Vulnversity - I have just completed this room! Check it out: https://tryhackme.com/room/vulnversity #tryhackme #recon #privesc #webappsec #video #vulnversity via @RealTryHackMe
Did you note the fact that with #passkey in the cross-device scenario, when a QR code is scanned the authenticator device makes sure via Bluetooth that the device displaying the QR code and the one scanning it are in close proximity?!
Can we standardize this security feature at @w3c , please?
This is a really useful security feature, I think
Thoughts, @torgo @dveditz
#webappsec
#hack100days: Day 7d : Kept chipping away at #hackthebox new release broscience. Good challenge for #webappsec testing. Recognized an #owasp top 10 vulnerability, but I needed a nudge on how to get ZAP to help me exploit it--Replacer, ftw. Still have some enumeration to do to figure out initial access. Incremental progress is still progress... #infosec #sharpenthesaw
Top 25 IDOR bug bounty reports
https://corneacristian.medium.com/top-25-idor-bug-bounty-reports-ba8cd59ad331
#bugbounty #infosecurity #IDOR #infosec #webappsec
I did a thing:
Last week version 1.0.0 of the @zaproxy Encode/Decode/Hash add-on was released with a bunch of work I completed.
https://github.com/zaproxy/zap-extensions/releases/tag/encoder-v1.0.0
#zaproxy #AppSec #WebAppSec #RedTeam #PurpleTeam #OWASP #BugBountyTips #PenTesting
RT @zaproxy@twitter.com
Version 1.0.0 of the Encode/Decode/Hash add-on was released earlier today with a bunch of work from @kingthorin_rm@twitter.com. Thanks!!!!
#zaproxy #AppSec #WebAppSec #RedTeam #PurpleTeam #OWASP #BugBountyTips #PenTesting
https://github.com/zaproxy/zap-extensions/releases/tag/encoder-v1.0.0
@owasp & #OpenSource stuff I've been up to lately:
- A bunch of work on the @zaproxy
Encode/Decode/Hash tool.
- Prep work for @owasp_wstg release v4.3.
- Work on @zaproxy scan rules example alerts & alert refs for documentation generation.
- OWASP VWAD additions.
#opensource #appsec #webappsec
Nov 29th is #GivingTuesday. You can help the @zaproxy team raise money to support the editing and fuzzing of binary HTTP/2 messages.
#PenTest #PenetrationTesting #AppSec #WebAppSec #RedTeam #PurpleTeam #BugBountyTip #BugBountyTips #OpenSource #DevSecOps
Support OWASP & ZAP!!!
https://giving.owasp.org/kingthorin_rm
We're still getting the content setup. But we can use any and all help!!!!! So I'm jumping in with both feet, 5 days to go on #GivingTuesday #OWASP #OpenSource #PenTest #RedTeam #PurpleTeam #BlueTeam #WebAppSec #AppSec #VulnerabilityAssessment
I'm spotting a LOT of tutorials, howtos, and manuals on #JWT-based, access-token-only authorization for frontend applications, like #React. Almost none of them explain the #risk connected with building the authorization layer on a long-lived (sometimes infinitely long-lived) credential that cannot be invalidated!
Those solutions are copied and pasted into real-life projects, introducing a serious #cyberthreat.
Dear #developers! You must stop!
Access tokens should be short-lived, and the refresh process must make it possible to revoke access (refresh token invalidation)!
There MUST BE some kind of user session in a web application!
#jwt #react #risk #cyberthreat #developers #owasp #cybersecurity #webappsec
Did you know you can color history items in #zaproxy w/ the Neonmarker add-on? It now supports coloring based on tags as well as arbitrary assignments.
#OWASP #AppSec #WebAppSec #BugBountyTip #RedTeam #PurpleTeam #Pentesting #PenTest
As appears to be tradition, here's an #introduction from me :) After some time as a #Netware admin, I've been in #infosec for a bit over 20 years.
Started in financial services as a security analyst, moved into #pentesting for banks then as a consultant for various companies and now experiencing the sometimes odd world of Security Advocacy.
Tech-wise these days I focus on #Kubernetes #Docker and all things containerization, but dabble in #webappsec things and code in #ruby and #golang when required.
#introduction #netware #infosec #pentesting #kubernetes #docker #webappsec #ruby #golang
Yahoo! and AOL implement an account recovery flow which can be summed up as "please hijack me." If you use them, you had better be very certain you control that recovery phone number of yours.
#webappsec #infosec #yahoo #aol #verizon