NioZ
niozow.bsky.social
Reposted by NioZ
🆕 New blog post!

"Offline Extraction of Symantec Account Connectivity Credentials (ACCs)"

Following my previous post on the subject, here is how to extract ACCs purely offline.

👉 itm4n.github.io/offline-extr...

#redteam #pentesting
June 15, 2025 at 4:33 PM
Reposted by NioZ
Did you miss #SOCON2025? Did you have a favorite talk you'd like to rewatch?

🎥 All presentations from SO-CON 2025 are now live at ghst.ly/socon25-talks.

💻 Slides for each talk are available at ghst.ly/socon25-slides.
May 19, 2025 at 4:34 PM
Reposted by NioZ
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓
May 14, 2025 at 1:31 PM
Reposted by NioZ
Firefox treats multipart/x-mixed-replace like HTML. Chrome doesn’t.
That tiny difference? It can turn a "non-exploitable" XSS into a real one.
Abuse boundary handling, bypass filters, and make your payload land.

thespanner.co.uk/making-the-u...
Making the Unexploitable Exploitable with X-Mixed-Replace on Firefox - The Spanner
In this post, we’ll look at an interesting difference in how Firefox and Chrome handle the multipart/x-mixed-replace content type. While Chrome treats it as an image, Firefox renders it as HTML - some...
thespanner.co.uk
April 25, 2025 at 9:50 PM
Reposted by NioZ
In our latest article, @croco-byte.bsky.social and @scaum.bsky.social demonstrate a trick that allows making Windows SMB clients fall back to WebDav HTTP authentication, enhancing the NTLM and Kerberos relaying capabilities of multicast poisoning attacks!
www.synacktiv.com/publications...
Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav
www.synacktiv.com
February 27, 2025 at 10:21 AM
Reposted by NioZ
In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. 💪

👉 blog.scrt.ch/2025/02/18/r...
February 19, 2025 at 9:13 AM
Reposted by NioZ
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 4, 2025 at 3:02 PM
Reposted by NioZ
THC RELEASE: Article - Practical HTTPS Interception - exploiting the cleartext ACME-HTTP-AUTH loophole (Let's Encrypt, ...) to retrieve valid HTTPS certificates. #tls #https

blog.thc.org/practical-ht...
February 3, 2025 at 10:30 AM
Reposted by NioZ
This is smart. I had to read it twice to figure out why they weren't just using eBPF, but it works for non-superusers: it dynamically creates network namespaces, tun devices, and an intercepting CA (like Burp) to capture all the HTTP requests made by a Linux program.

github.com/monasticacad...
GitHub - monasticacademy/httptap: View HTTP/HTTPS requests made by any Linux program
View HTTP/HTTPS requests made by any Linux program - monasticacademy/httptap
github.com
February 3, 2025 at 8:53 PM
Reposted by NioZ
New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
Windows Bug Class: Accessing Trapped COM Objects with IDispatch
Posted by James Forshaw, Google Project Zero Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...
googleprojectzero.blogspot.com
January 30, 2025 at 6:37 PM
Reposted by NioZ
Hot out of the oven! The Cookie Sandwich – a technique that lets you bypass the HttpOnly protection! This isn't your average dessert; it’s a recipe for disaster if your app isn’t prepared: portswigger.net/research/ste...
Stealing HttpOnly cookies with the cookie sandwich technique
In this post, I will introduce the "cookie sandwich" technique which lets you bypass the HttpOnly flag on certain servers. This research follows on from Bypassing WAFs with the phantom $Version cookie
portswigger.net
January 22, 2025 at 3:06 PM
Reposted by NioZ
Really great blog post about bypassing BitLocker using "PXE soft reboot" (even if PXE boot is disabled in the BIOS).

"Windows BitLocker -- Screwed without a Screwdriver"

👉 neodyme.io/en/blog/bitl...
👉 media.ccc.de/v/38c3-windo...
Windows BitLocker -- Screwed without a Screwdriver
Breaking up-to-date Windows 11 BitLocker encryption -- on-device but software-only
neodyme.io
January 20, 2025 at 10:03 AM