Spotted a reverse engineering boutique at Zurich main station

It's amusing to me the amount of apps that implement pretty decent anti-SSRF measures: - Private IP addresses✅ - Normalization of diff. IPv4/IPv6 representations✅ - TOCTOU DNS rebinding✅ - HTTP Redirects✅ But still this little😈 slips through the cracks: - 0.0.0.0❌ #bugbountytips

It's just like that sometimes

Swag's here! As part of an active campaign from 12build program run by @intigriti.com, I managed to find a few cool bugs. Great program, good quality💯 t-shirts #bugbountytips

Os Inception

I'm starting a new series called: Weird SSRF outputs

Hacking is just a weird thing that many discover because it's just something that we inherent (at birth?) and then develop over the years. It just feels right to be around computers and entangled stuff that most of the time, u cannot wrap your head around it, but guess what? That's the beauty of it

Sometimes all it takes is one weird byte. REcollapse aims to find it! Just give it a URL and it will generate a fuzzing list for all regex pivot positions with all possible bytes %00 to %ff! Check it 👇

This is the bad thing about sharing testing environments. This guy has been hammering an HTMLi on a invitation email request for three days now, which I'm 99.9% sure has been reported before **several times**.

I feel sorry for triagers seeing this type of... Thing on bug bounty reports

Antimatter is cool and it's a real thing. I used to work on an experiment where we collided protons with antiprotons to make top-antitop quark pairs (among other things). ⚛️

📷

Decompressing

I hate providing reproduction steps with (a) missed step(s). I guess writing reports late at night can take a toll on us sometimes. It can happen but it sucks, especially for the triager assessing the ticket

It's all about that tiny request, that picky little one that gets lost in a sea of junk from your history tab, the one which gives you the keys to the juicy treasure. Bug Bounty poem :)

It’s the same picture

Arp 321. a compact group of five galaxies located in the constellation Hydra. It's a fascinating object for astronomers because these galaxies are in close proximity and interacting with each other. Processed Hubble data by Dr. Mehmet Hakan Özsaraç. www.flickr.com/photos/mhozs... 🔭 🧪

Even physical games are bricked without PSN access if you need to pair a disc drive. This is why real physical media and disc drive access is vital. Welcome to the future - nobody owns anything, and all art and entertainment is disposable, temporary, and lost forever.

I guess this is well known by experienced WebApp pentesters/bug hunters/Burp Suite power-users, so this is targeting beginner users. While loading the Burp Suite extension Autorize, it has by default this box checked: 1/n

Stored XSS is cewl but have you heard about a store full of XSS's? 🙄

We've updated our URL validation bypass cheat sheet with this shiny Domain allow list bypass payload contributed by dyak0xdb!

By testing for SSRF be on the lookout of any Axios http clients, these instances follow redirects by default which devs sometimes don't know it. Therefore, there is a high chance defenses could be bypassed by entering the evil host after the redirection. Don't forget 301,308 redir codes ;)

"The best possible knowledge of a whole does _not_ include the best possible knowledge of its parts -- and this is what keeps coming back to haunt us." -Erwin Schrödinger, on quantum entanglement, 1935

Spotting bugs left and right just to sit back thinking about bb reports... That right there *is* the struggle!

Tip toeing into the app, It doesn't seen to have a Bookmark kinda thing, am I missing something?

Anyway if you'd like a lightweight primer on all things quantum, you can check out the series of short intro videos I made with the Perimeter Institute, Quantum 101: perimeterinstitute.ca/quantum-101-... Just because quantum mechanics isn't spooky doesn't mean it's not really, really cool. 🧵🔚

Today I was asked in an interview about folks who use the weirdness of ✨quantum✨ to hawk pseudoscience junk. I think that kind of grift proliferates because of a big misunderstanding a lot of folks have about quantum mechanics, which is not really their fault! 🧵

test