Leaking File Contents with a Blind File Oracle in Flarum – Assetnote
Flarum is a free, open source PHP-based forum software used for everything from gaming hobbyist sites to cryptocurrency discussion. A quick survey on Shodan suggests…
Welcome to the 6th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners.…
It’s been reported that 2.6 million user records sourced from the Duolingo app are for sale. The attacker apparently obtained them from an open API…
Bringing clarity to questions about Prompt Injection Security Everyone loves talking about prompt injection, but the real impact to an application is often hard to…
We recently discussed the new SEC rule requiring all registered companies to report material cyber incidents within four (4) days. Now the National Credit Union…
I hope you’ve been doing well! What We’re Known For It’s long had a place in my heart, as I loved the TV show as…
I think AI is about to massively improve the quality of our best content. But not for the reason you might expect. Not because AI…
The debate was quite fun to watch, but also frustrating. What irked me about the debate—and all similar debates—is that they fail to isolate the…
So we’re seeing homograph attacks again. Examples show how ‘apple.com’ and ‘epic.com’ can be mimicked by the use of Internationalized Domain Names (IDN) consisting entirely…
While researching a web application last February, I learned about Slanger, an open source server implementation of Pusher. In this post I describe the discovery…
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps…
Download my transcription of Bill Evans’ piano solo in I’ve Got You Under My Skin below. The solo starts around the 1:04 mark on the…