joernchen (@joernchen)

21.9K posts

Your mom's favorite hacker. Also at @[email protected]

Berlin, Germany. Joined January 2009
518 Following, 7.7K Followers

Pinned Tweet
joernchen (@joernchen):
Rare pic of a hacker attempting to find a Buffer Overflow vulnerability.
joernchen retweeted

André Baptista (@0xacb):
Parser Differentials by @joernchen is #10 in PortSwigger's Web Hacking Techniques of 2025. This technique takes advantage of the disagreement of two different components (like a load balancer and a backend app) on their interpretation of the exact same data. Worthy of a deep exploration. There's no blog post, but here's the talk 👇 youtu.be/Dq_KVLXzxH8?si…
John Lambert (@JohnLaTwC):
I was saddened at the passing of FX. Felix meant a lot to me. I met him while he was at n.runs doing engagements to help secure Microsoft products. He invited me to PH Neutral, the conference he founded, run by Phenoelit. @window Snyder introduced me to people. It was my first glimpse into the brilliant security research scene. A couple of years later we implemented ASLR in Windows. Where should we talk about it first? I said PH-Neutral. FX showed me kindness I will never forget as I presented our work (x.com/JohnLaTwC/stat…). It is said that "when an elder dies, a library burns." However, in FX's case, he left us with a gift. Many of us learned from him about security, technology, community, and being human. I will miss him terribly. If you didn't know him, phrack profiled him here: phrack.org/issues/68/2#ar

Quoting Daniel Cuthbert (@dcuthbert):
blog.recurity-labs.com/2026-03-02/Far… If you have any fond memories of FX, the lovely team at Recurity Labs would love to hear from you.
Daniel Cuthbert (@dcuthbert):
Everyone today is a hacker in a sense, but there are very few OG hackers on whose shoulders we stand. Oh dude, Felix "FX" Lindner, you were so much a hacker's hacker and you will be missed. RIP my friend, and thank you.
joernchen (@joernchen):
Lands of Packets TTL exceeded. I would like to collect texts from the scene about FX in his memory. A collection of obituaries that will then be posted on phenoelit.de. If anyone would like to contribute, please contact me. Mail: joernchen@phenoelit.de Signal: jrn.07
joernchen retweeted

Critical Thinking - Bug Bounty Podcast:
PortSwigger dropped their Top 10 Web Hacking Techniques of 2025 and we covered all of them on the pod (in a completely random order). Here's a quick intro of the first 5 we talked about:

    10 - @joernchen's parser differential talk from OffensiveCon25 is 28 minutes and worth every one of them. The JSON duplicate keys example is the entry point: Erlang reads the first `roles` key, JS reads the last, auth bypassed. But the double Authorization header trick is our fav part: the first header is the unsigned JWT with whatever admin attributes you want, the second is your legit low-priv token. The frontend validates the second and the backend grabs the first. youtube.com/watch?v=Dq_KVL…

    8 - @salvatoreabello's XSS-Leak has nothing to do with XSS; it's a timing attack against Chrome's connection pool scheduling that leaks cross-origin subdomains without any injection. CTFy origin, but the writeup covers applications outside the CTF context. Chromium only. blog.babelo.xyz/posts/cross-si…

    9 - @flomb_'s HTTP/2 CONNECT research needed an extra read off-camera to fully appreciate. He built a Go-based port scanner that runs entirely through HTTP/2 CONNECT tunnels — a successful connection returns :status 200, a failed one returns :status 503. Push raw HTTP/1.1 requests through and read back responses from internal services. If a target accepts CONNECT over HTTP/2, that's a free port scan and SSRF with no other precondition needed. blog.flomb.net/posts/http2con…

    7 - @zhero___'s Next.js research goes after the framework's internal cache. `__nextDataReq=1` turns the page response into JSON, `x-now-route-matches` tricks Next.js into treating the request as SSG, flipping `Cache-Control` to cacheable. `__nextDataReq` isn't in the cache key, but `Accept-Encoding` is, and every browser sends it... zhero-web-sec.github.io/research-and-t…

    5 - @chudyPB's SOAPwn is a quick 93 page read. It's a quirk in how .NET handles HTTP client proxies: feed `HttpWebClientProtocol` a `file://` URI instead of HTTP, the cast fails silently while HTTP setup gets skipped and the SOAP body gets written straight to disk. watchtowr.com/wp-content/upl…
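The JSON duplicate-key differential mentioned in the podcast post, shown as an added example (not code from the talk or the podcast): Python's json module, like JavaScript's JSON.parse, keeps the last value of a repeated key, while a first-key-wins parser sees a different object. The sample document and the `load_strict` loader that refuses duplicate keys at the trust boundary are constructed here for illustration.

```python
"""Added example: two reasonable JSON parsers disagree on a document with
a repeated key, and a strict loader that rejects such documents so every
component behind the boundary sees the same object."""
import json

# Constructed sample request body: "roles" appears twice.
SAMPLE = '{"user": "alice", "roles": ["admin"], "roles": ["guest"]}'


class DuplicateKeyError(ValueError):
    """Raised by load_strict when an object repeats a key."""


def load_last_wins(text: str) -> dict:
    """Default json.loads behaviour: the last duplicate key wins."""
    return json.loads(text)


def load_first_wins(text: str) -> dict:
    """Model a first-key-wins parser, the other side of the differential."""
    def keep_first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)  # later duplicates are ignored
        return out
    return json.loads(text, object_pairs_hook=keep_first)


def load_strict(text: str) -> dict:
    """Reject any object that repeats a key, at every nesting level."""
    def reject_dupes(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise DuplicateKeyError(f"duplicate key: {key!r}")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=reject_dupes)


def parsers_disagree(text: str) -> bool:
    """True when first-wins and last-wins parsing yield different objects."""
    return load_first_wins(text) != load_last_wins(text)


def is_strictly_valid(text: str) -> bool:
    """True when the document passes the duplicate-key check."""
    try:
        load_strict(text)
    except DuplicateKeyError:
        return False
    return True
```

Running `parsers_disagree(SAMPLE)` returns True, while `is_strictly_valid(SAMPLE)` returns False; a document without repeated keys passes both checks with identical results from either parser.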
joernchen retweeted

Phrack Zine (@phrack):
Important message from @joernchen in his @nullcon keynote presentation 🚀❤️
joernchen (@joernchen):
Be careful out there, identity theft is real!
joernchen (@joernchen):
I call the slides done, see you tomorrow at @nullcon
joernchen (@joernchen):
@schrotthaufen @nullcon That's why the presentation has "The future is now and the past keeps repeating itself" in its title.
アルミ (@schrotthaufen):
@joernchen @nullcon The 90s called. They want you to know you forgot your <blink> at the counter when you purchased <marquee>
joernchen (@joernchen):
Current status: Doing ✨annoyingly funky slide design✨ in preparation for @nullcon
joernchen (@joernchen):
unfortunately, and he seems stuck in this condition. We're based in Berlin, Germany, but really any contact with a specialist who would be willing to take on this case we'd be grateful for! To reach us you can DM me or contact us via email at unclear.condition@gmail.com [3/3]
joernchen (@joernchen):
(myoclonus and/or spasms) to finally find a cause and, above all, an effective therapy. The symptoms have been bothering our son ever since he was born, now for more than nine years, seriously affecting his sleep. The usual processes and medical contact points have failed us [2/3]
joernchen (@joernchen):
Today I have a more serious topic than usual, please consider reposting for reach: My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/3]
joernchen (@joernchen):
@LiveOverflow Thinking further: SSRF might be a building block comparable to parser differentials. Not a vuln on its own, but enabling vulnerabilities/weaknesses usually not reachable. Also "lack of checks" is a very simple primitive enabling IDOR and similar things.
LiveOverflow 🔴 (@LiveOverflow):
What are the elementary atomic building blocks for all other types of vulnerabilities? I think "injection" and "parser differential" are definitely on the list. But what else?
joernchen retweeted

NULLCON (@nullcon):
👩‍💻 AI intern on "vibe mode" — what could go wrong? 🥳 #NullconBerlin2025 is excited to announce Joern Schneeweisz as our #keynotespeaker, who'll take us on a wild ride through prompt injections, AI double agents, and accidental database wipeouts 👉 nullcon.net/berlin-2025/sp… #LLM