Ryan Barnett
@ryancbarnett
Web App Defender | Bug Hunter/Triager | Purple Team | Detection Engineering | Author | Principal Security Researcher @Akamai_research | OWASP Project Leader ✝️
ID: 135907568
http://tacticalwebappsec.blogspot.com 22-04-2010 14:27:56
4,4K Tweet
4,4K Followers
313 Following
As expected, Akamai Security Intelligence Group is seeing WAF attacks related to Orange Tsai 🍊's research (Local Gadget to LFI) released at Blackhat last week.
Another example related to our Bug Bounty Village workshop. We didn't have time to include this example but I have seen "spelling" data manipulation be abused for WAF obfuscation both server and also client-side in JS. t.ly/Asg7I
For those that attended Angel Hacker and I's Bug Bounty Village workshop and liked it, here is a great mindmap type of view for Unicode normalization issues that you can apply to #BugBounty #bugbountytips
A shoutout to Anton for this html entity encoding trick. We highlighted it in Angel Hacker and I's Bug Bounty Village workshop (t.ly/Asg7I) We have a YesWeHack ⠵ DOJO lab for it here: dojo-yeswehack.com/challenge/play…
Here is the YesWeHack ⠵ DOJO lab that Angel Hacker made that demo's this issue in an XSS attack - dojo-yeswehack.com/challenge/play… This was part of our Bug Bounty Village workshop: t.ly/Asg7I
This week's Critical Thinking - Bug Bounty Podcast HackerNotes has dropped, covering a bunch of takeaways with Lupin and Justin from Google's BugSwat event in Vegas! Check it out below: blog.criticalthinkingpodcast.io/p/hackernotes-…
LOVE it Lenny Zeltser! I agree with this mindset and I outlined many of these concepts for defend web applications in the first section of my book "Web Application Defender's Cookbook: Preparing the Battlespace". BTW - I also quoted Richard Bejtlich 💾 🇺🇦 as well 👊 #DetectionEngineering
Thanks to YesWeHack ⠵ for the swag boxes for Angel Hacker and I! LOVE the sweatshirts 👍
Here is the YesWeHack ⠵ DOJO lab Angel Hacker made for this issue from our Bug Bounty Village workshop dojo-yeswehack.com/challenge/play…
Here is the YesWeHack ⠵ DOJO lab that Angel Hacker made for this issue (Unicode codepoint truncation) from our Bug Bounty Village workshop. dojo-yeswehack.com/challenge/play…