co/RLiSNOVQ0W
John Hammond @_JohnHammond (240K Followers, 2K Following): Hacker. Cybersecurity Researcher @HuntressLabs || https://t.co/qUeDM3lSCl
YesWeHack ⠵ @yeswehack (34K Followers, 4K Following): Global Bug Bounty & VDP Platform - #YesWeRHackers 🎯 https://t.co/57gODBq2WZ 👾 https://t.co/ICc6RyhJTp 💡 https://t.co/KNYxhkKuzt
Maciej Piechota @haqpl (4K Followers, 1K Following): I'm a security enthusiast and technology polyglot, pug lover and drum'n'bass head. Vice Captain @justCatTheFish, HTB @AlphaPwners, Daily Pwning @ElectrovoltSec
Dawid Moczadło @kannthu1 (3K Followers, 281 Following): Co-founder of @vidocsecurity | Bug bounty hunter | CTF player with p4team | Security lover Check out the: https://t.co/pwj5qFgXZ4
Jobert Abma @jobertabma (42K Followers, 752 Following): I tweet about security and my experience as a hacker. Co-founder of HackerOne (@Hacker0x01).
DSpiricate @DSpiricate (126 Followers, 121 Following): French CTF player @rmubygg and part-time @MadeinFranceCTF, Security auditor, #TeamFr ECSC 2021. Crypto, web, and a bit of hardware I like protogens
Sal ꙮ @salchoman (631 Followers, 945 Following): Software Entomology & Archeology at Google. Previously BurpSuite Crawler & Scanner team. Personal friend of Carlos Montoya. 🧀
Manfred Paul @_manfp (5K Followers, 279 Following): Maths and cyber and stuff. Playing CTFs with @redrocket_ctf (and @Sauercl0ud). Pwn2Own Vancouver 2020..=2022, 2024. @[email protected]
truff @truffzor (187 Followers, 468 Following)
Martin Doyhenard @tincho_508 (818 Followers, 216 Following): Security Researcher at PortSwigger. Speaker at BlackHat, DEF CON, RSA, Hack In The Box, Troopers, EkoParty
Caido @CaidoIO (6K Followers, 29 Following)
Lukas Weichselbaum @we1x (2K Followers, 513 Following): Leading @Google's web security team. Opinions are my own.
SINJ | Mehdi Moitou @MrMoitou (1K Followers, 1K Following): 30 years old, Smash & FGC TO MOITOU ¿ POR QUÉ ? E-sports tournament organizer
Esprit Shōnen @Esprit_Shonen (7K Followers, 46 Following): « We're going in through the front door. » | League of Legends | Super Smash Bros Ultimate.
Centho @Centho9 (1K Followers, 76 Following): I am Centho, the architect of virtual chaos, an agitator who has been going after scammers of every kind for years +33 7 54 46 92 70
Ben Sadeghipour @NahamSec (197K Followers, 1K Following): Cofounder @hackinghub_io, Advisor @Trick3st @CaidoIO. I hack companies and make content about it. Bug Bounty Village & #NahamCon organizer. ex @hacker0x01
🇮🇷Ego 🇨🇵 @ego_v1 (44K Followers, 80 Following): Fan account of Ibrahim Maalouf and Jean-Marc Jancovici. Business: [email protected]
Matan Berson @MtnBer (969 Followers, 204 Following): Hacking for fun | H1-65 Eliminator award | AWC23 Best New Hacker
Aaditya Purani @aaditya_purani (7K Followers, 908 Following): SecEng @awscloud. CTFs with @pb_ctf. DEFCON & BHUSA speaker. Passionate about everything tech. My opinions are my own. Ex-@Tesla @bishopfox @PaloAltoNtwks
hamayanhamayan @hamayanhamayan (1K Followers, 478 Following): My hobby is playing CTFs and writing up the solutions on my blog. Competitive programming: done. Back-to-back winner of the Ministry of Defense Security Contest 2023 and 2024 / RISS / CompTIA Security+ / GCFE / OSCP / OSEP / AZ-305 / SC-200 / SC-900 / HTB Guru / THM 0xD / AtCoder yellow / Algorithm Practical Skills Test Expert
Underscore_ @UnderscoreTalk (29K Followers, 9 Following): 🥨 The talk show for IT enthusiasts ➡ every other Wednesday at 7 pm on https://t.co/PZGPWDhSYW 🎙 With @Micode @MatthieuLambda @TiffanySouterre
kalmarunionen @kalmarunionenDM (1K Followers, 87 Following): https://t.co/8NHWhF6mHU A collaboration of Danish CTF teams. Homepage: https://t.co/R1QLSkNBhi CTFtime Link: https://t.co/UZqSKg6yJ6
Arkunir @Arkunir (1.1M Followers, 2K Following): Memphis Depay is an interplanetary superstar / I'm 21 / @MiraiMathiis @Sayfzu / Contact: [email protected] / @OL
Uranium238 @uraniumhacker (11K Followers, 503 Following): I do the hacks. He/him. Tinder Security Labs. Building and hacking stuff at @OphionSecurity
Stephen Fewer @stephenfewer (8K Followers, 208 Following): Principal Security Researcher @rapid7. Decompiler @relyze. Core @metasploit dev 2009 - 2013. MSRC Top 100 2015. Pwn2Own 2011 & 2021.
