Konstantin :C_H:
@kpwn.infosec.exchange.ap.brid.gy
I'm a hacker and mainly post about web security.

By profession, I am a pentester and team leader @usdAG.

I like to explain and understand things and I am […]

[bridged from https://infosec.exchange/@kpwn on the fediverse by https://fed.brid.gy/ ]
Reposted by Konstantin :C_H:
Well, data centers worth 1 trillion dollars are under construction that consume more electricity and water than the EU, and all of that for a technology that mainly generates stupid images and dumb texts. But sure, capitalism is the smartest system ever and humans are the crown of evolution. 🤪 […]
Original post on mastodon.social
November 7, 2025 at 6:44 AM
CVE Crowd just received an update, hopefully nobody will recognize. I've upgraded Tailwind CSS from v3.4 to v4.1 :D
November 3, 2025 at 9:52 PM
"I had to tell what happened over and over again - first to the police, then to the youth welfare office, later in court. Every time it hurt, every time I felt small and helpless again."

- a girl affected by sexualized violence.

The petition advocates for a child-friendly justice system […]
Original post on infosec.exchange
October 6, 2025 at 1:44 PM
Assisted owning!

As one of the speakers in Cologne, I'm happy about everyone who wants to take part in the usd Hackertag 🧡

First we'll hack a few boxes together and afterwards enjoy pizza, Tschunk and Kölsch together. Come by!

📅 07.11.2025

📍Cologne (or Neu-Isenburg […]
Original post on infosec.exchange
September 22, 2025 at 7:43 AM
Reposted by Konstantin :C_H:
Phew... CVE-2025-55241 was a disaster waiting to happen!

> This vulnerability could have allowed me to compromise every Entra ID tenant in the world [...]. If you are an Entra ID admin reading this, yes that means complete access to your tenant […]
Original post on social.tinycyber.space
September 18, 2025 at 3:06 PM
Y'all killed my server… Sorry for the outage 😅

Internal Server Error: /

OperationalError at /
(1040, 'Too many connections')
September 8, 2025 at 8:18 PM
New update for CVE Crowd!

You can now:
- Search for vendors or products to see all related CVEs and discussions
- Browse Bluesky posts alongside Fediverse ones
- Enjoy cleaner feeds thanks to the "similar post counter"

And believe it or not... all of that without any ✨AI💩

Learn more below 🧵 […]
Original post on infosec.exchange
September 8, 2025 at 1:00 PM
Hi @jerry, since 2 September, I am experiencing great lags when querying the public timeline of infosec.exchange with Mastodon.py.

Requests sometimes take multiple seconds to finish. It seems the API itself is responding quite fast (250ms) but the pre- / post-processing is sluggish. While this […]
Original post on infosec.exchange
September 5, 2025 at 11:45 AM
I'm thinking about integrating #bluesky into CVE Crowd. A lot of CVE posts over there...

But turns out: Most of them are #bots just reposting articles from news sites.

In all the time CVE Crowd has been running on the Fediverse, I only blocked 8 accounts due to "spamming".

After playing around with […]
Original post on infosec.exchange
August 14, 2025 at 9:38 PM
Two criticals. Two known exploited. One a zero-day.
July saw a spike in high-severity vulnerabilities.

Here are CVE Crowd's Top 3 from the 624 CVEs discussed across the Fediverse last month.
For each CVE, I've included a standout post from the community.
Enjoy exploring! 👇

#pentesting #appsec […]
Original post on infosec.exchange
August 4, 2025 at 1:15 PM
CVE Crowd's Top 3 Vulnerabilities from June!

These stood out among the 528 CVEs actively discussed across the Fediverse.

For each CVE, I’ve included a standout post from the community.

Enjoy exploring! 👇

#pentesting #appsec #infosec #cybersecurity #bugbounty #hacking #cve #cvecrowd
July 3, 2025 at 1:10 PM
I recently ran into an interesting discrepancy:

What you see below are 120-bit Session IDs, one printed as hex and one in the format of a #uuidv4.

After validating their randomness, I would classify the first as secure but raise concerns about the second […]

[Original post on infosec.exchange]
July 1, 2025 at 12:37 PM
Reposted by Konstantin :C_H:
Long before the internet, the global phone network was hackable by playing a single tone at 2600Hz.

Whistled into a payphone, it could grant you unrestricted access, a skill made famous by legends like Cap'n Crunch. Do you have the vocal chops to be an old-school phone phreak?

I built a web […]
Original post on infosec.exchange
June 18, 2025 at 10:59 AM
Set your password:

QUrMotr8nSEe0YprOPEu

Error: Your password must contain a special character!

QUrMotr8nSEe0YprOPEu!

So more secure!
June 3, 2025 at 7:26 AM
May 27, 2025 at 10:01 AM
Just a reminder to always lock your door!
#latchslipping #pentesting #physicalpentesting #security
May 22, 2025 at 8:31 PM
- 403 Forbidden
- 403 Forbidden
- 403 Forbidden

I've recently encountered a web application firewall in a pentest, blocking all my attempts to insert an XSS payload.

In such […]

[Original post on infosec.exchange]
May 7, 2025 at 12:27 PM
On 16.05., my colleague Nick Lorenz and I will welcome you in Cologne to the usd Hackertage. Over pizza and Tschunk we'll talk about hacking and pentesting.

You can gain practical hands-on experience in our training environment, the PentestLab.

We look forward to everyone who stops by.

📅 16 […]
Original post on infosec.exchange
May 2, 2025 at 1:32 PM
Reposted by Konstantin :C_H:
I boosted several posts about this already, but since people keep asking if I've seen it....

MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration […]

[Original post on infosec.exchange]
April 15, 2025 at 8:33 PM
The bots ain't going away - but neither am I.

This is the start of a long-running thread where I will be tracking bot activity on CVE Crowd.

The first few posts will be references to earlier updates I shared before deciding to compile everything here.

Let's see where this takes us […]
Original post on infosec.exchange
March 25, 2025 at 10:19 PM
With #cve_2025_29927, Next.js has now suffered its second major vulnerability in just three months, following #cve_2024_51479.

I originally built CVE Crowd with #nextjs.

However, as the application became more complex (especially with authentication), I decided to switch to a framework I was […]
Original post on infosec.exchange
March 23, 2025 at 11:02 PM
Does anyone know what happens to Not Simon 🐐 screaminggoat@infosec.exchange?
March 21, 2025 at 9:21 PM
That moment when Apache Felix HTTP Webconsole Plugin destroys your layout… 🫠
March 13, 2025 at 7:02 PM