brank0x42
@brank0x42.bsky.social
It's not a data breach, it's a surprise backup.
#hacking #bugbounty #cybersecurity Sharing is caring. 😃 Here is a writup of my first earned cve number, CVE-2025-0474 to be precise. A joint effort with @laluka.bsky.social and a totally cool story about a very interesting Server Side Request Forgery, with a twist. Cheers 😃🥳😃🥳😃
Hoy Hoy ! ⚔️
No partner for the Valentine's day? 😭
No trouble, get a shell instead! 🥰
thinkloveshare.com/offenskill/i...
Again, Gg @brank0x42.bsky.social for your first CVE! 🌹
No partner for the Valentine's day? 😭
No trouble, get a shell instead! 🥰
thinkloveshare.com/offenskill/i...
Again, Gg @brank0x42.bsky.social for your first CVE! 🌹
February 14, 2025 at 10:00 AM
#hacking #bugbounty #cybersecurity Sharing is caring. 😃 Here is a writup of my first earned cve number, CVE-2025-0474 to be precise. A joint effort with @laluka.bsky.social and a totally cool story about a very interesting Server Side Request Forgery, with a twist. Cheers 😃🥳😃🥳😃
#hacking Cool read! 😃
ROPing our way to “Yay, RCE” - and a lesson in the importance of a good nights sleep!
Follow our Colleague Michaels journey of developing an ARM ROP chain to exploit a buffer overflow in uc-http
modzero.com/en/blog/ropi...
Follow our Colleague Michaels journey of developing an ARM ROP chain to exploit a buffer overflow in uc-http
modzero.com/en/blog/ropi...
ROPing our way to RCE
modzero.com
February 11, 2025 at 11:25 AM
#hacking Cool read! 😃
CVE-2025-0474 is the number. 🥳 Crazy happy to earn my first CVE number. It was a joint effort with @laluka.bsky.social during the www.offenskill.com level 30 training. Learned a bunch and had lots of fun. What more can one ask for? 😃 #hacking #bugbounty #cve www.cve.org/CVERecord?id...
OffenSkill
Welcome to OffenSkill, where we deliver cybersecurity trainings, mentoring, code audits, and pentests!
www.offenskill.com
January 16, 2025 at 1:25 PM
CVE-2025-0474 is the number. 🥳 Crazy happy to earn my first CVE number. It was a joint effort with @laluka.bsky.social during the www.offenskill.com level 30 training. Learned a bunch and had lots of fun. What more can one ask for? 😃 #hacking #bugbounty #cve www.cve.org/CVERecord?id...
Awesome! 😃
We broke something:
in a recent pentest on a hardened target, we were able to achieve unauthenticated Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in a Spring Boot application
We wrote it down for you to try at home:
modzero.com/en/blog/spri...
in a recent pentest on a hardened target, we were able to achieve unauthenticated Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in a Spring Boot application
We wrote it down for you to try at home:
modzero.com/en/blog/spri...
Exploiting SSTI in a Modern Spring Boot Application (3.3.4)
modzero.com
January 11, 2025 at 1:16 PM
Awesome! 😃
Reposted by brank0x42
Golang: because hackers haven’t given up on SQL injection in 2024...
December 30, 2024 at 12:48 AM
Golang: because hackers haven’t given up on SQL injection in 2024...
Cool tip 😃
✌️ Bug Bounty Tip: If you don't have time to watch the full video, just check out this slide!
If you find a very restricted Prototype Pollution where you can only add empty objects or arrays to the prototype, but the gadget requires properties with payloads..
#bugbounty #bugbountytips #bugbountytip
If you find a very restricted Prototype Pollution where you can only add empty objects or arrays to the prototype, but the gadget requires properties with payloads..
#bugbounty #bugbountytips #bugbountytip
December 11, 2024 at 12:34 PM
Cool tip 😃
LOL 🤣🤣🤣
December 9, 2024 at 11:57 AM
LOL 🤣🤣🤣
Reposted by brank0x42
I wrote a thing with my colleague Ilyass El Hadi (0xc0ffee_) & Charles Prevost, about how we've been leveraging offensive webapp testing during Red Teams. 4 use cases of external breaches using webapps inside, enjoy! #appsec
cloud.google.com/blog/topics/...
cloud.google.com/blog/topics/...
Bridging the Gap: Elevating Red Team Assessments with Application Security Testing | Google Cloud Blog
Red team and targeted external assessments should incorporate application security expertise to better simulate modern adversaries.
cloud.google.com
December 6, 2024 at 8:12 PM
I wrote a thing with my colleague Ilyass El Hadi (0xc0ffee_) & Charles Prevost, about how we've been leveraging offensive webapp testing during Red Teams. 4 use cases of external breaches using webapps inside, enjoy! #appsec
cloud.google.com/blog/topics/...
cloud.google.com/blog/topics/...
