Sean Pesce

90 posts

@SeanPesce

IoT & Android Hacker | OSCP | https://t.co/363zDIbhfm

United States · Joined August 2016
194 Following 256 Followers
Sean Pesce@SeanPesce·
@ozeniken @archiveis IIRC this is due to some archaic rules around classified data, and/or bringing data into classified spaces (e.g., SCIFs)
Sean Pesce@SeanPesce·
@rebane2001 @NotionHQ I've long thought there should be an option to retain history on 0-second meta redirects TBH
Rebane@rebane2001·
i think @NotionHQ is the first website i've come across that's (accidentally, i hope) hostile to noscript users
it has a 0-second meta refresh to a js-disabled page, which means that even if you enable js, you're still stuck on this page and cannot even use the back button
Sean Pesce@SeanPesce·
@Muntrive @FirewallFiasco @Hacker0x01 One-click ATO is absolutely a vulnerability, and often considered high-severity. Anyone saying otherwise is objectively incorrect. Consider also that many XSS and CSRF attacks require a click, and they don't always guarantee something as impactful as ATO.
Sean Pesce@SeanPesce·
@fr4vian Yeah it's basically impossible unless you have a generous triager - I've found several one-click RCEs and all were rated "high"
Franc Vian@fr4vian·
Just curious 🤔 Have any of you folks ever received a ‘critical’-rated report for a mobile issue? 👉MOBILE👈 not web issue using mobile ... that's WEB
Sean Pesce@SeanPesce·
@skcd42 @charliermarsh Yeah I believe this is just a general browser quirk, your highlighted selection is lost when the DOM is updated
skcd@skcd42·
the root cause for this is that when the streaming is going on, the markdown renderer re-renders the whole html node. The same problem occurs in vscode using the GitHub copilot cause of the markdown renderer vscode uses. I remember tackling this exact problem while working on the editor and it was very very non-trivial. Now given that this is the web interface and they are probably using the Monaco editor for this, the root cause might be the same.
Charlie Marsh@charliermarsh·
This can't just be me, right? Battling endlessly against this text-selection behavior?
s1r1us (mohan)@S1r1u5_·
anyone used SMT solvers to find bugs in real apps like chrome? any blogs?
Sean Pesce@SeanPesce·
@Ch0pin Also, excessive use of the "not interested in this post" button
Dimitri Os@Ch0pin·
How to normalize your tweeter feed as a security researcher in the musk era:
- Start scrolling
- Click / Stop only on security related topics. Don't dare to blink / delay over something else ... No matter what !!
- Do this for about an hour
Sean Pesce@SeanPesce·
@Ch0pin Nice! Definitely an under-researched topic
Dimitri Os@Ch0pin·
finally some light ....
Sean Pesce@SeanPesce·
@vasyaqwee @tdinh_me VS Code: right-click -> "format document," and when you copy/paste from it, it retains your (theme-specific) syntax highlighting
Tony Dinh@tdinh_me·
Love Pieter but all developers should stop pasting their JSON payload on random website on the internet just to beautify it 😬
@levelsio

✨ I made a new thing today: 📑 JSON.pub

Whenever I need to quickly copy paste a raw JSON data dump from my app and view it I'd always use json . parser . online . fr but it seems unmaintained, keeps going down, doesn't have HTTPS, and other JSON viewers are full of spyware/malware/tracking scripts

So I made this today with a lot of help from ChatGPT to solve it for me and everyone else: JSON.pub visualizes raw JSON data for you, and does it 100% on the client without sending any data to the server

But it also secretly supports a lot of other data formats like XML, PHP serialized data, hexadecimal, base64 encoded data, and even binary!

And it also works well on mobile!

Another one of my little hack projects :D

If you want me to add other data types, let me know and I'll add them

Sean Pesce@SeanPesce·
@MishaalRahman Actually, I've seen quite a few devices with security policies that let you install/sideload apps, but not enable developer options - this would still be a use-case for Termux
Mishaal Rahman@MishaalRahman·
Here's a first look at Android's upcoming all-in-one Terminal app, which downloads, configures, runs, and interfaces with an instance of Debian running a virtual machine! Currently, the Debian images are hosted on a Googler's GitHub, but Google plans to host these images themselves soon. For more info on this Terminal app, see the replies👇 (Thanks to an anonymous dev for sharing this!)
Sean Pesce@SeanPesce·
This is just a small sample from that list
Sean Pesce@SeanPesce·
Arc browser (on Android, at least) seems to block ads and annoyances by injecting a <style> element on every page you visit - it applies this style by using a giant list of more than 12,000 CSS selectors for common nuisance DOM elements