Joona

@joohoi

Hacks for beer. FOSS, infosec and privacy. Chaotic good.

 
Vrijeme pridruživanja: lipanj 2009.

Tweetovi

Blokirali ste korisnika/cu @joohoi

Jeste li sigurni da želite vidjeti te tweetove? Time nećete deblokirati korisnika/cu @joohoi

  1. Prikvačeni tweet
    29. sij

    ffuf 1.0 released! phew, this is a big one. Feature highlights in this thread Huge thanks for all the contributors, and special thanks to for pulling off a feature bounty and for fulfilling it in a record time (and contributing said bounty to charity).

    Prikaži ovu nit
    Poništi
  2. 3. velj

    ffuf -w all.txt -u https://deepthought.hhg2g -X POST -d 'FUZZ' -mr '42'

    Poništi
  3. proslijedio/la je Tweet
    3. velj

    Interesting Facebook company open redirect: <put anything here>?href=<any url> e.g. Already reported but they showed no interest in it, so full disclosure it is.

    Poništi
  4. 2. velj

    There's a new repository for payload generators and helper scripts for ffuf. I wrote a HTTP basic authentication payload generator as an example. Contributions are more than welcome, it's show & tell time!

    Poništi
  5. 1. velj

    This feature had a bug, where using it would make matchers and filters fail. It's now fixed in the master branch though.

    Poništi
  6. 31. sij

    The refined help text is definitely my favorite improvement in the last release. It's actually readable now :)

    Poništi
  7. proslijedio/la je Tweet
    30. sij

    We are celebrating Ffuf 1.0 release! got a bubbly and preaching gospel of Ffuf

    Poništi
  8. 29. sij

    The help text (and usage examples!) got refined and are no longer a trash fire, enjoy! The -sa (stop on any error) flag now takes 429 responses into account as well.

    Prikaži ovu nit
    Poništi
  9. 29. sij

    Smaller stuff: if any matcher is defined (-mc, -ms, -mw, -ml, -mr), the default -mc value is ignored. This caused confusion in users previously. Output JSON file now stores the configuration structure, if you want to figure out all the parameters later on.

    Prikaži ovu nit
    Poništi
  10. 29. sij

    Want to catch reflections? The regex matcher & filter now support the keywords too. To match all reflected inputs: ffuf -u -w wordlist.txt -mr "FUZZ"

    Prikaži ovu nit
    Poništi
  11. 29. sij

    We all love Burp suite by , right? Want to send over all the ffuf job matches to Burp? Easy with -replay-proxy ffuf -u -w wordlist.txt -replay-proxy http://127.0.0.1:8080 If you ffuf on remote box, this totally works through ssh tunnels too!

    Prikaži ovu nit
    Poništi
  12. 29. sij

    If you use ffuf in automation, and got frustrated when hitting a s-l-o-w server, making the ffuf job to block the automation - now you can use -maxtime, which will terminate the ffuf job after a certain duration. ffuf -u -w wordlist.txt -maxtime 360

    Prikaži ovu nit
    Poništi
  13. 29. sij

    Ffuf now supports recursion as well! ffuf -u -w wordlist.txt -recursion -recursion-depth 4

    Prikaži ovu nit
    Poništi
  14. 29. sij

    If you want to save all matched requests and responses to a file, you can use a new flag -od (output directory). All matches will be written to a file with accompanying request within that directory. ffuf -u -w wordlist.txt -od output_files/

    Prikaži ovu nit
    Poništi
  15. 29. sij

    The feature mentioned in the first tweet was support for parsing requests from files to ffuf options. You can now store a request to a file, define the FUZZ keywords as you are used to, and run ffuf: ffuf -request req_file.txt -request-proto https -w wordlist.txt

    Prikaži ovu nit
    Poništi
  16. proslijedio/la je Tweet
    28. sij

    I just published an exposé for on 's trackers in Android. In short: lots of info to multiple third parties.

    Poništi
  17. proslijedio/la je Tweet
    24. sij

    Here's a cool trick to break out of AppLocker in Citrix environment: 1. Open a dummy RTF file in wordpad 2. Add ftp.exe as an object 3. Click to open ftp (or other similar apps) 4. ftp>!{commmand/app to run} for example: ftp>!cmd <-- blocked? ftp>!powershell <-- not blocked?:)

    Poništi
  18. proslijedio/la je Tweet
    19. sij

    To process JSON results output by ffuf you can use the jq tool. You can use a bash alias similar to below depending on your needs: alias jqffuf="jq -r '.results[] | [.url,.redirectlocation,.status,.length] | \"\(.[0]) -> \(.[1]) \(.[2]) \(.[3])\"'"

    Poništi
  19. proslijedio/la je Tweet
    19. sij

    If you want to fuzz sequential numbers when looking for , you can easily do this with . Here's a real (sanitised) example in bash: $ seq 1000 8000 | ffuf -u -o ffuf_idor.txt -v -w -

    Poništi
  20. proslijedio/la je Tweet
    14. sij

    NEW: We examined in detail how 10 popular smartphone apps secretly share extensive personal information with at least 135 companies, systematically breaking EU data protection law. This must end. Two massive reports + legal complaints against 6 companies:

    Prikaži ovu nit
    Poništi

Čini se da učitavanje traje već neko vrijeme.

Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.

    Možda bi vam se svidjelo i ovo:

    ·