Sim4n6 @ Security Bug Focus 🐞
@sim4n6.bsky.social
A bug squasher🗜️in spirit 🐞


🐞🐌🐛🥅 https://github.com/sim4n6/sim4n6
It started with:

"When making a request using (Node.js) HTTP get with the path set to '/café🐶', the server receives /café=6"

Ended with: SSRF via Request Splitting, impressive and scary at the same time, indeed.

www.rfk.id.au/blog/entry/s...
November 5, 2025 at 5:43 PM
is #curl still being developed?

Well, that wraps up the matter; interesting insights on the matter from uncle curl himself... I still have the same question though 🙋, but from the financial perspective?

daniel.haxx.se/blog/2025/11...
Yes really, curl is still developed
A lot! One of the most common reactions or questions I get about curl when I show up at conferences somewhere and do presentations: -- is curl still being actively developed? How many more protocols c...
daniel.haxx.se
November 5, 2025 at 10:24 AM
The path to venv is the source, but it's not sanitized properly and is injected 💉 into the activate script, leading to command injection.
🗞️ The peril of unquoted Python strings, and how they caused CVE-2024-9287

🔗 https://pythonkoans.substack.com/p/koan-12-the-blacksmiths-hammer
October 31, 2025 at 7:39 PM
Reposted by Sim4n6 @ Security Bug Focus 🐞
I guess 02 vulnerabilities:

When resolving the symlink, an attacker can switch it after the resolving (race condition, aftertime check).

Have you thought about nested symlinks? I love ♥️ this one. Very scarce. Realpath would resolve the symlink once. How about if the destination is another symlink?
October 28, 2025 at 7:26 PM
`CTRL+SHIFT+T` on Firefox is the best keyboard shortcut ever. It can instantly reopen the last closed tab.

Amazing. Special thanks fly to the member of the @firefox team who did that.
October 28, 2025 at 10:54 AM
If the server-side relies on the browser's incoming Content-Type as a #CSRF protection, you can omit the CT entirely using a Blob object as a fetch() body to perform the state-changing operation, and if #CORS is permitted, leak the unleakable.

nastystereo.com/security/cr... #BugBounty
October 20, 2025 at 11:00 AM
Reposted by Sim4n6 @ Security Bug Focus 🐞
Doesn't that make you vulnerable to RCE somehow, with the clipboard value as a source of injection to shell pwn?

L13 : gist.github.com/honoki/c4ec0...
December 26, 2024 at 5:51 PM
TBH @zapier is really very practical and awesome ... #KeepUpWithGreatWork
October 18, 2025 at 7:26 PM
Mama Mia... When the hacking stars ⭐ ✨ do align... The results are amazing API hacking full pros access samcurry.net/hacking-club...
Hacking the World Poker Tour: Inside ClubWPT Gold’s Back Office
In June, 2025, Shubs Shah and I discovered a vulnerability in the online poker website ClubWPT Gold which would have allowed an attacker to fully access the core back office application that is used f...
samcurry.net
October 18, 2025 at 5:24 PM
AI-generated self-contained docker compose files are mind-blowing 🎉
September 27, 2025 at 7:45 AM
Arbitrary File overwrite... Interesting one
Just had my #bugbounty report disclosed on #HackerOne 💪

TL;DR
RCE via path traversal in the Mozilla VPN Client through the local websocket server (developer mode).

hackerone.com/reports/2995...
July 30, 2025 at 9:30 AM
Reposted by Sim4n6 @ Security Bug Focus 🐞
We are super excited to share that we acquired the Shift Plugin (shiftplugin.com) and we are making it free to Caido paid users 🚀

Shift is a smart AI companion for your hacking. It can craft payloads, Match&Replace rules, HTTPQL queries, etc.

All details here: caido.io/blog/2025-07...
July 16, 2025 at 4:47 PM
Scary beast .. !
For the last 6 months I’ve been helping an incredible team to build @xbow.com and there was not a single day without being amazed by XBOW findings and reasoning. It even got to the top of @hacker0x01.bsky.social US leaderboard 🤯 Stay tuned for blog posts and detailed traces!
XBOW – Breaking the Shield: How XBOW Discovered Multiple XSS Vulnerabilities in Palo Alto’s GlobalProtect VPN
XBOW discovered multiple cross-site scripting (XSS) vulnerabilities in Palo Alto Networks’ GlobalProtect VPN web application
xbow.com
July 16, 2025 at 4:34 PM
To level up my #BugBounty game I use #Scribe; it AI-generates steps-to-follow screenshots based on a recording www.scribehow.com/lp/home?via=a
June 29, 2025 at 10:08 PM
Amazing 🐺
June 27, 2025 at 12:29 PM
Reposted by Sim4n6 @ Security Bug Focus 🐞
SQL Injection despite using prepared statements? 🧐

Turns out that SQL syntax can be ambiguous! Learn how this has led to vulnerabilities in several popular PostgreSQL client libraries:

www.sonarsource.com/blog/double-...

#appsec #security #vulnerability
Double Dash, Double Trouble: A Subtle SQL Injection Flaw
Can a simple dash character introduce a security risk? Discover how SQL line comments can open the door to unexpected injection vulnerabilities in several PostgreSQL client libraries!
www.sonarsource.com
June 10, 2025 at 3:20 PM
A nice and a sunny day 🌞
June 8, 2025 at 12:01 PM
"Please provide your professional email address to subscribe"

... sure , @wearehackerone.com

follow me for more free bypasses 😎
ALT: a man in a hoodie is standing in front of a group of people.
May 24, 2025 at 6:05 PM
Reposted by Sim4n6 @ Security Bug Focus 🐞
TIL it's possible to search among opened Firefox tabs by prefixing your search with "%" 🤯

As a keyboard maximalist, the workflow should be "Ctrl-T + %search criteria + up/down + Enter" 🦥

support.mozilla.org/en-US/kb/add...
Address bar autocomplete suggestions in Firefox | Firefox Help
When you type into the address bar, Firefox suggests pages you've bookmarked, tagged, visited before or have open in tabs. Learn more.
support.mozilla.org
May 12, 2025 at 9:20 AM
Impressive what we can quickly fire with AI
May 11, 2025 at 2:19 PM
I have great respect for the unknown and occasional vulnerability researcher who emerges from time to time with a killer discovery...
May 7, 2025 at 7:53 PM