Pinned Tweet
Luke Turvey
4.7K posts

Luke Turvey
@TurvSec
Professional Hacker. Founder of PenTest reporting tool https://t.co/wU45D4wCUG Collects infosec tools like Pokémon cards at: https://t.co/HUC8oTdRCo
Buckinghamshire Joined May 2009
379 Following 7.7K Followers

@ZackKorman This is hilarious because I was going to comment Darktrace but then my experience of them was from like 10 years ago.
So they're still terrible? 💀

It turns out people really don’t like Darktrace.
Zack Korman@ZackKorman
Which cybersecurity companies have the worst sales and marketing tactics? And follow up question: Do you / your company use their products anyway?

@IceSolst I can't prove it but honestly, I don't believe this. There's no way that Azerbaijan IDOR was a false positive.

For years, Google API keys (AIza...) had little to no real-world impact.
But recently, many of them unexpectedly gained access to Google Gemini.
curl "generativelanguage.googleapis.com/v1/models?key=…"
This appears to be a widespread misconfiguration that can be hunted in the wild.

@TurvSec Color scheme is on point and that’s all that matters.

Which cybersecurity companies have the worst sales and marketing tactics? And follow up question: Do you / your company use their products anyway?
solst/ICE of Astarte@IceSolst
infosec has a sales problem: bias, lies, lack of nuance, manipulation, extortion, spam, harassment, kicking you out for handing out anti-drink-spiking covers…

@Ross_Starkey_ @robprogressive Completely agree. Can’t be having money just appear out of nowhere. Much better when it slowly appears via an ISA instead.
And in fact, I actually make a point of asking for a pay cut whenever I’m offered a raise. Got to stay humble and grind as hard as possible.

I don't play the lottery. Never have.
Not even because of the odds. I just think if I ever built real wealth, I'd want to know I earned it. Winning it would feel like cheating.
£58.70 a week, invested into an ISA for 20 years, would change someone's life. And they'd actually understand how they got there.

A lady in front of me in the queue spent £58.70 on the lottery
3 people before her all bought lottery tickets, spending £2 to £12
The odds of winning the lottery in the UK are 1 in 45,057,474
This highlights everything that is wrong with how people are taught about money in this country
That £2 or £5 or £10 a week, if invested & compounded over decades, could meaningfully contribute to their future financial security

@IAMERICAbooted I just finished an engagement where user accounts are just UN00001 to UN99999 and they have an AD connected login portal externally facing.
They have a 5 wrong password and manual unlock policy 💀

@ZackKorman @j2k3k Well now I know it's up for grabs, I'm considering making a cybersecurity startup that uses AI.

My new company now has a name: Embroidery.
Might even launch an actual product at some point.
embroidery.io

@UK_Daniel_Card I think I use Claude almost every day now. Coding, making gym routines, helping organise things, research. My life has improved considerably lol

@UK_Daniel_Card For real though, how incredible is it that we can just make basically anything we dream of now.
Life is so easy

@UK_Daniel_Card Yeah but it's irrelevant because you didn't code it yourself so it's useless and vulnerable and slop.

@hetmehtaa This reminds me of when a client got mad at a colleague of mine.
He was using a common wordlist to find web paths and the wordlist contained a bunch of swear words that appeared in the client's logs.

spent 3 hours today doing a full penetration test on our production server
found nothing
very secure
went home proud
our client called at 11pm saying their website is showing a directory listing of every internal file including something called "salaries_real_final_2024.xlsx"
i told them that's actually a feature
it's called "transparency"
they did not agree with my interpretation
i have been asked to redo the pentest
i retried the same thing again
found nothing again
i think the issue is on their end honestly

@WebSecAcademy Get those alternative IP representations here
vulnsy.com/free-tools/alt…

Your SSRF filter blocks 127.0.0.1 and localhost. That's okay! Try these:
2130706433 (decimal)
017700000001 (octal)
127.1 (shorthand)
127.0.0.0 (with subnet tricks)
0x7f000001 (hex)
They all resolve to localhost. Many blacklists don't catch all of them.
Try this technique, and plenty of other SSRF techniques, in our free SSRF labs! portswigger.net/web-security/s…
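The reason the forms above slip past a blacklist is that the filter compares strings while the socket layer parses numbers: `inet_aton` accepts hex (`0x`), octal (leading `0`) and decimal components, and a literal with fewer than four components has its last component spread over the remaining bytes, so `127.1` is `127.0.0.1`. The defender's fix is to canonicalize the literal with the same rules and then decide on the resulting address, not on the text. The following is an added example written for this page, not code from the tweet or from PortSwigger; the function names are mine, the range checks come from Python's standard `ipaddress` module, and the sample inputs are constructed.

```python
import ipaddress
import re

# Address classes a server-side fetcher should refuse to talk to: loopback,
# RFC 1918 / other private ranges, link-local (cloud metadata endpoints sit
# at 169.254.169.254), the unspecified address, multicast and reserved space.
_BLOCKED_CHECKS = ("is_loopback", "is_private", "is_link_local",
                   "is_unspecified", "is_multicast", "is_reserved")


def naive_blacklist_blocks(literal: str) -> bool:
    """The kind of check the tweet describes: plain string comparison."""
    return literal in {"127.0.0.1", "localhost"}


def _parse_component(part: str) -> int:
    """Parse one dotted component with the classic inet_aton rules:
    0x prefix = hex, leading 0 = octal, anything else = decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(f"not a numeric IPv4 component: {part!r}")


def canonicalize_ipv4(literal: str) -> ipaddress.IPv4Address:
    """Turn any inet_aton-style literal (1 to 4 components, each decimal,
    octal or hex) into a normal IPv4Address, so "2130706433",
    "017700000001", "127.1" and "0x7f000001" all become 127.0.0.1."""
    parts = literal.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"expected 1-4 components, got {len(parts)}")
    values = [_parse_component(p) for p in parts]
    # Every component except the last is exactly one byte; the last one
    # fills all remaining bytes (this is why 127.1 equals 127.0.0.1).
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError(f"component {v} exceeds one byte")
    tail_bytes = 5 - len(values)
    if values[-1] >= 1 << (8 * tail_bytes):
        raise ValueError(f"final component {values[-1]} is too large")
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << (8 * tail_bytes)) | values[-1]
    return ipaddress.IPv4Address(packed)


def is_ipv4_literal(text: str) -> bool:
    """True if the text parses as an IPv4 literal under the rules above."""
    try:
        canonicalize_ipv4(text)
        return True
    except ValueError:
        return False


def classify(literal: str) -> tuple[str, str]:
    """Return (canonical dotted-quad, "deny" or "allow") for an IPv4 literal.
    Raises ValueError for anything that is not a literal, such as a hostname;
    the caller must resolve those first and classify the resolved address."""
    addr = canonicalize_ipv4(literal)
    blocked = any(getattr(addr, check) for check in _BLOCKED_CHECKS)
    return str(addr), ("deny" if blocked else "allow")


if __name__ == "__main__":
    # Constructed samples: the forms from the tweet plus a few extras.
    samples = ["127.0.0.1", "localhost", "2130706433", "017700000001",
               "127.1", "127.0.0.0", "0x7f000001", "0177.0.0.1",
               "169.254.169.254", "8.8.8.8"]
    for sample in samples:
        if is_ipv4_literal(sample):
            print(f"{sample:>16} -> {classify(sample)}")
        else:
            print(f"{sample:>16} -> not a literal; resolve it, then classify the address")
```

Two caveats when turning this into a real SSRF control. First, a hostname has to be resolved and the resolved address checked, and the connection must then be made to that exact address (otherwise a second lookup at connect time can return something different). Second, this handles IPv4 only; IPv6 literals such as `[::1]` and IPv4-mapped forms like `::ffff:127.0.0.1` need the same canonicalize-then-classify treatment, and HTTP redirects need the check re-applied on every hop. An allowlist of permitted destinations remains the stronger default where the application can support one.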

@rezoundous I genuinely don't get why people can't just send each other concise emails to avoid the pointless small talk and other wasted time on calls