@zakfedotkin.bsky.social
Zak Fedotkin
All thoughts are mine and mine alone
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
October 7, 2025 at 2:55 PM
June 26, 2025 at 2:00 PM
Thrilled to announce: I’ll be presenting a major new version of WebSocket Turbo Intruder at Black Hat Arsenal 2025! This open-source toolkit makes high-speed, advanced WebSocket attacks practical and painless.
June 26, 2025 at 1:56 PM
Active Scan++ just got sharper - we’ve added new checks for OS command injection, powered by our latest ASCII Control Characters research. Install via Extensions -> BApp Store
May 28, 2025 at 2:56 PM
Think you’ve seen every OS command injection trick?
Think again, read our latest blog post!
Link in the comments👇
April 30, 2025 at 12:44 PM
I’m excited to introduce Namespace Confusion, a novel attack discovered during Gareth's and my SAML Roulette: The Hacker Always Wins research. We uncovered a brutal attack on XML signature validation that destroys authentication in Ruby-SAML!
March 18, 2025 at 3:01 PM
Today's update to the URL Validation Bypass Cheat Sheet includes a new trick: bypassing domain allow lists using a full URL in the query, submitted by Alexis Hapiot!

This idea came after our previous update from @dyak0xdb, which sparked great discussions! More updates are live. Link in the reply 👇
March 5, 2025 at 1:35 PM
We've updated our URL validation bypass cheat sheet with this shiny Domain allow list bypass payload contributed by dyak0xdb!
February 6, 2025 at 9:17 AM
Ruby secret_key_base can be decrypted from the credentials.yml.enc file using the following Java code:
December 20, 2024 at 2:01 PM
New in SignSaboteur v1.0.6!
Now supports Ruby on Rails Encrypted Cookies:
- Brute force secret keys
- Decrypt cookie values
Update now:
December 20, 2024 at 1:40 PM