Rick Ramgattie (@rramgattie) 's Twitter Profile
Rick Ramgattie

@rramgattie

ID: 719285525954359298

https://ramgattie.com 10-04-2016 22:06:47

644 Tweet

209 Followers

167 Following

BOGON (@extantbogon) 's Twitter Profile Photo

Ever wondered what kind of stuff ends up in URL shorteners? I did, and then I found out about URL Team. 5+ years of distributed brute forcing, with over 12 billion links found, totaling ~1TB of data. There's some wild stuff in here! archive.org/search.php?que…

Rick Ramgattie (@rramgattie) 's Twitter Profile Photo

Even if there is URL encoding you can get same site SSRF if you control variables between forward slashes. Think '/encode($var1)/encode($var2)/encode($var3)' where those vars are '..' It's allowed per the RFC tools.ietf.org/html/rfc3986#s…

Ming Chow (@0xmchow) 's Twitter Profile Photo

Marcus' tweet prompted me to write this piece: "Technical Project Ideas Towards Learning Cyber Security" mchow01.github.io/education/secu…

Rick Ramgattie (@rramgattie) 's Twitter Profile Photo

I was thinking about the SameSite 2 Minute "Post+LAX" workflow this morning and found that someone had already figured out the workarounds I was thinking about medium.com/@renwa/bypass-….

BOGON (@extantbogon) 's Twitter Profile Photo

Quick tip: If you're attacking/defending a *nix box with users that can run limited sudo cmds, check for `more` and `less`. Both tend to be assumed as benign but can execute arbitrary commands. So, if you have a "read only" account with sudo less/more, it's trivial root privesc.

Bsides Orlando (@bsidesorl) 's Twitter Profile Photo

Join us on Nov 7 at 10:30 AM ET when Shea Polansky (Shea Polansky) presents "Adventures in Perimeterless Homelabbing" More info: 2020.bsidesorlando.org/?utm_campaign=… Full Schedule: 2020.bsidesorlando.org/?utm_campaign=… Tickets: …desorlando2020-virtual.eventbrite.com/?utm_campaign=…

SecurityTrails, A Recorded Future Company (@securitytrails) 's Twitter Profile Photo

Want to get more credits for SecurityTrails API™? Just retweet this tweet and you will get 100 RECURRING API CREDITS 🎉 Ends 28 Nov 2020, 3pm EST. Make sure we can PM you to ask for the email address you signed up with.

Rick Ramgattie (@rramgattie) 's Twitter Profile Photo

I finally set up my own collaborator server and it would have been hell without this blog and repo. teamrot.fi/self-hosted-bu…

Rick Ramgattie (@rramgattie) 's Twitter Profile Photo

Thanks for the tip! I will change those right now. I set it up so that it tees it into a file for logging and hits a Slack webhook with valid information. It's going to be very handy for OOB attacks.

BOGON (@extantbogon) 's Twitter Profile Photo

I've encountered a new contender for worst vulnerability disclosure process. NASA. It seemed promising at first, but I've been attempting to exchange PGP keys for over 3 weeks.

🇨🇦Hack The Box Ottawa (Meetup) (@hackthebox_yow) 's Twitter Profile Photo

We're turning up the heat 🔥 for the next meetup! We're tackling a HARD Linux box and we called in the big guns to walk us through it! Offensive security specialist (from Ottawa🇨🇦), t1v0 , is our next guest presenter! Do not miss this one and RSVP🔗: meetup.com/Hack-The-Box-M…

Doyensec (@doyensec) 's Twitter Profile Photo

Summer 2023 - 3 months paid, summer #internships available for US/EU residents. Learn #appsec from the best :) Apply today! careers-page.com/doyensec-llc/j… #doyensec

Darryl Ruggles (@rdarrylr) 's Twitter Profile Photo

You may have certain files in your repo you want to keep an eye on and be notified if someone is trying to change them. If you're using GitHub for storing your code then you can take advantage of GitHub Actions and workflows to perform many different automation tasks and build