Tim Tomes
@LaNMaSteR53
15.2K posts

Believer † | Husband :-* | Father \o/ | Veteran o7 | PractiSec | "Burp Suite master and king of making HTTP requests tremble."

Upstate South Carolina · Joined August 2009
122 Following · 8.1K Followers

Pinned Tweet
Tim Tomes @LaNMaSteR53
If you've seen me present, you know I introduce myself as a follower of Jesus. Everyone has an opinion of what that means. Can I challenge you to watch this explanation? It's more important than anything I've ever said, and may surprise you. youtu.be/ykH8E9wTCcQ
Tim Tomes @LaNMaSteR53
It's the last week to sign up for Practical Web Application Penetration Testing (#PWAPT) and the Practical Training Bundle. Class starts next Monday! practisec.com/events/
Tim Tomes @LaNMaSteR53
Just submitted a talk titled "Web Application Authorization: Taming the Perfect Storm" to the @WWHackinFest CFP. I am particularly excited about this one. It's the first time I'll be sharing how I tackle authorization outside the classroom, plus a few extra goodies.
Tim Tomes @LaNMaSteR53
Greetings! There are 2 training opportunities currently available on my events page at practisec.com/events/:
* PWAPT beginning April 7th
* PBAT beginning June 9th
Bundle them and save $500!
Tim Tomes @LaNMaSteR53
Just pulled this gem out of a client code base: "AESKey": "dsfsfdfgsdfsgfdg", I guess their version of a cryptographically secure RNG is to smash the 4 main fingers of their left hand on the keyboard 4 times.
Tim Tomes @LaNMaSteR53
@Ch33z_plz There is admin enforcement in the actual code, but I left it out for brevity. Probably should have made that more clear. But yes, your diagnosis is correct. Lastly, the route for `schedules` is missing the preceding `/`, which means it isn't a match and can already be accessed.
Ch33z_plz🧀🐀 @Ch33z_plz
@LaNMaSteR53 The middleware tries to block admin pages by checking the last part of the URL, but it's flawed. Attackers can bypass it with extra path segments (/customers/123), uppercase, or query params. There's no real admin enforcement, just a log, so unauthorized users still get through.
Tim Tomes @LaNMaSteR53
This is real code I am working with today. This is an authorization check protecting admin-only resources. There are multiple ways to bypass this. What are they? For additional context, this is middleware for an Express.js back end.
[image attached]
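The thread above describes an Express.js authorization middleware that keys on the last URL segment and only logs. As an added example (not Tim Tomes' code, which exists only in the tweet image), here is a middleware written against the bypasses the replies list: extra path segments, uppercase, query parameters, a rule missing its leading `/`, and log-only enforcement. It goes one step beyond the thread by also percent-decoding the path. The rule set, the `run` harness and the stubbed `req`/`res` objects are constructed for this example.

```javascript
// Added example, not Tim Tomes' code (his middleware exists only in the tweet image).
// Admin check built against the bypasses named in the thread: path only (no query
// string), case-insensitive, whole-segment prefix match so extra segments still hit,
// startup failure on a rule without a leading "/", and a real 403 instead of a log.
// Constructed rule set; runs under plain Node with Express's req/res stubbed.
const ADMIN_PREFIXES = ["/admin", "/customers", "/schedules"];

function normalizePath(rawUrl) {
  let path = rawUrl.split(/[?#]/)[0]; // ignore query string and fragment
  try {
    path = decodeURIComponent(path); // "/%41dmin" -> "/Admin"
  } catch (_) {
    return null; // malformed encoding: caller fails closed
  }
  path = path.replace(/\/{2,}/g, "/").toLowerCase();
  if (path.length > 1 && path.endsWith("/")) path = path.slice(0, -1);
  return path;
}

function compileRules(prefixes) {
  for (const p of prefixes) {
    // A rule like "schedules" (no leading "/") can never match a request path.
    if (!p.startsWith("/")) throw new Error(`rule "${p}" must start with "/"`);
  }
  return prefixes.map(normalizePath);
}

function isProtected(rawUrl, rules) {
  const path = normalizePath(rawUrl);
  if (path === null) return true;
  // Whole-segment prefix match: "/admin" covers "/admin/x", not "/administrator".
  return rules.some((r) => path === r || path.startsWith(r + "/"));
}

function requireAdmin(rules) {
  return function (req, res, next) {
    if (!isProtected(req.originalUrl, rules)) return next();
    if (req.user && req.user.role === "admin") return next();
    res.status(403).json({ error: "forbidden" }); // enforce, do not just log
  };
}

// Minimal harness standing in for Express: returns the status the middleware set.
function run(rules, url, role) {
  const req = { originalUrl: url, user: role ? { role } : null };
  let status = 200;
  const res = { status(c) { status = c; return this; }, json() {} };
  requireAdmin(rules)(req, res, () => {});
  return status;
}
```

In a real app the same `normalizePath` should be applied to the route table so the authorization check and the routes agree on the canonical path.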
Tim Tomes retweeted
Tim Medin @TimMedin
Join us on the @RedSiege Wednesday Offensive with @LaNMaSteR53 discussing testing web apps for authorization issues. Join us for just 30 minutes (and no slides!) at redsiege.com/wedoff. Awkward fam photo time!
[image attached]
Tim Tomes @LaNMaSteR53
As always, I thoroughly enjoyed presenting at WWHF and appreciate the opportunity. If you enjoyed the content of my presentation, then keep an eye on my socials, as I will be announcing my first training opportunities for 2025 in the next week. Happy New Year everyone!
Quoted tweet, Wild West Hackin' Fest @WWHackinFest:
> Check out @LaNMaSteR53 's talk, "{JWT}.{ Misuse}. & Abuse," from Wild West Hackin' Fest - Deadwood 2024! youtube.com/watch?v=L4W7Cm…
Tim Tomes @LaNMaSteR53
@PortSwigger What parts of the API were added? The dropdown documentation looks the same. Is the AuditIssue class accessible?
[image attached]
Tim Tomes @LaNMaSteR53
Anyone on my feed have a connection with the Carolina Hurricanes?
Tim Tomes @LaNMaSteR53
I was literally saying this to a friend the other day and wondered if I was the only one that noticed. I'm glad I'm not. tidbits.com/2024/11/11/mis…
Tim Tomes @LaNMaSteR53
@hacks2learn My pleasure. The filtering capabilities are in the proxy configuration panel. It behaves like a split-tunnel for HTTP traffic. Pretty awesome. Make sure you set FoxyProxy to proxy by filters though, or they won't apply.
hacks2learn @hacks2learn
@LaNMaSteR53 Thanks for the FoxyProxy filter tip! I use it, but obviously to its full potential 😀
Tim Tomes @LaNMaSteR53
I actually use the FoxyProxy browser extension to accomplish this. It's another tool you have to install (downside), but it persists across projects (upside). Thanks for the tip!
Tim Tomes @LaNMaSteR53
I'm going to try and be more active on this platform again. Any tips for finding favor with the algorithm? My engagement is next to zero, and it doesn't seem to matter how many followers I have. Thanks!
Tim Tomes @LaNMaSteR53
@jessecooper Communities and Spaces? ... I've been gone for a while. I got some catching up to do.
jessecooper @jessecooper
@LaNMaSteR53 Maybe posting in some of the communities? Also spaces for live quick discussions or demos.
Tim Tomes @LaNMaSteR53
@bl4nk_io Bah. That's too bad. Maybe I can add some value. I'll try not to be a bot.