infosex.exchange <3

You are probably looking for the infosec.exchange Mastodon instance

This host is mostly for my random stuff, and in little part acts like a well-intentioned placeholder for the typosquatted domain.

Discoverability and Archiving

Currently I'm using this host for saving the items from my own feeds to the Wayback Machine and provide in-links for search engines. I hate that I have to do this, but the non-sense ideology of Mastodon pretty much ruined the search feature for Fediverse as a whole, and this wasn't changed by the fact that they owned their mistake and implemented search eventually.

Yes, I (or anyone else) could do similar things with other peoples published feeds, regardless of the tantrum. No, you can't defederate this, because the process doesn't rely on an instance.

Gluttony Section for Search Engines

@alecmuffett @dave_aitel You are right, bugs are part of the reasoning, and I think we agree on that part. I still think that everything else (incl. "targeting methodology") makes this whole situation interesting.
this post | permalink
PSA: My notifications have been broken for some time, your message may not reach me.
this post | permalink
@alecmuffett @dave_aitel Is this really about the bugs or other details of the operation? It seems reasonable the G redacted C2 servers for example, but there's plenty of info about post-exploitation that has little to do with bugs, but seem quite useful for forensics.
this post | permalink
I mentioned the other day that I don't really like video content.

Now I realized I'd love to watch a good tutorial video(series) on #IPv6.

Any recommendations?
this post | permalink
[RSS] plORMbing your Django ORM

https://www.elttam.com/blog/plormbing-your-django-orm/
this post | permalink
@freddy @swapgs thanks, it was a detour really, but I hope I'll get back to the topic sometime :)
this post | permalink
@swapgs if control over the dst of the request is the differentiator I'd argue that controlling the host vs route vs ... is conceptually the same, eg:

- /api/foo can be proxied differently than /api/static
- /?action=... can lead to totally different parsers
this post | permalink
@swapgs SSRF, but maybe I misunderstand
this post | permalink

The V8 Heap Sandbox by Samuel Gross

https://www.youtube.com/watch?v=5otAw81AHQ0

Finally managed to watch this (h/t @swapgs for the reminder), some things that struck me:

  • Browsers are OS’s and now they demand CPU features for security
  • We need security boundaries that are testable - so happy to see this concept implemented at such a fundamental component!

Also, make sure to watch the Q&A part :D

#OffensiveCon24

this post | permalink
@foone Weren't they called TrueType exploits?
this post | permalink
Next Page