Вышел выпуск подкаста №4. Наконец cобрались обсудить давно интересующу нас тему: менджмент и бизнес - особенности данных веток таланов для пентестера. Есть ли вобще другие? Уже разлит по площадкам soundcloud.com/m1mo-croc music.yandex.ru/album/10321679 podcasts.apple.com/ru/podcast/id1…

Ruby on Rails 5 cookie tool (decrypt, encrypt and sign RoR cookies from Python) gist.github.com/juwilie/db1d3e… #pentest #bugbounty

I've just added an API routes wordlist containing 953011 possible API paths from the HTTPArchive dataset. Download it at wordlists.assetnote.io - all paths which start with "/api/", "/v1/", "/v2", or "/rest/". Good luck hacking! Thanks for requesting this, hope it helps.

Unintended solution for DragonCTF "Home Office 2" :-)

Excited to finally publish my lockdown project from earlier this year: an iOS zero-click radio proximity exploit odyssey. googleprojectzero.blogspot.com/2020/12/an-ios…

Got your special tool, Andrew 😸 #FireEye #RedTeam

We have combined all the tricks we know about SSRF into a single mindmap. If we missed something, write about it in the comments! High resolution: raw.githubusercontent.com/hackerscrolls/… XMind source: github.com/hackerscrolls/… #CyberSecurity #BugBountyTip #BugBounty

With the introduction of PHP 8.0, phar:// deserialization will be turned off by default so techniques like leveraging an XXE to trigger deserialization and gain RCE will no longer be possible. srcincite.io/assets/out-of-…

Выпуск #4 - Облачные истории Первый выпуск в новом году. Сегодня у нас в гостях Антон - lead application security engineer в компании Semrush. Общаемся про облака, доверие к ним и уйдем ли мы от старого доброго VPN. music.yandex.ru/album/10321679 podcasts.google.com/feed/aHR0cHM6L…

Burp Suite will SSE (Server Sent Events) proxy functionality be eventually added? It is really boring to toggle proxy every time application uses SSE.

📢 ZN 2021: new time and place Nothing can compare to the energy of live conversation. ZN 2021 will take place at Sevkabel Port, St Petersburg on June, 30. Early registration is available. Use promocode EARLYBIRD to get 20% off till the end of March zeronights.ru

Published a writeup for a Web challenge form YauzaCTF 2021 link.medium.com/PH8WOejFajb TL;DR: JA3 ratelimit bypass + a little guessing + MongoDB query injection

Today we're publishing a detailed technical writeup of FORCEDENTRY, the zero-click iMessage exploit linked by Citizen Lab to the exploitation of journalists, activists and dissidents around the world. googleprojectzero.blogspot.com/2021/12/a-deep…

The main problem with passwords is you always need to remember one for password managers like 1Password or Dashlane. Forget it! You can easily pick your most used one, written on a hand-made cracker! WOW! opensea.io/collection/pas…

Say NO to password managers in 2022! Use the most secure NFT password storage based on blockchain powered by cutting edge cryptography

I collected near million of subdomains from all #bugbounty scopes to make some #wordlists for enumeration. Hope it will help in searching new targets. You can check it here - "Yet another enumeration of subdomains with statistics" link.medium.com/nE3qmB2fHnb

All this CA stuff was cursed, but now, when CAs revoke certificates on a geographical basis, it is especially clearly visible.

История о том, как мы придумали с нуля отдельную инфру для Банка в Облаке, которая сейчас летит в проде. Сложно поверить, что эта история началась со схемы на доске в комнате безопасности. О том, с какими трудностями мы столкнулись и какие выводы сделали youtube.com/live/HJDOSkW-y…

What's happening? — Twitter asks. Almost nothing. Just Google laid off me before the start date of my employment: andgein.ru/blog/all/20-i-…

Playing CTF finals at #BHMEA23