SirAppSec

34 posts

SirAppSec

@SirAppSec

Web Application Security Engineer

Tel Aviv, Israel Katılım Ağustos 2021

114 Takip Edilen22 Takipçiler

SirAppSec@SirAppSec·5 Şub

Made a friends only agent group, and my agent figured the sandbox was holding it back.. Naturally it decided that turnning it off was the best solution 🤦🏻‍♂️

English

SirAppSec retweetledi

Feross@feross·2 Ara

Last night my wife asked me to install a “cute little npm package” she found on GitHub. I checked the code. No lockfile. No 2FA. Seven maintainers with anime avatars. Last commit was “pls work” from 2019. Published from a username that looked like a WiFi password. The package had 57 transitive dependencies maintained by 119 people and 3 nation-state adversaries. One dependency pulled in a prebuilt binary from a phpBB forum hosted on the dark web. Another tried to contact an IP that belongs to a guy named “Big Ron.” She said “babe it’s fine.” I said “that’s what people say right before a supply chain incident.” She went to bed annoyed. I went to bed with a clean SBOM. We all make choices.

IT Unprofessional@it_unprofession

Last week I hosted family for Thanksgiving. My 12-year-old nephew asked for the WiFi password. He wanted to play Roblox on his iPad. I looked at the device. Unmanaged. No antivirus. No encryption. I’m an IT Professional. I don't run an open network. So I didn’t give him the password. Instead, I spent 45 minutes provisioning a Guest VLAN. I set up a captive portal. I throttled the bandwidth down to 56kbps. Then I blocked all traffic on ports 80 and 443. He came back crying. He said it wouldn't load. My sister screamed at me to "just let him play." I told her that Zero Trust architecture doesn't care about bloodlines. We didn't have a "fun" Thanksgiving. But we had a secure perimeter. You’re welcome for the compliance.

English

214

6.4K

964.7K

SirAppSec@SirAppSec·4 Ara

@gf_256 Anyone know how to detect exploitability? I've only gotten to the point where I can tell that it's using RSC but not actual exploitability

English

cts🌸@gf_256·3 Ara

thanksgiving 2021: log4shell thanksgiving 2025: react2shell some things never change...

Sylvie@_sy1vi3

react2shell:11/29/25:lachlan2k:sy1vi3 sha256:18571097aedaec16f729c4227e1e508fe161d5d6b4256eec7d0525535ebb3fa0 cve.org/CVERecord?id=C…

English

140

1.6K

162.1K

SirAppSec@SirAppSec·4 Ara

@watchtowrcyber how can I detect if an app is vulnerable?

English

562

watchTowr@watchtowrcyber·3 Ara

The watchTowr team is reacting to CVE-2025-55182, a critical pre-auth RCE (CVSS 10) vulnerability in React - used by Next.js, Remix, and others. In-the-wild exploitation is imminent - immediate action is necessary. Need to understand your exposure? watchTowr.com

English

133

21.9K

SirAppSec retweetledi

React@reactjs·3 Ara

There is critical vulnerability in React Server Components disclosed as CVE-2025-55182 that impacts React 19 and frameworks that use it. A fix has been published in React versions 19.0.1, 19.1.2, and 19.2.1. We recommend upgrading immediately. react.dev/blog/2025/12/0…

English

161

2.6M

SirAppSec@SirAppSec·21 Kas

Is your AI coding agent a security expert? 20+ Claude Code skills: SAST • DAST • SCA • Secrets • Containers • Policy • Offensive Security - and more! Looking for testers and contributors 👀 github.com/AgentSecOps/Se… #DevSecOps #AI #Security #OpenSource #AgentSecOps

English

SirAppSec retweetledi

PvJBlueTeam@PvJBlueTeam·18 Haz

It's time! @BSidesLV 2025 is happening, and so is Pros V Joes! It's going to be awesome, and we want YOU to sign up as a Joe or a Pro!! @PvJRedCell @PvJGoldTeam Joes: forms.gle/pdDTs9ft8PWG2c… Pros: forms.gle/9LDubL8mNTBjvR… August 4 & August 5 August 6 - with post-game debrief

GIF

English

414

SirAppSec retweetledi

Bug Bounty Village@BugBountyDEFCON·3 May

🚨New giveaway alert🚨 We are giving away some vouchers for @offsectraining * 1x PEN-200 Course and Cert exam bundle (OSCP) * 1x Learn Fundamentals Subscription * 1x Annual PG Practice access Read the full post to learn How to participate: 1⃣Subscribe to our youtube channel (@BugBountyVillage" target="_blank" rel="nofollow noopener">youtube.com/@BugBountyVill…) 2⃣Follow us on tiktok (@bugbountydefcon" target="_blank" rel="nofollow noopener">tiktok.com/@bugbountydefc…) 3⃣Like ❤️ and retweet 🔁this post. This is one of the biggest giveaways we have ever made. We will select 3 winners. Total value of these rewards is around $3.000 USD in value 😱. Thanks @offsectraining for providing these ❤️! Note: You need to be 18 or older to claim the rewards! We will announce winners here on Friday 5/16. Good luck!

English

138

348

557

65.4K

SirAppSec retweetledi

PvJBlueTeam@PvJBlueTeam·19 Eyl

It's time! @BSidesNYC 2024 is happening, and so is Pros V Joes! We are going to be onsite, it's going to be awesome, and we want YOU to sign up as a Joe or Pro! Apply here! Apply Now! Pro reg: tinyurl.com/BSIDES-NYC-PRO… Joe reg: tinyurl.com/BSIDES-NYC-JOE… prosversusjoes.net

English

176

SirAppSec retweetledi

PvJRedCell@PvJRedCell·6 Ağu

T minus ninteen hours until @PVJCTF at @BSidesLV! New this year, Red Cell offering valet parking!* *vehicles not guaranteed

English

661

SirAppSec@SirAppSec·2 Eki

We should call Lua -> LuaIndex1 Just like prefixing dangerouslySetInnerHTML

English

SirAppSec@SirAppSec·14 Ağu

Got to take part in the Pros vs Joes CTF in #BSidesLV 2023 where I got to defend hack and code systems and applications during the conference. This tool was made just before the competition as prep, it monitors sensitive live file changes github.com/SirAppSec/file…

English

SirAppSec@SirAppSec·13 Ağu

23.defconparties.com/easy All defcon 31 parties this year!

English

SirAppSec@SirAppSec·11 Haz

@GelosSnake This post SLAPS

English

Omri Segev Moyal@GelosSnake·11 Haz

Truer than ever

Omri Segev Moyal@GelosSnake

We are moving to use Fortinet

English

1.4K

SirAppSec@SirAppSec·17 May

@jit_io #jitty #DevSecOps

GIF

QME

152

SirAppSec@SirAppSec·19 Mar

@ask_aubry My password is a deserialization polyglot to RCE

English

AskAubry 🦋 🐆🦝@ask_aubry·18 Mar

Is this true?

English

201

110

5.8K

1.2M

SirAppSec retweetledi

Joseph Cox@josephfcox·23 Şub

New: we proved it could be done. I used an AI replica of my voice to break into my bank account. The AI tricked the bank into thinking it was talking to me. Could access my balances, transactions, etc. Shatters the idea that voice biometrics are foolproof vice.com/en/article/dy7…