Pinned tweet
Here are my slides for "Cache Me If You Can: Messing with Web Caching", presented @AppSecCali & @NorthSec_io!
Material includes:
- Web Caching 101
- Web Cache Deception
- Edge Side Include Injection
- Web Cache Poisoning
...with real bugs showcased!
https://drive.google.com/open?id=19IedR-fl5Uea9PeaAgEyYC-dCz7OU7VM … pic.twitter.com/0wTwAD3tNB
My automated recon engine that I've been working on for some weeks found its first bug today, all on its own! I'M SO PROUD OF MY BABY
Louis Dion-Marcil retweeted
@ngalongc, @EdOverflow, and I are starting a new security blog. In our first write-up, we will discuss the impact of "SameSite by default" and how it affects web app sec. Feel free to request future topics you would like us to cover. https://blog.reconless.com/samesite-by-default/ … pic.twitter.com/5R23YmpksT
Louis Dion-Marcil retweeted
Did you know that the address '<a@b.com>c@d.com' when given to SES will send an email to a@b.com? this could lead to interesting exploit scenarios with some email parsing libraries/code https://nathandavison.com/blog/exploiting-email-address-parsing-with-aws-ses …
What are the best tools to dump .git/ folders found on web hosts? I used git-dumper on one recently, but for some reason I get a bunch of 404s and I end up with half of a git repository...
I was yesterday-years-old when I learned that Burp extensions like Flow/Logger++ need to be at the BOTTOM of the load order in order to see traffic from other extensions

This tip and waaay more in this great video by @JR0ch17 https://www.youtube.com/watch?v=kbi2KaAzTLg … #bugbountytips
The more I use Burp, the less I feel like I know its features. Been using it every day for 8+ years and still learn of handy features like Intruder greps... https://twitter.com/Agarri_FR/status/1217148102366388226 …
Louis Dion-Marcil retweeted
NEW: Google to phase out user-agent strings in Chrome
- UA strings to be replaced with Client Hints
- Move is part of the larger Privacy Sandbox project
- UA string freezing and deprecation to take place between Chrome 81 and 85
https://www.zdnet.com/article/google-to-phase-out-user-agent-strings-in-chrome/ … pic.twitter.com/tI3goGmRRO
Louis Dion-Marcil retweeted
We need your help to select the top 10 web hacking techniques of 2019! Cast your vote here: https://portswigger.net/polls/top-10-web-hacking-techniques-2019 …
Spent close to 3h trying to fingerprint this mysterious SQL engine yesterday. Could add logic conditions (2>3, 1=1) to modify the behaviour but not subqueries... Turns out I was injecting in a <xsl:when test="..."> THAT BURP IDENTIFIED 3 HOURS PRIOR....... Trust your tools
pic.twitter.com/FTjkXeOfIL
Louis Dion-Marcil retweeted
To start the new year I'm releasing another write-up where I explain the process of detecting and exploiting a chained HTTP request smuggling vulnerability which led me to an account takeover. https://hipotermia.pw/bb/http-desync-account-takeover …
Another thing we tried was to point the "url" to a server we control, and issue a 302 redirect to a `file://c:/...` location. We couldn't do that because
$client is dropping HTTPS packets that are not using the corporate certificate. So this bypass came in quite handy!
Here `WebClient.DownloadData` isn't safely used. You can pass file:// but by default, omitting the protocol defaults to a file on disk. What could've been an SSRF could be used to read files. This is due to how Windows handles non-existing directories with relative pathing. pic.twitter.com/B6UN82YX2t
TIL, regarding Local File Read vulnerabilities on Windows, you can use non-existing directories to bypass poor implementations of protocol limitations.
$client was checking that the "url" began with "https"; it was still possible to read files with `https/../web.config` #AppSec pic.twitter.com/obXyLqe0Zk
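The thread above shows a "url must begin with https" prefix check being bypassed with `https/../web.config`, because the string is never parsed as a URL and the downloader falls back to a local path. The following is an added example (not code from the tweets or from the affected application) that puts the weak prefix test beside a parse-first validator; it is written in Python as a language-neutral illustration, and the .NET equivalent is to construct a `System.Uri` and compare its `Scheme` rather than inspecting the raw string.

```python
# Added example: weak prefix check vs. scheme-aware validation for a user-supplied URL.
from urllib.parse import urlsplit


def weak_check(url: str) -> bool:
    """The flawed test from the thread: anything that *begins* with 'https' passes."""
    return url.lower().startswith("https")


def strict_check(url: str) -> bool:
    """Parse first, then require a real https URL with a host.

    'https/../web.config' has no scheme at all (it is a relative path that merely
    starts with the letters 'https'), and 'https:/../web.config' has a scheme but
    no host; both are rejected here although both pass weak_check().
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":      # urlsplit lowercases the scheme for us
        return False
    if not parts.hostname:           # no authority component -> not a remote URL
        return False
    if parts.username or parts.password:
        return False                 # refuse userinfo; it is a common parser-confusion trick
    return True


# Constructed inputs modelled on the bypass in the thread, plus a few neighbours.
SAMPLES = {
    "https://example.com/report.pdf": True,
    "https/../web.config": False,        # the bypass from the tweet
    "https:/../web.config": False,       # scheme present, but no host
    "HTTPS://EXAMPLE.COM/a": True,
    "file:///c:/windows/win.ini": False,
    "../web.config": False,              # no scheme: WebClient would treat this as a disk path
}


def compare(samples=SAMPLES) -> dict:
    """Return {url: (weak_result, strict_result, expected)} for each sample."""
    return {u: (weak_check(u), strict_check(u), want) for u, want in samples.items()}


if __name__ == "__main__":
    for url, (weak, strict, want) in compare().items():
        print(f"{url:32} weak={weak!s:5} strict={strict!s:5} expected={want}")
```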
Louis Dion-Marcil retweeted
Turbo Intruder now supports labelling requests and storing data within the engine. Here's a demonstration of using that functionality for a crude timing attack (demo URL included): https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/timingAttackWithState.py …
Louis Dion-Marcil retweeted
So FEYE just opened up some internal security APIs (detection as a service, virtual NX) and launched a developer relations program.
That's a very... different @FireEye & a surprise even to employees.
Developer hub: https://fireeye.dev/
AWS Apps: https://aws.amazon.com/marketplace/seller-profile?id=d0d6b869-1999-4ac5-b937-ca4c269b5237 … pic.twitter.com/BIW62DCkve
Louis Dion-Marcil retweeted
We are proud to launch our brand new interactive XSS cheatsheet featuring novel vectors from @garethheyes https://portswigger.net/research/one-xss-cheatsheet-to-rule-them-all …
Louis Dion-Marcil retweeted
DOMPurify 2.0.3 was released to fix yet another mXSS variation, spotted again by @SecurityMB who is officially our hero now. Get the release here: https://github.com/cure53/DOMPurify/releases/tag/2.0.3 … We hope to have this uphill battle against the broken HTML parser under control now, fingers crossed.