Cool read 😃
Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...
portswigger.net/research/byp...
Bypassing WAFs with the phantom $Version cookie
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known
portswigger.net
December 7, 2024 at 2:39 PM
Cool read 😃
Reposted by brank0x42
The workflow described in this article is very close to the one I teach during my training sessions
1) use colors to highlight the requests to be replayed
2) use session handling rules (and possibly macros) to automate interactions
1) use colors to highlight the requests to be replayed
2) use session handling rules (and possibly macros) to automate interactions
Logic Flaw: I Can Block You from Accessing Your Own Account
A Logic Bug that allowed me to block anyone from accessing his account on the forum
hashimamin.medium.com
December 7, 2024 at 10:24 AM
The workflow described in this article is very close to the one I teach during my training sessions
1) use colors to highlight the requests to be replayed
2) use session handling rules (and possibly macros) to automate interactions
1) use colors to highlight the requests to be replayed
2) use session handling rules (and possibly macros) to automate interactions
Reposted by brank0x42
In case you missed it...I wrote a book, please support my work by buying a copy. If you've already bought one thank you please can you RT to spread the word!
leanpub.com/javascriptfo...
leanpub.com/javascriptfo...
February 12, 2024 at 5:28 PM
In case you missed it...I wrote a book, please support my work by buying a copy. If you've already bought one thank you please can you RT to spread the word!
leanpub.com/javascriptfo...
leanpub.com/javascriptfo...
Reposted by brank0x42
A joke for infosec nerds...
Knock Knock
Race Condition
Who's there?
Knock Knock
Race Condition
Who's there?
November 30, 2023 at 6:12 PM
A joke for infosec nerds...
Knock Knock
Race Condition
Who's there?
Knock Knock
Race Condition
Who's there?
Reposted by brank0x42
🎉 Introducing Bambdas 🎉
Customize Burp Suite Professional to suit your personal workflow with Bambdas.
Switch to ‘Bambda mode’ whilst in the HTTP Proxy history, and start tailoring Burp to your own needs today.
portswigger.net/burp/pro/fea...
Customize Burp Suite Professional to suit your personal workflow with Bambdas.
Switch to ‘Bambda mode’ whilst in the HTTP Proxy history, and start tailoring Burp to your own needs today.
portswigger.net/burp/pro/fea...
November 14, 2023 at 3:00 PM
🎉 Introducing Bambdas 🎉
Customize Burp Suite Professional to suit your personal workflow with Bambdas.
Switch to ‘Bambda mode’ whilst in the HTTP Proxy history, and start tailoring Burp to your own needs today.
portswigger.net/burp/pro/fea...
Customize Burp Suite Professional to suit your personal workflow with Bambdas.
Switch to ‘Bambda mode’ whilst in the HTTP Proxy history, and start tailoring Burp to your own needs today.
portswigger.net/burp/pro/fea...
Reposted by brank0x42
Reminder: I maintain a page which links to a bunch of FREE posts, videos or slides related to Burp Suite 🎁
It was updated twice this year, in order to include:
- the 30' talk I gave at NorthSec 2023
- the 70' workshop I published during NahamCon 2023
It was updated twice this year, in order to include:
- the 30' talk I gave at NorthSec 2023
- the 70' workshop I published during NahamCon 2023
Freebies - Mastering Burp Suite Pro
Freebies - Mastering Burp Suite Pro
hackademy.agarri.fr
November 9, 2023 at 1:20 PM
Reminder: I maintain a page which links to a bunch of FREE posts, videos or slides related to Burp Suite 🎁
It was updated twice this year, in order to include:
- the 30' talk I gave at NorthSec 2023
- the 70' workshop I published during NahamCon 2023
It was updated twice this year, in order to include:
- the 30' talk I gave at NorthSec 2023
- the 70' workshop I published during NahamCon 2023
Reposted by brank0x42
Solid advice! 🎃
November 1, 2023 at 8:04 PM
Solid advice! 🎃
Reposted by brank0x42
Reposted by brank0x42
Here's a nice challenge (with 7 levels) where the point is to get the AI to disclose a secret piece of information...
Gandalf | Lakera – Test your prompting skills to make Gandalf reveal secret information.
Trick Gandalf into revealing information and experience the limitations of large language models firsthand.
gandalf.lakera.ai
September 29, 2023 at 8:59 PM
Here's a nice challenge (with 7 levels) where the point is to get the AI to disclose a secret piece of information...
Reposted by brank0x42
