Adam Willard

116 posts

@asw_sec

Penetration Testing and Web Application Security

Joined June 2014
73 Following, 160 Followers
Adam Willard@asw_sec·
@CarMax even though I didn’t have the best experience, I care deeply about people experiencing hard times. Unfortunately the manager's wife has triple negative breast cancer. In the mail today was this. So much love.
Adam Willard@asw_sec·
Huge shoutout to @MedUnivSC. Thanks to a cancellation, they got me scheduled for my ileostomy reversal in under 48 hours. Faced some complications, but their care and skill went above and beyond. Home and recovering!
Adam Willard@asw_sec·
@ColleenD11 @MedUnivSC Happy Thanksgiving to you all also. So very grateful! What a perfect time to celebrate Thanksgiving!
Adam Willard@asw_sec·
So thankful for @MedUnivSC for my temporary ileostomy and tumor removal. I have some amazing people on my care team. Just 4 days ago I was in surgery. Today I was able to be back to work. Happy that I will be able to enjoy Thanksgiving. Still a long road ahead.
Adam Willard@asw_sec·
Been a hell of a year battling cancer. Wife surprised me with the @steelers crucial catch hoodie. So far this year… 4 colonoscopies, port surgery, radiation with chemo pills, 8 chemo infusions (4 more in my future) and waiting to schedule surgery. Enjoying a short break.
Adam Willard@asw_sec·
@netflix I would love to see the petter putter used in the movie.
Netflix@netflix·
Happy Gilmore 2 is officially in production ⛳️
Adam Willard@asw_sec·
Earlier this year I was credited with CVE-2024-25693 for ArcGIS with a base CVSS of 9.9. This vulnerability was a lot of fun as it chained several vulnerabilities together resulting in unauthenticated access to a web shell.
Adam Willard@asw_sec·
Slowly getting the office together. Would have loved all black chairs but maybe next time. #Secretlab Penetration Testing setup.
Dave Kennedy@HackingDave·
Alright - I’m back in business baby and not on the couch. Entire household including wife said best hotdogs they’ve ever had. Wife said wow these are like stadium hotdogs. Nailed it. 😂😂😂
Adam Willard@asw_sec·
Finally caught the mouse in my trash can that had been eating my string cheese. It is now dead.
Adam Willard@asw_sec·
I was asked to show more than an alert for XSS in SharePoint. I was able to access the user’s private/public files, delete and upload files to their drive. The XSS I reported was patched. The scripts used with the XSS are in the code of the repo. github.com/awillard1/shar…
Adam Willard@asw_sec·
We ended up snagging a pick at @CCMFLive with Duddy and @SublimeWithRome. Was not expecting to sing happy birthday to Rome or the vibe they brought to the venue.
Adam Willard@asw_sec·
@NahamSec Definitely. Have you had a dupe of a vulnerability you submitted, never released to the public of a specific payload, where the platform leaked your payload to everyone and when you submit the next vuln you are the dupe even though it is your exact payload just on a dif endpoint?
Ben Sadeghipour@NahamSec·
Submitting a critical is cool but have you ever gotten a dupe of a crit?
Adam Willard@asw_sec·
I apologize, the example 14 isn’t real world since it relies on fetch and a string. The concept is worth learning. Using what is in the JavaScript to exploit XSS without actually typing a normal payload. It is an interesting exercise. Encountered a few times but not this easy.
Adam Willard@asw_sec·
Have a way to go. Some allow payloads that aren’t the intended solution (need to code checks for things Burp discovers). Trying to create XSS that happens in the real world. The intended payloads are based on alert and document.domain unless specified. github.com/awillard1/XSS-…
Adam Willard@asw_sec·
There are 102 payloads that are not your normal XSS payloads. Some are very abstract but a lot are based off JavaScript concepts. There are payloads in the list that bypass major WAFs.
Adam Willard@asw_sec·
While this gist page is a snapshot in time for the payloads (URL changes when new payloads are added), I went through and created some abstract #XSS payloads. You can fire these off in the web developer console to see these execute. gist.github.com/awillard1/b7fc…