Nicolas Grégoire
@agarri.fr
Web hacker 😈
Burp Suite Pro trainer 👨🏫
Maintainer of @mastering-burp.agarri.fr 🛠️
Burp Suite Pro trainer 👨🏫
Maintainer of @mastering-burp.agarri.fr 🛠️
Both Chrome and Firefox will disable XSLT in 2026 🪦
I fully agree with them: nobody uses this technology anymore in a browser, and it's full of bugs (as my previous research demonstrates)
bugzilla.mozilla.org/show_bug.cgi...
developer.chrome.com/docs/web-pla...
I fully agree with them: nobody uses this technology anymore in a browser, and it's full of bugs (as my previous research demonstrates)
bugzilla.mozilla.org/show_bug.cgi...
developer.chrome.com/docs/web-pla...
November 12, 2025 at 4:10 PM
Both Chrome and Firefox will disable XSLT in 2026 🪦
I fully agree with them: nobody uses this technology anymore in a browser, and it's full of bugs (as my previous research demonstrates)
bugzilla.mozilla.org/show_bug.cgi...
developer.chrome.com/docs/web-pla...
I fully agree with them: nobody uses this technology anymore in a browser, and it's full of bugs (as my previous research demonstrates)
bugzilla.mozilla.org/show_bug.cgi...
developer.chrome.com/docs/web-pla...
Reposted by Nicolas Grégoire
The release candidate of the OWASP Top 10 2025 has been released
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
owasp.org
November 7, 2025 at 12:19 PM
The release candidate of the OWASP Top 10 2025 has been released
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
Bizarrement, personne ne brandit l’article 40 du CPP pour les vidéos de Sainte-Soline publiées par Libération… 🥴
www.dailymotion.com/video/k1Tvpm...
www.dailymotion.com/video/k1Tvpm...
Tirs interdits et volonté de blesser : révélations sur les violences des gendarmes à Sainte-Soline
Dailymotion video by Libération
www.dailymotion.com
November 9, 2025 at 6:58 PM
Bizarrement, personne ne brandit l’article 40 du CPP pour les vidéos de Sainte-Soline publiées par Libération… 🥴
www.dailymotion.com/video/k1Tvpm...
www.dailymotion.com/video/k1Tvpm...
The release candidate of the OWASP Top 10 2025 has been released
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
Introduction - OWASP Top 10:2025 RC1
OWASP Top 10:2025 RC1
owasp.org
November 7, 2025 at 12:19 PM
The release candidate of the OWASP Top 10 2025 has been released
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
owasp.org/Top10/2025/0...
The definitive release should be out on November 20th
Reposted by Nicolas Grégoire
If you still haven't: set up a JS file monitor to send you notifications via Telegram or Slack every time your target app JavaScript gets updated, a great way to stay on top of updates 👾
https://github.com/robre/jsmon
There's also a fork with Discord support:
https://github.com/robre/jsmon
There's also a fork with Discord support:
GitHub - seczq/jsmon: a javascript change monitoring tool for bugbounties
a javascript change monitoring tool for bugbounties - GitHub - seczq/jsmon: a javascript change monitoring tool for bugbounties
github.com
November 7, 2025 at 9:38 AM
If you still haven't: set up a JS file monitor to send you notifications via Telegram or Slack every time your target app JavaScript gets updated, a great way to stay on top of updates 👾
https://github.com/robre/jsmon
There's also a fork with Discord support:
https://github.com/robre/jsmon
There's also a fork with Discord support:
Reposted by Nicolas Grégoire
"who radicalized you"
Nothing radicalized me, I was born with basic empathy. The world decided that was radical.
Nothing radicalized me, I was born with basic empathy. The world decided that was radical.
November 5, 2025 at 5:47 PM
"who radicalized you"
Nothing radicalized me, I was born with basic empathy. The world decided that was radical.
Nothing radicalized me, I was born with basic empathy. The world decided that was radical.
If you want to see beautiful pictures (and that’s an euphemism) in your feed, simply follow @armandsarlangue.bsky.social
November 7, 2025 at 8:15 AM
If you want to see beautiful pictures (and that’s an euphemism) in your feed, simply follow @armandsarlangue.bsky.social
If this is NOT corruption, then I wonder what corruption looks like 🤔
Newsletter: Faced with blowback over his pardon of Binance founder Changpeng Zhao, President Trump has offered a curious defense: he doesn’t even know the guy.