Marcello @byt3bl33d3r (29K Followers, 531 Following): CyBeRsEcUrItY | Not afraid to put down with some THICC malware on disk | securing and breaking AI @ProtectAICorp | Ex @spacex
joernchen @joernchen (8K Followers, 545 Following): Your mom's favorite hacker. Also at @[email protected]
Prashant Anantharaman @parsingpunisher (773 Followers, 785 Following): Senior Security Researcher @ Narf Industries IoT, PDF, and parser security PhD from Dartmouth Opinions are mine, RTs≠Endorsements He/Him/His
spaceraccoon | Eugene.. @spaceraccoonsec (21K Followers, 293 Following): Here to learn! Infosec@Open Government Products | White Hat && SecOps
xer0dayz @xer0dayz (8K Followers, 2K Following): Sr. Penetration Tester. Creator of Sn1per. Top 20 worldwide on @bugcrowd in 2016. OSCE/OSCP - https://t.co/iqw8gBoMUD
hugeh0ge @hugeh0ge (2K Followers, 357 Following): fuzzing researcher. have been playing CTFs as binja leader (DEFCON Finals'14 '16 '18 '20 '22; Google Finals'17) and competitive programming also (ICPC WF'19 '20)
Pass the SALT Confere.. @passthesaltcon (2K Followers, 0 Following): English spoken Conference about Security & Free Software (SALT=Security And Libre Talks). Talks+Workshops+Social. Attendance is free. July 3 to 5, 2024. #pts24
Rémi @shoxxdj (601 Followers, 1K Following): Pentester. 👨💻🏴☠️ CTF Player & Blogger 🌐 Organiser & President @Sth4ck 🍷 Organiser @hackvens ⛵ Triager @hack_4_values #FPV pilot ✈️ #Fr RubiksCubeLover 🤯
Hack4Values @hack_4_values (19 Followers, 1 Following)
Hunter @HunterMapping (11K Followers, 187 Following): Internet search engine for security researchers https://t.co/PYY1kXgbii
Zero Day Initiative @thezdi (77K Followers, 17 Following): Trend Micro's Zero Day Initiative (ZDI) is a program designed to reward security researchers for responsibly disclosing vulnerabilities.
New AituWeek blog post! Today, I talk about my project of building a search engine for IT security and a tool I will use this month for JavaScript analysis. aituglo.com/aituweek-2/
@kevin_mizu This guy is finding bugs from his cellphone 😂 what a crack😅
Thanks for the swag pack !! @yeswehack 🔥❤️
As expected, two variations of the so far known mXSS attacks have been spotted and new DOMPurify releases are ready to fix those. github.com/cure53/DOMPuri… github.com/cure53/DOMPuri… Many thanks to @kevin_mizu and @hash_kitten for spotting and reporting those 🙇
Hey everyone! 👋 I am excited to release my first #pwn tool, which allows you to extract and compress initramfs cpio archives, useful for Linux kernel exploitation. 🎉 Feel free to send me a message to give me feedback or to get more information about it! 👇 github.com/Ruulian/initra…
Reproduced DOMPurify 3.1.0 bypass, but my payload requires two mutations. Has anyone managed to trigger it with a single mutation?
In the past, I created a challenge with 1000 GET parameters (not PHP): blog.arkark.dev/2022/11/18/sec… Such a parameter limit is probably for DoS protection, but ironically it is sometimes(?) abused as a bypass technique. Interestingly, it's CSP bypass in @pilvar222 's challenge!
Really enjoyed the challenge! I found at least three different ways to solve it and here are the hashes of my solutions. I'll publish the methods I found once the talk is released. Curious to see how many other methods there are!
@intigriti 1 - portswigger 2 - re run php/nodejs/python code by extracting (text from images) intigriti's xss, regex, etc on hostinger and localhost 3 - mxss, xss, html injection, regex bypass, javascript challenges by @joaxcar, @kevin_mizu, @terjanq 4 - chat[.]hackerai[.]co
We managed to finish in second place at the @1ns0mn1h4ck CTF finals! Congrats to all the players and my teammates @JouetR @_Noiche @adam_le_bon @cy_nics @Vozec1 @MathisHammel & mouthon! Again, thanks a lot to the SCRT crew for the challenges! See you next year!
@kevin_mizu This is mind blowing. Thanks for this writeup. Is Werkzeug accepting smuggling reports? A few years ago they said it was a development server not focusing on security. But now I see they are on huntr huntr.com/repos/pallets/…
Exploiting Arbitrary Object Instantiations in PHP without Custom Classes swarm.ptsecurity.com/exploiting-arb…
@cure53berlin @IcesFont Ooh wow deep nesting! Can't wait to reproduce at home