Nice one ! #lichess #chess @lichess.org

🚨NEW: "The Late Show with Stephen Colbert" just dropped its first response to ABC, FCC chair, and Disney firing Jimmy Kimmel. Trump ain't sleeping tonight. 🤣 This is a must-watch. 🔥

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

1st time I start Burp to do bug bounty since the begining of June. Let's see if I still enjoy it or if I need more time to get back at it...

How to make $$$ from request smuggling Step 1) Pick the right target:

Euro de basket : les Belgian Cats brillent face à l’Allemagne et filent en demi-finale (83-59) www.lesoir.be/684043/artic... #belgiancats

"Ce qu’on est en train de vivre aujourd’hui, c’est les trajectoires qu’on avait imaginées il y a 20 ans. La communauté des climatologues n’est pas du tout surprise par la vague de chaleur qui arrive. Elle est effrayée." @cassouman40.bsky.social ce matin sur @franceinfo.fr #VagueDeChaleur #DontLookUp

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

Mais putain 🤦 Enfin, au moins on sait pour qui ils roulent...

Bye bye full time bug bounty hunting. It's been a hell of a ride, but it's time to move on...

AppSec Ezine - 589th edition #AppSec #Security pathonproject.com/zb/?33afd768...

Active Scan++ just got sharper - we’ve added new checks for OS command injection, powered by our latest ASCII Control Characters research. Install via Extensions -> BApp Store

No clue if this will be exploitable, but it's at least interesting: when I add an incorrect "X-Forwarded-Port" header using HTTP Request Splitting (CRLF injection with Nginx proxy), I trigger a HTTP 400 and I can then tunnel other HTTP1 requests to the backend. Poke @t0xodile.com for the tunneling

I often end up testing weird things, but my current test is so weird that @burpsuite.bsky.social can't even handle in propery if I use the Repeater custom action 😅

First one on @yeswehack.bsky.social :)

Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling". Desync vulnerabilities stemming from HP2 downgrading continue to plague even the largest vendors, have a read to find out how!

If you’re into bug bounty hunting and like finding weird XSS bugs (like me 😊) in places most people overlook, come check out my talk at NahamCon 2025 this Friday, May 23. "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Checks"

I'm a big fan of these issues, but I always struggle to actually exploit them 😅

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓

If you missed my talk "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling" @BSidesExeter you have another chance to catch it on 22/05 at 16:00 BST on the @portswigger.net discord. discord.com/events/11591... You can find the abstract/resources below. Hope to see you there!

Niiiiiiiiice game #chess #lichess

I've written lots of words on "the cloud" and specifically Europe's woes. In the post below I tie many articles together into a hopefully useful overview. It may be good to know that nothing I write on the cloud is original, I mostly hope to report things as they are: berthub.eu/articles/pos...

Never bet against hax0rs. “The hacker…[found] a token belonging to a GlobalX developer. They then used that to find access and secret keys for GlobalX’s AWS instances which contained the data. They…also sent a copy of the defacement message to GlobalX’s employees, and then deleted company data.”

La Belgique est dans le top 20, vraiment ?

Rubio publicly criticizing an ally for cracking down on right-wing extremism. And Germany hitting back. We are in a new world

When the same HTTP request gets you 3 different response code, you known something is weird... And thanks @jameskettle.com for the race condition custom action, it's really convenient to have it directly in Repeater.

If there's one thing I've learned about covering cybersecurity over the past decade or so, is that the cybersecurity community (the fixers and breakers) and the cybersecurity industry (profits above all else) are two very, very different things.

Bug bounty programs: - only use your own accounts to test, - create multiple accounts to test for access control issues, - use your bug bounty platform email otherwise you're not elligible for a bounty. Also bug bounty program:

When you test a path traversal in a parameter, and you get a HTML error response in a JSON message :)

Right wing politics in a nutshell.

PhD Timeline xkcd.com/3081

When you triggered ONE HTTP callback, but can't reproduce it... #bugbounty #ssrf

Potential secondary context path traversal on a nice target, in a GraphQL request variable. Probably tricky to exploit. And as usual, something suspicious has to be found one hour before the week-end, when I'm already exhausted... 😡

My story breaking this news exclusively was 7K+ words and had almost all of this in it, and more: www.npr.org/2025/04/15/n...

Chaud pour en arriver à tout débrancher... Bon courage aux équipes.

Niiiiice :)

Anyone up for an #OSINT challenge? The photographer of this pic would love to know what flight he captured. Taken from Gierle, Lille, Belgium on Sunday April 13th around 11PM Wonder if it can be done without more details... /cc @bellingcat.com @eliothiggins.bsky.social www.vrt.be/vrtnws/nl/20...

@lesoir.be Votre stagiaire a laissé une coquille :)

« Qui peut croire qu'après 9 ans de procédure d'instruction, après 2 mois de procès, dans une décision qui fait plus de 150 pages, les juges auraient pour seule motivation la boussole partisane ? » Magali LAFOURCADE Magistrate #CCeSoir ➡️ bit.ly/MLPcolereRev... 🎧en podcast

Très excité de vous dévoiler ce nouveau projet. 🤩 On peut le dire : en 2025, Charleroi sera le nouvel eldorado de l'ultra-trail avec l'organisation de la 1e édition de la Barakley ! Sur quel site historique se tiendra la course ? Devinez et gagnez votre poids en bières👇

Si la troisième croisade avait lieu maintenant... 😉😅

You can't use a clever definition of "cloud native" to pretend that you compete with AWS/Azure/Google stacks. Don't try to fool people, it will backfire eventually. "There is no cloud just other people's computers" means you don't get what developers are doing with clouds berthub.eu/articles/pos...

That's not good 😟

Europe & European governments can no longer rely on American clouds. European alternatives won’t emerge on their own. So, it’s time for #industrialpolicy. In this post, I explore the challenges and immodestly propose a coherent strategy to come to European alternatives: berthub.eu/articles/pos...

Playing with @hextreeio.bsky.social "Android" course and I must say it's really amazing !

Are you ready for another Burp AI sneak peek? 👀 Introducing False Positive Reduction - Access Control. #BurpAI