Arminius
58 posts

Arminius @rawsec

Your friendly infosec fanboy. I do bug bounty hunting, CTFs, some FOSS, subpar chess. HoF: Google, Chromium, Firefox, Facebook, Paypal et al

In the wild · Joined October 2013
1.2K Following · 1.1K Followers

Pinned Tweet
Arminius @rawsec
Mini XSS challenge 3. Can you solve it? 🤔 <?php $n = bin2hex(random_bytes(8)); header("Content-Security-Policy: script-src 'nonce-$n'"); printf('<script nonce=%s>"%s"</script>%s', $n, str_replace('"', '', $_GET['a']), $_GET['b']); ?> #minixss #ctf

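The challenge snippet above reflects two request parameters into the page, one inside an inline script and one into the HTML body. The following is an added example, not code from the tweet or its author: a hardened rewrite that keeps the same shape (a nonce'd inline script carrying a user value, then user-controlled body content) but encodes each value for the context it lands in. The helper names (js_string_literal, html_text, query_string_param) are ours, and the CSP is tightened beyond the challenge's script-src-only policy with a default-src baseline and base-uri / object-src restrictions.

```php
<?php
// Added example (not from the original tweet): a hardened rewrite of the
// "Mini XSS challenge 3" snippet. Helper names are our own choice.
declare(strict_types=1);

/** Encode a value as a JavaScript string literal that is safe inside <script>. */
function js_string_literal(string $s): string
{
    // JSON_HEX_* turn < > & ' " into \uXXXX escapes, and json_encode escapes
    // "/" as "\/", so the literal can never contain "</script>" or close its
    // own quotes, whatever the input.
    $lit = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    // json_encode() returns false on invalid UTF-8; emit an empty literal instead.
    return $lit === false ? '""' : $lit;
}

/** Encode a value as HTML text so it is rendered, never parsed as markup. */
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Read a query parameter as a string only; array-shaped input (a[]=x) is rejected. */
function query_string_param(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? $v : '';
}

$n = bin2hex(random_bytes(16));

// Same nonce-based policy as the challenge, tightened with a default-src
// baseline and the usual base-uri / object-src restrictions.
header("Content-Security-Policy: default-src 'none'; script-src 'nonce-$n'; base-uri 'none'; object-src 'none'");
header('X-Content-Type-Options: nosniff');
header('Content-Type: text/html; charset=UTF-8');

printf(
    '<script nonce="%s">var a = %s;</script><div>%s</div>',
    $n,                                          // hex digits only, quoted anyway
    js_string_literal(query_string_param('a')),  // JavaScript string context
    html_text(query_string_param('b'))           // HTML text context
);
```

The point is one encoder per output context: a JSON-encoded literal with the JSON_HEX flags for the script body, and htmlspecialchars for the HTML text. Stripping a single character, as the challenge does, is not an encoding step. A real page would extend default-src with the style, image and connect sources it actually needs rather than leaving it at 'none'.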
Arminius @rawsec
@nazarpc @qtile Appreciate it! Great to see someone with a developer background using it. :)

Nazar Mokrynskyi @nazarpc
@rawsec's Paxmod is AMAZING! I was lacking it ever since Firefox started dropping APIs and killed TabMixPlus. Found accidentally because I'm also using Plasma layout for @qtile. Thank you! 😍

Alex Popov Jr @AlexPopovJr
@rawsec Hi! I love Semshi. I was wondering if you still work on it or accept pull requests. Wanted to know if it's worth doing the work to add docstring highlighting support.

Kraken Support @krakensupport
@rawsec Hi Arminius, our security team did get your report and we are contacting them again to find out what the status of it is.

Arminius @rawsec
Hey @krakenfx @krakensupport. I reported a major security vulnerability on your exchange 74 days ago. It's still open, and both your support and security team are ghosting me. Any help? #bugbounty $btc

Arminius @rawsec
Sigh. It's 2020. Crypto exchange @kucoincom just awarded me a $28.49 bounty for an unconditional XSS vuln on their main domain. (via 3rd party component but still...) A little deceitful to call that a #bugbounty program 🤷 @gan_chun $KCS

Arminius @rawsec
Know someone who needs a Titan security key bundle from Google? Got that promo mail where someone gets a free bundle if I refer them to Google's Advanced Protection Program

Arminius @rawsec
@krakensupport I reported a security vulnerability on @krakenfx a week ago, but you did not reply. Could you have another look?

Arminius @rawsec
@coolfire It got CVE-2019-12735. I had suspected the modeline "sandbox" didn't receive much attention, so it was just an afternoon of manually looking through the vim source and docs.

Cool Fire @coolfire
@rawsec Did you get a CVE number for this? Would be handy to track if distros have rolled out a patch yet. Also I'd be interested in learning how you found this bug. It looks like the sort of thing that might be hard to get to if you were just fuzzing modelines.

Arminius @rawsec
Arbitrary code execution vulnerability in Vim < 8.1.1365 and Neovim < 0.3.6 via modelines. 😬 Also, why you should not use Vim with default config, or cat without -v. github.com/numirias/secur…

Arminius @rawsec
@Rhynorater Spending more time on potential param pollution bugs like messing with bad encoding is a great point

Justin Gardner @Rhynorater
Technical takeaways from H1-415: Using invalid URL encoding sequences (i.e. %$1) can cause HTTP parameter pollution, do virtual host scanning with ports, find the origin server for things behind CDNs, and brute force GraphQL endpoints if introspection is off.

Arminius @rawsec
@LLNSPay @itaibn_ Ah, that's neat! Never dealt with PHP_SESSION_UPLOAD_PROGRESS before. But at least the idea to populate a local file with the payload and chain wrappers/filters to manipulate it to the start of the file was the right direction. :)

Arminius @rawsec
Want a riddle for your coffee break (or, if you're me, a weekend full of despair)? Try this tricky "One Line PHP Challenge" from #HITCON #CTF <?php ($_=@$_GET['orange']) && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__); ?> http://54.250.246.238/

Arminius @rawsec
@LLNSPay Like, say, php://filter/string.strip_tags/convert.base64-decode/resource=/proc/self/environ with a crafted "Accept:" header, hoping Apache sets HTTP_ACCEPT in env. (using strip_tags so that a payload ending with <x cuts off rest). But my blind attempts didn't get me anywhere.

Arminius @rawsec
@LLNSPay I was thinking stream filters (php://filter/...) on a local file that reflects parts of the request (maybe /proc/self/environ or logfiles). Chaining some filters cleverly (base64-decode, etc.), the local file wouldn't even need to start with `@<?php`. But had no success.

Arminius @rawsec
@orange_8361 I want my weekend back. And my sanity. :-) Gonna dream of PHP filters tonight...

Orange Tsai 🍊 @orange_8361
HITCON CTF (also the first DEFCON pre-qualify CTF) is now running! I designed several web challenges and here is the one - One Line PHP Challenge! ctf2018.hitcon.org

Arminius @rawsec
@StackStatus "Hey Joel, our Microsoft Access trial is expiring in October" - "Make it a P4 ticket then, still plenty of time"

StackExchange Status @StackStatus
We're investigating a database overload and working to resolve it ASAP.

Arminius @rawsec
@itaibn_ I'll give it about a week. I can DM you the intended solution afterwards if you're interested

Itaibn @itaibn_
@rawsec Will you upload the answer for this later?
