HTTP is stateless. Repeat after me. Oh wait. Someone put the kettle on and he's about to show how this isn't exactly the case. This topic scared James so much that it nearly put him off researching it.pic.twitter.com/IMvlgqSUCT
U tweetove putem weba ili aplikacija drugih proizvođača možete dodati podatke o lokaciji, kao što su grad ili točna lokacija. Povijest lokacija tweetova uvijek možete izbrisati. Saznajte više
HTTP is stateless. Repeat after me. Oh wait. Someone put the kettle on and he's about to show how this isn't exactly the case. This topic scared James so much that it nearly put him off researching it.pic.twitter.com/IMvlgqSUCT
Can I just say how DAMN refreshing that James starts off with a side no-one talks about: the fear we all have of the subject and failures along the way.
Now we all know RFCs right? RFC 2616 #4.4.3 says that if you get a message with both transfer-encoding AND content-length, the latter MUST be ignored. But who reads the docs??
The Kettle Break The Web© methodology. it's based upon timing and on influence.pic.twitter.com/avax1zhRkO
Ok Jesus wept bugbounty crowd, stop DMing me.
Here's the simple trick. Buy a copy of @PortSwigger and support Daffs growing fancy shirt collectionpic.twitter.com/W9GtfcKbop
Attack two: request reflection Cool thing here is that the request gets concatenated onto the other POST login request. That's sexy af!pic.twitter.com/NqWeQ1B4lr
The X-Forwarded headers are so misunderstood and at the same time so widely used.pic.twitter.com/aRFCC89NDQ
PSA: F5 didn't seem to think that this was enough to issue a patch but just an advisory.pic.twitter.com/n96u43N4dq
When James says "accidental" and "cache poisoning" and then making many accessing a well-known homepage automatically hit the burp collaborator, to grab an image Accidental, pfftpic.twitter.com/SXrsnpnP7U
He is the Dwayne Johnson of infosec and bug bounties. Such a ballerpic.twitter.com/0O0kssUN5J
The demo video truly shows how friggin amazing this research is and has earned him over 90,000 USD. Seriously I couldn't be more of an appsec fanboy at this moment in timepic.twitter.com/2oCpk3bMZD
The defensive side is actually the most important. We really need to push adoption of HTTP/2 overall. Many said WAFs solve this, no no no they will only ever be bandaids.pic.twitter.com/mGZGkBvqxG
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.