Philippe Arteau

@h3xstream

Security Researcher at , interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

Montréal, Canada
Vrijeme pridruživanja: rujan 2011.

Tweetovi

Blokirali ste korisnika/cu @h3xstream

Jeste li sigurni da želite vidjeti te tweetove? Time nećete deblokirati korisnika/cu @h3xstream

  1. Prikvačeni tweet
    19. ruj 2019.

    I have just published the slides for my talk on Find Security Bugs. ~ I will be doing a similar presentation at next month with a different demo and different vulnerabilities.

    Poništi
  2. proslijedio/la je Tweet
    19. stu 2019.

    Write-up about my last submission in Facebook: Broken session management leads to bypass 2FA and Permanent access to Facebook user’s

    Poništi
  3. proslijedio/la je Tweet

    I don’t endorse the vocabulary in this tweet but I’d like to share our side of things and perhaps set the records straight. We never really wanted to (and still don’t want to) discredit Dragos publicly, there is really no point. 1/x

    Prikaži ovu nit
    Poništi
  4. proslijedio/la je Tweet

    Windows isn't a favorite feature, but details a bug submitted by Eduardo Braun Prado that shows how you can use it to escalate from guest to SYSTEM (includes video)

    Poništi
  5. proslijedio/la je Tweet
    30. lis 2019.

    We’ve just published a new blogpost about our journey with exploiting prototype pollution in Kibana to RCE (CVE-2019-7609)

    Poništi
  6. proslijedio/la je Tweet
    25. lis 2019.

    Slides from my talk, including HTTP smuggling techniques via fake WebSocket connection

    Prikaži ovu nit
    Poništi
  7. proslijedio/la je Tweet
    22. lis 2019.

    RubyGems >3.0.5 removed an instance of Kernel#open that is key in this universal gadget payload for Marshal.load

    Poništi
  8. 18. lis 2019.

    I have just published a project update for . I've also opened a channel on OWASP slack for discussion around Java security, and vulnerability research. 🗨️

    Poništi
  9. proslijedio/la je Tweet
    Poništi
  10. proslijedio/la je Tweet

    How the combination of a HTML sanitizer bug with a Phar Deserialization lead to remote takeover of Magento <= 2.3.1 shops Read on!

    Poništi
  11. proslijedio/la je Tweet
    26. ruj 2019.

    We are proud to launch our brand new interactive XSS cheatsheet featuring novel vectors from

    Poništi
  12. proslijedio/la je Tweet

    We've added a brand new topic on testing for vulnerabilities, including three new labs.

    Poništi
  13. proslijedio/la je Tweet
    23. ruj 2019.

    DOMPurify 2.0.2 was released to address several new mXSS variations (affecting Blink, Webkit and EdgeHTML) that were spotted after an internal audit. Thanks and 🙇‍♀️ to for his help!

    Poništi
  14. proslijedio/la je Tweet
    14. ruj 2019.

    You can now find all resources about *Dupe Key Confusion* attacks (slides, paper, demos and tool) in enjoy it!

    Poništi
  15. 11. ruj 2019.

    I will be presenting at this week and next week. Looking to chat with AppSec enthusiasts! Bonus: I will be giving FindSecBugs "limited edition" stickers.😁

    Poništi
  16. proslijedio/la je Tweet
    8. kol 2019.

    Jonathan Birch is sharing tips on new Unicode normalization bugs (HostSplit/HostBond) he discovered. So many vulns found. He is encouraging folks to look around for more and showing how.

    Prikaži ovu nit
    Poništi
  17. proslijedio/la je Tweet
    25. srp 2019.

    Hello world! A few thoughts on how Apple BLE works (spoiler: it is possible to get your phone number while you're using your Apple Device)

    Poništi
  18. proslijedio/la je Tweet
    Prikaži ovu nit
    Poništi
  19. proslijedio/la je Tweet
    19. srp 2019.

    😱 Edge apparently sends the full URL of pages you visit (minus a few popular sites) to Microsoft. And, in contrast to documentation, includes your very non-anonymous account ID (SID).

    Prikaži ovu nit
    Poništi
  20. proslijedio/la je Tweet
    19. srp 2019.

    I wrote a blog post about a Docker escape from . Note that if something works on --privileged containers it doesn't mean there aren't other setups. Here, we use no AppArmor and SYS_ADMIN capability which is "the new root". Hope you enjoy:

    Poništi

Čini se da učitavanje traje već neko vrijeme.

Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.

    Možda bi vam se svidjelo i ovo:

    ·