Roman
@securecodeninja
a web builder & defender 🕷️ proud to be pinoy 🇵🇭 appsec quarterback 🛡️
Talvez você curta
It's been fun writing @SemgrepRegistry rules for #AspNetCore and #csharp, you should try creating one too! Wanna learn how to fix these @semgrep findings? Check out my book! amazon.com/dp/180107156X
We just shipped automated security reviews in Claude Code. Catch vulnerabilities before they ship with two new features: - /security-review slash command for ad-hoc security reviews - GitHub Actions integration for automatic reviews on every PR
Wasting time fuzzing hardened code without hitting new vulnerabilities. Legacy black-box fuzzers stall at validation checks, missing deeper bugs. In Chapter 8 of my new book From Day Zero to Zero Day, you'll explore the advanced techniques behind coverage-guided fuzzing using…
McDonald's uses an AI bot called "Olivia" for hiring. A pair of hackers found they could access every conversation job applicants had with it—including all the personal info they shared—by exploiting security flaws as basic as using the password "123456". wired.com/story/mcdonald…
Oktajacking - Using Okta to keylog for initial access or as a sneaky form of SAMLjacking for lateral movement from a compromised SaaS app. Massive shoutout to @_xpn_ as I used his great research for this, I just applied it to different kill chain phases. pushsecurity.com/blog/oktajacki…
pushsecurity.com
Making Okta do keylogging for you
In this article, we'll show you how to use Okta to do keylogging for you, without needing to have your own malicious domain hosting your malicious SAML server.
👔 Security Architect & Principal Security Engineer Interview Questions A consolidated list of questions pulled from Glassdoor From: Netflix, Morgan Stanley, Wiz, & more * Technical * Behavioral and Influential * Frameworks/Design/Threat Modeling github.com/tadwhitaker/Se…
Just because you're using Okta, doesn't mean you're using SSO. I wrote a blog post covering: • What is SWA and what are the risks? • Extracting SWA passwords • Bypassing password reveal restrictions • Detection and response for Okta account breaches pushsecurity.com/blog/okta-swa/…
pushsecurity.com
Abusing Okta's SWA authentication method
We'll cover the implications of using Okta's SWA authentication method. Learn what security teams need to know in an account breach and IR scenario.
🛠️ Building a free Burp Collaborator with Cloudflare Workers How to use Cloudflare Workers to receive out-of-band connections during your web app testing (e.g. track when blind XSS triggers) and pipe the results to Discord blog.gbrls.space/blog/building-…
After the success of our security research, we decided to invest a $120k bounty and share our story and tools with you. Now, we are releasing an Automated Scans feature on VIDOC, allowing you to easily automate your #bugbounty hunting on a large scale! blog.vidocsecurity.com/blog/2022-summ…
😈 The Offensive ML Playbook A database of offensive ML TTPs covering: * Supply chain attacks * Offensive ML techniques * Adversarial ML Examples: * Poisoning an LLM’s ground truths * How to put malware in a model and distribute it By @WHITEHACKSEC wiki.offsecml.com/Welcome+to+the…
Just discovered a full account takeover on Grammarly.com, Vidio.com and more using a new OAuth attack technique. This is the last part of the OAuth trilogy; in total, we could take over 1+ BILLION accounts! salt.security/blog/oh-auth-a… #OAuth #hacking
What are HAR files? A HAR file is a recording of your current session & includes all web traffic including secrets & tokens. Admins usually share these files with customer support when troubleshooting issues. Here's a thread on how you can handle .har files safely. 🧵⬇️
🎓 Free Cybersecurity Course from Harvard An introduction to #cybersecurity for technical and non-technical audiences Self-paced, 2-6 hours/week over 5 weeks edx.org/learn/cybersec…
Chalk is now officially open source. Total visibility of your software engineering lifecycle. Designed for platform and security teams. eu1.hubs.ly/H05xD2d0
Now Generally Available: GitHub Advanced Security for Azure DevOps is ready for you to use devblogs.microsoft.com/devops/now-gen…
🗒️ Source Code Management Platform Configuration Best Practices Guide by @OpenSSF for securing SCM platforms * Harden CI/CD pipelines against supply chain attacks * Branch protection policies and access controls/permissions * Server-level policies best.openssf.org/SCM-BestPracti…
🤖 promptfoo A tool for testing your prompts. Evaluate and compare LLM outputs, catch regressions, and improve prompt quality. github.com/promptfoo/prom…
Just stumbled upon some pretty dope talks by @naugtur ❤️ 📜 "Eval all the strings! Hardened JavaScript" youtube.com/watch?v=Qjeh7Q… and his free workshop he did @defcon on: 📜 "Defensive coding and hardened JavaScript" naugtur.pl/pres3/lava/wor… github.com/naugtur/js-tra…
youtube.com
YouTube
Eval all the strings! Hardened JavaScript - Zbyszek Tenerowicz |...
🧠 Web AppSec Interview Questions A tough set of questions by @0xTib3rius covering: * XSS * CSRF * SQL injection * Web cache deception and poisoning * Session fixation * HTTP request smuggling * DOM clobbering * HTTP parameter pollution + much more tib3rius.com/interview-ques…
🌐 Wapalyzer A community fork of the deleted Wappalyzer project Can detect & identify the technologies used to build any website Supports patterns, regular expressions and coding finterprints By @Lissy_Sykes #bugbountytips github.com/Lissy93/wapaly…
United States Tendências
- 1. Sedition 204K posts
- 2. Texans 21.9K posts
- 3. Lamelo 8,825 posts
- 4. Cheney 96.9K posts
- 5. Treason 109K posts
- 6. Seditious 112K posts
- 7. Commander in Chief 60.3K posts
- 8. TMNT 5,365 posts
- 9. Constitution 127K posts
- 10. Coast Guard 27.7K posts
- 11. UCMJ 11.7K posts
- 12. UNLAWFUL 87.5K posts
- 13. Seager 1,578 posts
- 14. Last Ronin 2,858 posts
- 15. Justin Faulk N/A
- 16. Trump and Vance 38.4K posts
- 17. First Take 49.1K posts
- 18. Dizzy 7,740 posts
- 19. Jay Jones 2,598 posts
- 20. Hornets 8,401 posts
Talvez você curta
Something went wrong.
Something went wrong.