Roman
@securecodeninja
a web builder & defender 🕷️ proud to be pinoy 🇵🇭 appsec quarterback 🛡️
It's been fun writing @SemgrepRegistry rules for #AspNetCore and #csharp, you should try creating one too! Wanna learn how to fix these @semgrep findings? Check out my book! amazon.com/dp/180107156X
amazon.com
ASP.NET Core 5 Secure Coding Cookbook: Practical recipes for tackling vulnerabilities in your...
We just shipped automated security reviews in Claude Code. Catch vulnerabilities before they ship with two new features: - /security-review slash command for ad-hoc security reviews - GitHub Actions integration for automatic reviews on every PR
Wasting time fuzzing hardened code without hitting new vulnerabilities. Legacy black-box fuzzers stall at validation checks, missing deeper bugs. In Chapter 8 of my new book From Day Zero to Zero Day, you'll explore the advanced techniques behind coverage-guided fuzzing using…
McDonald's uses an AI bot called "Olivia" for hiring. A pair of hackers found they could access every conversation job applicants had with it—including all the personal info they shared—by exploiting security flaws as basic as using the password "123456". wired.com/story/mcdonald…
wired.com
McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password...
Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.
Oktajacking - Using Okta to keylog for initial access or as a sneaky form of SAMLjacking for lateral movement from a compromised SaaS app. Massive shoutout to @_xpn_ as I used his great research for this, I just applied it to different kill chain phases. pushsecurity.com/blog/oktajacki…
pushsecurity.com
Making Okta do keylogging for you
In this article, we'll show you how to use Okta to do keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server.
👔 Security Architect & Principal Security Engineer Interview Questions A consolidated list of questions pulled from Glassdoor From: Netflix, Morgan Stanley, Wiz, & more * Technical * Behavioral and Influential * Frameworks/Design/Threat Modeling github.com/tadwhitaker/Se…
Just because you're using Okta doesn't mean you're using SSO. I wrote a blog post covering: • What is SWA and what are the risks? • Extracting SWA passwords • Bypassing password reveal restrictions • Detection and response for Okta account breaches pushsecurity.com/blog/okta-swa/…
pushsecurity.com
Abusing Okta's SWA authentication method
We'll cover the implications of using Okta's SWA authentication method. Learn what security teams need to know in an account breach and IR scenario.
🛠️ Building a free Burp Collaborator with Cloudflare Workers How to use Cloudflare Workers to receive out-of-band connections during your web app testing (e.g. track when blind XSS triggers) and pipe the results to Discord blog.gbrls.space/blog/building-…
After the success of our security research, we decided to invest a $120k bounty and share our story and tools with you. Now, we are releasing an Automated Scans feature on VIDOC, allowing you to easily automate your #bugbounty hunting on a large scale! blog.vidocsecurity.com/blog/2022-summ…
blog.vidocsecurity.com
How we made $120k bug bounty in a year with good automation
2022 was very busy for several reasons, today we want to present to you what we did and learned doing large-scale bug bounty hunting
😈 The Offensive ML Playbook A database of offensive ML TTPs covering: * Supply chain attacks * Offensive ML techniques * Adversarial ML Examples: * Poisoning an LLM’s ground truths * How to put malware in a model and distribute it By @WHITEHACKSEC wiki.offsecml.com/Welcome+to+the…
wiki.offsecml.com
Welcome to the Offensive ML Playbook - OffSecML Playbook
Latest: 7/23/25 version: 2.0.8 First published 10/26/23. Shiny new things Garak Improvements Offensive Hackbot Advancements + New threat intel as of 7/23/2025 Additional Techniques for web app test…
Just discovered a full account takeover on Grammarly.com, Vidio.com and more using a new OAuth attack technique. This is the last part of the OAuth trilogy; in total, we could take over 1+ BILLION accounts! salt.security/blog/oh-auth-a… #OAuth #hacking
salt.security
Salt Labs Finds OAuth Abuse Used to Take Over Accounts
OAuth Account Takeover. Salt Labs shows how hackers could abuse OAuth to take over millions of accounts on Grammarly, Vidio, and Bukalapak.
What are HAR files? A HAR file is a recording of your current session & includes all web traffic including secrets & tokens. Admins usually share these files with customer support when troubleshooting issues. Here's a thread on how you can handle .har files safely. 🧵⬇️
🎓 Free Cybersecurity Course from Harvard An introduction to #cybersecurity for technical and non-technical audiences Self-paced, 2-6 hours/week over 5 weeks edx.org/learn/cybersec…
Chalk is now officially open source. Total visibility of your software engineering lifecycle. Designed for platform and security teams. eu1.hubs.ly/H05xD2d0
𝗟𝗲𝗮𝗿𝗻 𝗝𝗪𝗧 𝗹𝗶𝗸𝗲 𝘆𝗼𝘂'𝗹𝗹 𝗻𝗲𝘃𝗲𝗿 𝗳𝗼𝗿𝗴𝗲𝘁. 🧵
Now Generally Available: GitHub Advanced Security for Azure DevOps is ready for you to use devblogs.microsoft.com/devops/now-gen…
devblogs.microsoft.com
Now Generally Available: GitHub Advanced Security for Azure DevOps is ready for you to use - Azure...
We’re excited to announce that GitHub Advanced Security for Azure DevOps is now generally available and is ready for you to use in your own Azure DevOps repos! You can now enable code, secret, and...
🗒️ Source Code Management Platform Configuration Best Practices Guide by @OpenSSF for securing SCM platforms * Harden CI/CD pipelines against supply chain attacks * Branch protection policies and access controls/permissions * Server-level policies best.openssf.org/SCM-BestPracti…
🤖 promptfoo A tool for testing your prompts. Evaluate and compare LLM outputs, catch regressions, and improve prompt quality. github.com/promptfoo/prom…
Just stumbled upon some pretty dope talks by @naugtur ❤️ 📜 "Eval all the strings! Hardened JavaScript" youtube.com/watch?v=Qjeh7Q… and his free workshop he did @defcon on: 📜 "Defensive coding and hardened JavaScript" naugtur.pl/pres3/lava/wor… github.com/naugtur/js-tra…
youtube.com
YouTube
Eval all the strings! Hardened JavaScript - Zbyszek Tenerowicz |...
🧠 Web AppSec Interview Questions A tough set of questions by @0xTib3rius covering: * XSS * CSRF * SQL injection * Web cache deception and poisoning * Session fixation * HTTP request smuggling * DOM clobbering * HTTP parameter pollution + much more tib3rius.com/interview-ques…
🌐 Wapalyzer A community fork of the deleted Wappalyzer project Can detect & identify the technologies used to build any website Supports patterns, regular expressions and coding fingerprints By @Lissy_Sykes #bugbountytips github.com/Lissy93/wapaly…
github.com
GitHub - Lissy93/wapalyzer: 🌐 Identify the technologies powering any website. This is a fork of...
🌐 Identify the technologies powering any website. This is a fork of the now deleted Wappalyzer project by @AliasIO and community. - Lissy93/wapalyzer