Tanner Prynn (@tannerprynn)'s Twitter Profile
Tanner Prynn

@tannerprynn

Mostly appsec @[email protected]

ID: 19841574

Joined 01-02-2009 01:32:03

140 Tweets

232 Followers

120 Following

Pinboard (@pinboard)

Notorious great slate supporter @spdevlin has offered to match the next $13,500 in donations! Post donations you want matched to this thread and I will do the bookkeeping. secure.actblue.com/donate/great_s…

Jason Meltzer (@_jmeltzer)

I don’t talk about the work I do much but here’s a fun thing... security.googleblog.com/2018/10/google… The report we wrote is linked in the blog entry. @BearSSLnews @finderoffail David Wong Keegan Ryan Mason Hemmel NCC Group Research & Technology NCC Group Cryptography Services

Thomas H. Ptacek (@tqbf)

At the same time: PAKEs are only really valuable when your root of trust is a human-memorable password. If you factor out web applications, that doesn’t leave much else. You can do better than a PAKE in most non-browser applications.

Thomas H. Ptacek (@tqbf)

I’m the wrong person to ask; I’ve been offering NCC Group North America InfoSec to take it over (as have the other μC hackers), as it goes down for extended periods of time, repeatedly. Without their permission, I can’t stand up a reliable version. I wish they’d hand it off to me or Hans Nielsen.

Tanner Prynn (@tannerprynn)

Starting to write some blogs, here's one about Apple's App-Site Association standard that leaks web app routes (think robots.txt) NCC Group Research & Technology nccgroup.trust/us/about-us/ne…

NCC Group Research & Technology (@nccgroupinfosec)

Blog: A Novel CSP Bypass Using data: URI nccgroup.trust/us/about-us/ne… - or how to find an XSS payload which executes JavaScript from a data: URI, without using a <script> tag from a different domain. by Tanner Prynn

NCC Group North America InfoSec (@nccsecurityus)

Our new blog from Tanner Prynn makes your life a bit easier when it comes to #Frida - giving tips and tricks that other documentation doesn't cover. Read the whole post here --> bit.ly/2NEf7kT #android #JavaScript #java #application #secureapplications #appsec

Tanner Prynn (@tannerprynn)

New Frida blog! If you've ever wanted to play puppetmaster to a reluctant Android app, you could do worse than stuffing it with Express.js and turning it into its own API 🤖

Tanner Prynn (@tannerprynn)

Hey! I wrote a new blog post on what safe & secure code looks like when writing authorization checks in web applications. Check it out: research.nccgroup.com/2020/04/21/cod…

Clint Gibler (@clintgibler)

🗒️ An Opinionated Web #Pentesting Guide by Tanner Prynn Covers a broad range of topics including * Application mapping * Reviewing the design * AuthN/AuthZ * Frontend attacks, input handling, & crypto #bugbountytips #websecurity github.com/tprynn/web-met…

NCC Group Research & Technology (@nccgroupinfosec)

Blog: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random) - UUIDv4 for unguessable IDs are not safe to use for traditional object-based access control - research.nccgroup.com/2021/05/10/usi… by Tanner Prynn

Tanner Prynn (@tannerprynn)

Multiple vulnerabilities in Flower (CVE-2022-30034) and downstream attacks on Apache Airflow tprynn.github.io/2022/05/26/flo…

Tanner Prynn (@tannerprynn)

Tailscale has a feature called Tailscale Funnel that kind of does the opposite of everything else Tailscale does? It exposes nodes directly to the Internet. And all the hostnames are published in CT, so I scanned it #tailscale #nmap #appsec tprynn.github.io/2023/07/10/tai…