Trump says he has “no idea” who he just pardoned
President Trump reacts to condemnations of his recent pardon of Binance founder Changpeng Zhao by claiming he doesn’t know who he is.
www.citationneeded.news
November 7, 2025 at 7:20 AM
If this is NOT corruption, then I wonder what corruption looks like 🤔
Reposted by Nicolas Grégoire
How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia:
techcrunch.com/2025/11/03/h...
#exploit #exploitation #zeroday #infosec #informationsecurity #cybersecurity
techcrunch.com/2025/11/03/h...
#exploit #exploitation #zeroday #infosec #informationsecurity #cybersecurity
How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia | TechCrunch
Peter Williams sold eight exploits to a Russian zero-day broker by smuggling them from his employer’s highly secured air-gapped network. A court document, plus exclusive reporting by TechCrunch and in...
techcrunch.com
November 4, 2025 at 9:16 PM
How an ex-L3Harris Trenchant boss stole and sold cyber exploits to Russia:
techcrunch.com/2025/11/03/h...
#exploit #exploitation #zeroday #infosec #informationsecurity #cybersecurity
techcrunch.com/2025/11/03/h...
#exploit #exploitation #zeroday #infosec #informationsecurity #cybersecurity
Ackman’s take is ridiculous 🤡
It’s been fun watching Ackman flip-flop on prediction markets depending on what they show.
Sept 7: “directionally correct”, “you can have much greater confidence in the accuracy of their predictions”
Oct 28: “it takes only a small amount of capital to influence Polymarket trading levels”
Sept 7: “directionally correct”, “you can have much greater confidence in the accuracy of their predictions”
Oct 28: “it takes only a small amount of capital to influence Polymarket trading levels”
November 7, 2025 at 7:06 AM
Ackman’s take is ridiculous 🤡
In France, we had a somewhat related story last year. In the end, Florent Curtet was sentenced for criminal conspiracy and complicity in attempted extortion
www.lemonde.fr/pixels/artic...
www.lemonde.fr/pixels/artic...
November 7, 2025 at 6:56 AM
In France, we had a somewhat related story last year. In the end, Florent Curtet was sentenced for criminal conspiracy and complicity in attempted extortion
www.lemonde.fr/pixels/artic...
www.lemonde.fr/pixels/artic...
Reposted by Nicolas Grégoire
This is a cool attack, create a machine running in Hyper-V on a victim's machine and do all your attacking through that while it runs in the background.
www.theregister.com/2025/11/04/r...
www.theregister.com/2025/11/04/r...
November 5, 2025 at 11:06 AM
This is a cool attack, create a machine running in Hyper-V on a victim's machine and do all your attacking through that while it runs in the background.
www.theregister.com/2025/11/04/r...
www.theregister.com/2025/11/04/r...
Reposted by Nicolas Grégoire
Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer:
starlabs.sg/blog/2025/11...
#cybersecurity #exploitation #printer #exploit #vulnerability
starlabs.sg/blog/2025/11...
#cybersecurity #exploitation #printer #exploit #vulnerability
November 7, 2025 at 1:14 AM
Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer:
starlabs.sg/blog/2025/11...
#cybersecurity #exploitation #printer #exploit #vulnerability
starlabs.sg/blog/2025/11...
#cybersecurity #exploitation #printer #exploit #vulnerability
Reposted by Nicolas Grégoire
Reposted by Nicolas Grégoire
Y'all fantastic news! Save the date, @blackhoodie.bsky.social will be at @districtcon.bsky.social this year 😱 the fantastic crew has offered to host us for a day of Malware Reverse Engineering! @synapticrewrite.bsky.social and myself will be hosting a training for women by women on January 23rd!!
October 26, 2025 at 7:37 PM
Y'all fantastic news! Save the date, @blackhoodie.bsky.social will be at @districtcon.bsky.social this year 😱 the fantastic crew has offered to host us for a day of Malware Reverse Engineering! @synapticrewrite.bsky.social and myself will be hosting a training for women by women on January 23rd!!
