Only 1 hour into our SecDim AI Wargame at Black Hat. The king-of-the-hill title has taken over twice! Players need to both defend (secure prompt engineering) and hack (prompt injection) their OpenAI LLM Apps. We will be also hosting our contest at AppSec Village

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confus… Highlights include: ⚡ Escaping from DocumentRoot to System Root ⚡ Bypassing built-in ACL/Auth with just a '?' ⚡ Turning XSS into RCE with legacy code

@nffrenchie presenting the talk "Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Profiling". #dc32 #defcon32

It was just disclosed: github.com/navidrome/navi… Proof that I can still find bugs I guess...

My blog is live! Decided to share a few thoughts on SQL injection polyglot payloads for my first post. RTs and feedback greatly appreciated nastystereo.com/security/sqli-…

I'm doing a talk at the OWASP Brisbane meetup on the 18th of November on Code Review, JWT, Golang... It's going to be a lot of fun and I will bring swag and stickers! meetup.com/brisbane-owasp…

I just published a new blog post sharing an improved Deserialization Gadget Chain for Ruby! It builds on the work of others, including Leonardo Giovanni, Peter Stöckli GitHub Security Lab and William Bowling @[email protected] nastystereo.com/security/ruby-…

🧵Can you work out how to bypass this vulnerable CSRF protection? Read all about this gotcha in my latest blog post

🧵I just published a new blog post, this time about vulnerabilities in a web framework written in the R programming language!

nastystereo.com - Where reporting the vulnerabilities is left as an exercise for the reader Want to provide feedback on upcoming posts before they’re published? Drop me a DM!

🧵My latest blog post is live 🔥 Read it to learn what SafeMarshal is and *two* very different ways to escape and get RCE! nastystereo.com/security/ruby-…

🧵New blog post! Introducing the _json juggling attack in Ruby on Rails

Probably my last CVE for the year: JWT Algorithm Confusion in a C library... github.com/xmidt-org/cjwt…

The detailed version of our #WorstFit attack is available now! 🔥 Check it out! 👉 blog.orange.tw/posts/2025-01-… cc: splitline 👁️🐈‍⬛

The Fetch API supports Blob objects as request bodies, not just strings! Blobs can omit a type, enabling cross-site POST requests without a Content-Type header. Even with non-empty bodies, the Blob's data becomes the request body! (credit: Luke Jahnke)

This is absolutely the greatest recognition for a researcher. Thank you all!

If you’re on twitch you can now follow me there, username is nastystereo The channel will be focused on hacking, link in the next tweet

We are cooked. Google DeepMind Genie 3 just broke the internet. 10 wild examples 1. Nothing feels real anymore

As an engineer, I ❤️ clever engineering. Ruby on Rails relies on signed sessions (AES GCM). They are secure, but there is a catch: you cannot invalidate them early. You have to wait for expiry. Workarounds exist, like caching sessions you want to kill, but nothing universal.

New blog post: Ruby Array Pack Bleed PoC + breakdown of a simple out-of-bounds reads in Ruby's Array#pack