If you're using ruby-saml or omniauth-saml for SAML authentication make sure to update these libraries as fast as possible! Fixes for two critical authentication bypass vulnerabilities were published today (CVE-2025-25291 + CVE-2025-25292). github.blog/security/sig...

NEW JWST IMAGE SHOWING A PROTOPLANETARY DISK AROUND A NEWLY FORMED STAR!!! 🤩

Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...

This is what I love about Chris, authenticity: muffsec.com/blog/abstain.... Btw I couldn’t agree more with his conclusion about the event.

Bitcoin is enemy of culture because it introduces monetary incentive where only prestige belongs.

I wrote a PoC for the recent Ivanti Connect Secure stack buffer overflow, CVE-2025-0282, based on the exploitation strategy watchTowr published, along with an assessment of exploitability given the lack of a suitable info leak to break ASLR: attackerkb.com/assessments/...

What's the point of being rich if you can't afford to do the right thing.

Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here: portswigger.net/research/top...

Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities audio codecs now fully-remote. This bug in an obscure Samsung S24 codec is 0-click project-zero.issues.chromium.org/issues/36869...

Positive Technologies published two scenarios they encountered during pentests, where they pivot to the internal network thanks to an Internet-facing Exchange server and its numerous SSRF vectors 💎

TIL how easy it is to ask curl to dump TLS session keys to disk 🛠️ Simply set the environment variable `SSLKEYLOGFILE=/path/to/file` 😅 Note: it also works for Firefox and Chrome Extremely useful when combined with Wireshark 👍

CVE-2024-12727 Sophos coming in with an unauthenticated SQLi in their firewall appliance 👏

These are some really nice blog posts regarding algo confusion bugs in JWT by @pentesterlab.com pentesterlab.com/blog/jwt-alg... & pentesterlab.com/blog/another... nice one @snyff.pentesterlab.com!

Happy Winter Solstice! These photos were taken with a pinhole camera I made from a beer can and left out from Summer to Winter Solstice - a 6 month exposure. Bottom line = Winter Solstice. Top line = Summer Solstice. The lines are the Sun moving across the sky w/some reflections. No line = clouds

[4/n] My Hexacon 2023 talk about .NET Deserialization. New gadgets, insecure serialization (RCE through serialization) and custom gadgets found in the products codebase. Talk: www.youtube.com/watch?v=_CJm... White paper: github.com/thezdi/prese...

I put together a VERY limited (for now) list of web hackers in a Starter pack: go.bsky.app/9uay4Ad A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!

S2-067 is a fantastic bypass of the patch for S2-066. It uses ONGL to re-write the upload filename property in order to bypass the filename path traversal checks. PoC: if the target bean is called "UploadFile" the your target parameter is "top.UploadFileFileName". 🤯

We updated our CFP for Phrack 72! The deadline is now April 1st 2025. Check the site for specifics on how to contribute, as well as some inspiration! We also posted a link to purchase physical copies of Phrack 71, and a donation link too. Enjoy! phrack.org

wokism is out of control

…and what is your office? My office is that which is in the higher aspirant of the soul - Ma’at

A companion blog to my Bluehat 2024 presentation on OleView.NET is up now. googleprojectzero.blogspot.com/2024/12/wind...

I wrote a fun, little blog post. Remote pre-auth file deletion in SolarWinds ARM allowed to achieve LPE on AD machines 🙃

Here is a great follow up blog post to my blog Remote Code Execution with Spring properties written by Elliot Ward: snyk.io/articles/rem...

Shit posting on wastebook and having my family all triggered is the glory I get on a Friyay!

My latest blog post is live 🔥 Read it to learn what SafeMarshal is and *two* very different ways to escape and get RCE! Read it to find out why Date is *not* a safe class in Ruby or how to leverage serialized strings being constructed with string concatenation! nastystereo.com/security/rub...

My latest blog post is live! nastystereo.com/security/cro... Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon

I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy! Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...

I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby! It builds on the work of others, including Leonardo Giovanni, @ulldma.bsky.social and @vakzz.bsky.social nastystereo.com/security/rub...

Trust me, the Chinese hack Spring apps harder than you: juejin.cn/post/6972564...

Heh, got the poc for @qualys.bsky.social #needrestart CVE-2024-48990 in a couple of hours 😄

X-PAN-AUTHCHECK: lol

Awesome: www.zerodayinitiative.com/advisories/Z...

Qualys is at it again: https://seclists.org/oss-sec/2024/q4/108 LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) Original post

Interesting read: infosecwriteups.com/my-llm-bug-b...

Just the one :->

Loose lips sink ships

I bet this is actually pretty interesting: seclists.org/oss-sec/2024... and what’s the bet their would be variants in other frameworks and components.

I'm in the process of creating a *web security* starter pack and need your help finding more webbies here. Please share and recommend folks passionate about web security in comments below so we can get this community started here 🙂 go.bsky.app/Uf8dZhz

Post a pic YOU took (no description) to bring some zen to the timeline

Pop thy shell

Born too late for 2000s blackhat ezines born to early for bug bounty millionaire.

It’s that time of the month… for some spell craft 🧙‍♂️

[ZDI-24-1510|CVE-2024-50330] Ivanti Endpoint Manager GetComputerID SQL Injection Remote Code Execution Vulnerability (CVSS 9.8; Credit: Piotr Bazydlo of Trend Micro Zero Day Initiative) zerodayinitiative.com/advisories/Z...

Analysis for CVE-2024-47575, the recent FortiManager 0day, aka FortiJump from Rapid7: attackerkb.com/topics/OFBGp...

Im back because apparently this is the place to be

Disney making my job easier in the future https://youtu.be/W_fuiBHhdK4

Screaming into the void and the void screaming back.

“There is no life I know to compare with pure imagination. Living there you’ll be free, if you truly wish to be” - Willy Wonka