Reposted by Nicolas Grégoire
I've put together a website which indexes all the recordings my rigs have made thus-far as well as those currently planned:
administraitor.video
(minimalist - I'm a mid-/backend dev! 😋)
administraitor.video
(minimalist - I'm a mid-/backend dev! 😋)
Infosec/hacking videos recorded by Cooper (@Ministraitor)
Infosec/hacking videos recorded by Cooper (@Ministraitor)
administraitor.video
November 14, 2024 at 1:33 PM
I've put together a website which indexes all the recordings my rigs have made thus-far as well as those currently planned:
administraitor.video
(minimalist - I'm a mid-/backend dev! 😋)
administraitor.video
(minimalist - I'm a mid-/backend dev! 😋)
That looks to me like some wild unauthorized hacking…
samcurry.net/hacking-club...
Shubs and Sam are well known, but in my opinion, this kind of publication only encourages others to go out of scope and hit random websites
My advice: don’t do it, even if it’s an easy way to get some fame
samcurry.net/hacking-club...
Shubs and Sam are well known, but in my opinion, this kind of publication only encourages others to go out of scope and hit random websites
My advice: don’t do it, even if it’s an easy way to get some fame
Hacking the World Poker Tour: Inside ClubWPT Gold’s Back Office
In June, 2025, Shubs Shah and I discovered a vulnerability in the online poker website ClubWPT Gold which would have allowed an attacker to fully access the core back office application that is used f...
samcurry.net
October 26, 2025 at 10:15 AM
That looks to me like some wild unauthorized hacking…
samcurry.net/hacking-club...
Shubs and Sam are well known, but in my opinion, this kind of publication only encourages others to go out of scope and hit random websites
My advice: don’t do it, even if it’s an easy way to get some fame
samcurry.net/hacking-club...
Shubs and Sam are well known, but in my opinion, this kind of publication only encourages others to go out of scope and hit random websites
My advice: don’t do it, even if it’s an easy way to get some fame
Reversing a smart vacuum and making it work without access to the Internet 🤖
codetiger.github.io/blog/the-day...
codetiger.github.io/blog/the-day...
The Day My Smart Vacuum Turned Against Me
Would you allow a stranger to drive a camera-equipped computer around your living room? You might have already done so without even realizing it.
The Beginning: A Curious Experiment
It all started ...
codetiger.github.io
October 26, 2025 at 9:28 AM
Reversing a smart vacuum and making it work without access to the Internet 🤖
codetiger.github.io/blog/the-day...
codetiger.github.io/blog/the-day...
Reposted by Nicolas Grégoire
Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again!
Context: http1mustdie.com
cloud.google.com/support/bull...
Context: http1mustdie.com
cloud.google.com/support/bull...
Security Bulletins | Customer Care | Google Cloud
cloud.google.com
October 24, 2025 at 1:11 PM
Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again!
Context: http1mustdie.com
cloud.google.com/support/bull...
Context: http1mustdie.com
cloud.google.com/support/bull...
Asset Notes just published a long writeup on SessionReaper aka CVE-2025-54236, a vulnerability affecting Magento and identified by Blaklis (a French bug hunter who found many bugs affecting this technology)
slcyber.io/assetnote-se...
slcyber.io/assetnote-se...
Why nested deserialization is STILL harmful – Magento RCE (CVE-2025-54236) › Searchlight Cyber
Magento is still one of the most popular e-commerce solutions in use on the internet, estimated to be running on more than 130,000 websites. It is also offered as an enterprise offering by Adobe under...
slcyber.io
October 22, 2025 at 4:47 PM
Asset Notes just published a long writeup on SessionReaper aka CVE-2025-54236, a vulnerability affecting Magento and identified by Blaklis (a French bug hunter who found many bugs affecting this technology)
slcyber.io/assetnote-se...
slcyber.io/assetnote-se...
Reposted by Nicolas Grégoire
Ugly end to Kryptos saga. Two people found the solution to the last encrypted portion of famed Kryptos sculpture at CIA headquarters. They found it in Smithsonian archive. They contacted artist who made sculpture, who is preparing to auction off solution; he threatened to sue them if they reveal it
A C.I.A. Secret Kept for 35 Years Is Found in the Smithsonian’s Vault
www.nytimes.com
October 16, 2025 at 2:02 PM
Ugly end to Kryptos saga. Two people found the solution to the last encrypted portion of famed Kryptos sculpture at CIA headquarters. They found it in Smithsonian archive. They contacted artist who made sculpture, who is preparing to auction off solution; he threatened to sue them if they reveal it