Nadir (@kapytein)
269 posts
stuff at @aikidosecurity
The Netherlands · Joined February 2018
530 Following · 1.4K Followers
Luke Turvey (@TurvSec):
@theXSSrat @AikidoSecurity What 😭 surely if they're going to out of scope something like this, it would be within the same tenant. Cross-tenant access is not an issue?!
Nadir (@kapytein):
@theXSSrat @AikidoSecurity We are revamping the bug bounty program's scope soon though, so keep an eye out for any updates.
Nadir (@kapytein):
@theXSSrat @AikidoSecurity Not having it in scope doesn’t mean we don't care about it per se! The focus of the BBP was on different vuln. classes, and e.g. internal efforts could get in the way of researchers, so having a vuln. class (temp.) out of scope actually helps to avoid that.
Nadir retweeted
keshav (@keshavchan):
when building ai products, the key is having some reliable signal about what is working and what is not. whether that signal comes from evals, user feedback, your own taste, performance metrics, or just gut feel does not really matter as long as it is giving you actionable information about where to focus your efforts. the mistake is either having no signal at all (just building blindly) or getting caught up in the methodology of the signal rather than its utility. a formal eval that tells you nothing useful is worse than informal feedback that clearly points to real problems
Quoting Shreya Shankar (@sh_reya): i did not expect to wake up this morning and write a blog post
Nadir (@kapytein):
@rez0__ Bug bounty hunting, on at least web applications, has always been about discovery instead of exploitation. Exploitation has always been straightforward in most cases (excluding escalating issues into more severe bug classes). So, the work here by @Xbow is definitely impressive.
Joseph Thacker (@rez0__):
huge L. it's impressive how much it tested to eventually arrive at the vuln. anyone liking and laughing without having found bugs on live bug bounty targets should go try before judging. on the costs, you have to be blind to not see how costs will fall and models improve.
Quoting Tib3rius (@0xTib3rius): "most tools would have given up" "A master class on path traversal exploitation" "the vulnerable endpoint permitted local file access via the file:// scheme" "/photo/proxy?url=file:///etc/passwd" ... 🤣🤣🤣 The marketing is the most impressive thing here.
Nadir retweeted
slonser (@slonser_):
Today I used a technique that’s probably not widely known in the community. In what cases could code like this lead to a vulnerability? ->
[image attached]
Nadir (@kapytein):
@Rhynorater Mostly because CSPT are not 1:1 reproducible across targets. It’s a novel approach every single time (esp. when chaining bugs), which makes it a beautiful bug class.
Justin Gardner (@Rhynorater):
CSPT is such a stunning bug type. So prevalent too.
Nadir retweeted
Nat Friedman (@natfriedman):
We did it! We tested 300 Bay Area foods for plastic chemicals. We found some interesting surprises. Top 5 findings in our test results:
1. Our tests found plastic chemicals in 86% of all foods, with phthalates in 73% of the tested products and bisphenols in 22%. It's everywhere.
2. We detected phthalates in most baby foods and prenatal vitamins.
3. Hot foods which spend 45 minutes in takeout containers have 34% higher levels of plastic chemicals than the same dishes tested directly from the restaurant.
4. The 1950s Army rations we tested contained surprisingly high levels of plastic chemicals.
5. Almost every single one of the foods we tested is within both US FDA and EU EFSA regulations.
Check out our full results below.
Quoting Nat Friedman (@natfriedman): I'm going to re-run all these tests on food we eat in California. Also going to test for other plastic chemicals. Let me know what foods we should test and suggestions for methodology.
Nadir retweeted
Hudzah (@hudzah):
in a couple weeks, i built a nuclear fusor in my bedroom – with zero hardware experience. the secret? Claude sonnet 3.5 + projects. a glimpse into the process below
[images attached]
Nadir retweeted
Tal Be'ery (@TalBeerySec):
Pass-the-{token} attacks are still very much relevant. Tokens may change: Cookie, NT Hash, Kerberos ticket, MFA token, ... However, the problem is not in the "token" but in the "pass". We need solutions to make tokens stay put, such as device and channel binding.
Quoting Microsoft Threat Intelligence (@MsftSecIntel): Microsoft has detected a 111% year-over-year increase in token replay attacks, and incidents are continuing to grow. msft.it/6011lSgZ7
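The "make tokens stay put" idea from the retweet above, as an added example that is not part of the thread and not any vendor's implementation: a session token whose MAC covers a channel/device binding value, so the same token presented from a different channel is rejected. The HMAC layout, the `SERVER_KEY`, the `channel_binding` derivation and the sample device material are all constructed for illustration; in a real deployment the binding would come from something the client can prove possession of (a TLS channel-binding value, a device-held key's fingerprint, and so on).

```python
"""Channel/device-bound session tokens (added example, constructed scheme).

A plain bearer token is valid wherever it is replayed. Here the token carries
the binding of the channel it was issued on, and the server-side MAC covers
that binding, so the token is useless off that channel and cannot be
re-bound without the server key.
"""
import hashlib
import hmac
import secrets

# Constructed server-side signing key; a real service loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def channel_binding(client_material: bytes) -> str:
    """Derive the binding value from material the client proves possession of.
    The bytes passed in here are constructed stand-ins (e.g. a device public key)."""
    return hashlib.sha256(client_material).hexdigest()


def issue_token(user: str, binding: str) -> str:
    """Mint `user.nonce.binding.mac`. The MAC covers user, nonce and binding,
    so none of them can be changed without the server key. (The user field is
    assumed not to contain '.'; a real format would use a proper encoding.)"""
    nonce = secrets.token_hex(8)
    payload = f"{user}.{nonce}.{binding}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{user}.{nonce}.{binding}.{mac}"


def verify_token(token: str, presented_binding: str) -> tuple[bool, str]:
    """Accept only if the MAC is intact AND the binding inside the token equals
    the binding of the channel the token is arriving on right now."""
    try:
        user, nonce, binding, mac = token.split(".")
    except ValueError:
        return False, "malformed"
    payload = f"{user}.{nonce}.{binding}".encode()
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False, "bad-mac"
    if not hmac.compare_digest(binding, presented_binding):
        # Intact token, wrong channel: this is the "pass" the tweet talks about,
        # and it is the event a detection pipeline should alert on.
        return False, "binding-mismatch"
    return True, user


def replay_check() -> dict:
    """Walk through issuance, legitimate use, a replay from another channel,
    and an attempt to re-bind the token by editing its binding field."""
    victim_binding = channel_binding(b"constructed-victim-device-key")
    other_binding = channel_binding(b"constructed-other-device-key")
    token = issue_token("alice", victim_binding)
    return {
        "legit": verify_token(token, victim_binding),
        "replayed": verify_token(token, other_binding),
        "tampered": verify_token(token.replace(victim_binding, other_binding), other_binding),
    }


if __name__ == "__main__":
    for case, result in replay_check().items():
        print(f"{case:>9}: {result}")
```

The `binding-mismatch` outcome is the one worth counting: a token that verifies cryptographically but arrives on the wrong channel is, by construction, a replayed token, which makes the check useful as a detection signal as well as a mitigation.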
Nadir (@kapytein):
@charafmrah @benawad IMO it is fine. There are usually other ways to achieve persistence, e.g. by inviting your own user account to an affected tenant, changing the user's e-mail address, linking a social login account, creating an API key, etc. The impact of an XSS doesn't really change.
charaf (@charafmrah):
@benawad It’s actually not fine. Just because your code might be vulnerable to XSS doesn’t mean you should make it easier to exploit.
Nadir retweeted
Ruikai Peng (@ruikai):
My latest blog about my discovery for Evernote Client All-platform RCE via PDF.js font-injection to preload.js exposed ipcRenderer-BrokerBridge-boron.actions bypassing Electron's nodeIntegration | context-isolation; Enjoy reading! 0reg.dev/blog/evernote-…
Nadir retweeted
spaceraccoon | Eugene Lim (@spaceraccoonsec):
I love crossover bugs that go between web/mobile/native because there are so many strange interactions that occur and a lot can go wrong - this research was another result of this! spaceraccoon.dev/universal-code…
Thiezn (@thiezn_):
@gregxsunday the well known 'proxy-urldecodes-my-params-for-me' attack, aka PUMPFM, aka PUMP-FOR-ME
Bug Bounty Reports Explained (@gregxsunday):
What is the name of the attack when the backend does not URL-encode my parameter when making a request to a microservice or 3rd party API so I can inject params? E.g. I send /path?param=a%26trusted_param=b and the backend request goes to /api/whatever?param=a&trusted_param=b
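The forwarding bug in the question above, as an added example that is not part of the thread: the web framework has already decoded `param=a%26trusted_param=b` to `a&trusted_param=b`, and the backend pastes that decoded value into the query string of its own request to the microservice, so the `&` becomes a parameter separator downstream. The vulnerable builder sits beside the corrected one (encode each value exactly once when constructing the outgoing request), plus a round-trip check that flags the problem. The path `/api/whatever` and the parameter names follow the tweet; the `server-side` value and the sample input are constructed.

```python
"""Forwarding a user-supplied parameter to an internal API (added example).

Models the pattern from the tweet above: the value the backend holds is already
URL-decoded, and only the request *it* builds decides whether that value stays a
single parameter downstream.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# What the backend sees after its framework decoded `param=a%26trusted_param=b`.
# Constructed sample input mirroring the tweet.
USER_VALUE = "a&trusted_param=b"


def build_url_unsafe(user_value: str) -> str:
    """Re-encodes nothing: the decoded value is pasted straight into the downstream
    query string, so a literal '&' or '=' in it becomes a new key/value pair from
    the microservice's point of view."""
    return f"/api/whatever?param={user_value}&trusted_param=server-side"


def build_url_safe(user_value: str) -> str:
    """Encodes every value once while building the downstream request, so the
    user's '&' and '=' stay inside the single `param` value."""
    query = urlencode({"param": user_value, "trusted_param": "server-side"})
    return f"/api/whatever?{query}"


def downstream_params(url: str) -> dict:
    """What the microservice actually receives. All values are kept; which of two
    duplicate values a given framework honours (first or last) varies, which is
    exactly why duplicates must never reach it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def injection_detected(user_value: str, url: str) -> bool:
    """Defensive round-trip check: parse the URL we are about to send and confirm
    that the user-controlled value comes back unchanged as one `param` and that
    no parameter name appears more than once. Either failure means the value was
    not encoded on the way out."""
    params = downstream_params(url)
    duplicated = any(len(values) > 1 for values in params.values())
    return duplicated or params.get("param") != [user_value]


if __name__ == "__main__":
    for label, builder in (("unsafe", build_url_unsafe), ("safe", build_url_safe)):
        url = builder(USER_VALUE)
        print(f"{label}: {url}")
        print(f"  downstream sees: {downstream_params(url)}")
        print(f"  injection detected: {injection_detected(USER_VALUE, url)}")
```

`urlencode` uses `quote_plus` for values, so `&` and `=` become `%26` and `%3D` in the outgoing request and the microservice decodes them back into the value of `param` rather than into a second `trusted_param`.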