Another example I just looked at with an XSS attack that is using Right Double Quotation Mark visual confusable for the ASCII Quotation Mark codepoints.net/U+201D util.unicode.org/UnicodeJsps/co…

Compromised VPNs have been traditionally only used for initial access. Read how much more damage can be done by threat actors performing VPN post-exploitation: ow.ly/3Q9F50SSZNq

As expected, Akamai Security Intelligence Group is seeing WAF attacks related to Orange Tsai 🍊's research (Local Gadget to LFI) released at Blackhat last week.

A shoutout to André as we referenced your Unicode normalization table in our workshop 👊 0xacb.com/normalization_…

Another example related to our Bug Bounty Village workshop. We didn't have time to include this example but I have seen "spelling" data manipulation be abused for WAF obfuscation both server and also client-side in JS. t.ly/Asg7I

For those that attended Angel Hacker and I's Bug Bounty Village workshop and liked it, here is a great mindmap type of view for Unicode normalization issues that you can apply to #BugBounty #bugbountytips

A shoutout to Anton for this html entity encoding trick. We highlighted it in Angel Hacker and I's Bug Bounty Village workshop (t.ly/Asg7I) We have a YesWeHack ⠵ DOJO lab for it here: dojo-yeswehack.com/challenge/play…

Here is the YesWeHack ⠵ DOJO lab that Angel Hacker made that demo's this issue in an XSS attack - dojo-yeswehack.com/challenge/play… This was part of our Bug Bounty Village workshop: t.ly/Asg7I

It was the hacker version of Omega Mart! meowwolf.com/visit/las-vegas

This week's Critical Thinking - Bug Bounty Podcast HackerNotes has dropped, covering a bunch of takeaways with Lupin and Justin from Google's BugSwat event in Vegas! Check it out below: blog.criticalthinkingpodcast.io/p/hackernotes-…

LOVE it Lenny Zeltser! I agree with this mindset and I outlined many of these concepts for defend web applications in the first section of my book "Web Application Defender's Cookbook: Preparing the Battlespace". BTW - I also quoted Richard Bejtlich 💾 🇺🇦 as well 👊 #DetectionEngineering

Thanks to YesWeHack ⠵ for the swag boxes for Angel Hacker and I! LOVE the sweatshirts 👍

These privilege escalation endpoints are overlooked feat. D Day #bugbounty #bugbountytips #bugbountyhunter

🚀 New Shazzer update shazzer.co.uk - Added tool tips and help for placeholders - Added new UI to separate simple/advanced placeholders - Added new placeholders to use fromCodePoint method - Displayed warning when using raw characters inside JS strings

Akamai's SIRT discovered a zero-day command injection RCE vulnerability in the brightness function of AVTECH CCTV cameras. This was being used as part of a Mirai botnet campaign abusing several other vulnerabilities as well. Full write-up including IOCs: akamai.com/blog/security-…

Here is the YesWeHack ⠵ DOJO lab Angel Hacker made for this issue from our Bug Bounty Village workshop dojo-yeswehack.com/challenge/play…

Here is the YesWeHack ⠵ DOJO lab that Angel Hacker made for this issue (Unicode codepoint truncation) from our Bug Bounty Village workshop. dojo-yeswehack.com/challenge/play…

Unicode codepoint truncation vuln strikes again... x.com/ryancbarnett/s…