Mikhail Shcherbakov
@yu5k3.bsky.social
Doing security research. For fun and profit...
🌊 2025 YTD #BugBounty stats update, June:

📄 13 issues Reported (5 Crit, 2 High, 6 Medium)
💰 10 issues Paid
⚪ 1 Informative

Late update this time, just came back from vacation and started digging for new targets to research. I've had my eye on browser extensions for a while.
July 23, 2025 at 9:56 AM
🤓 2025 YTD #BugBounty stats update, May:

📄 11 issues Reported (4 Crit, 2 High, 5 Medium)
💰 9 issues Paid

A new month means 2 more RCEs reported 👌
This time I hit Chromium headless browser for the first time in BBPs.
June 11, 2025 at 11:47 AM
👌 2025 YTD #BugBounty stats update, April:

📄 9 issues Reported (2 Crit, 2 High, 5 Medium)
💰 8 issues Paid

Switched to monthly updates instead of weekly. Why? I don't drop new vulns every week 😅 My stats from the last months confirm my "capacity": ~2 RCEs per month.
May 13, 2025 at 9:59 AM
Just noticed @elastic.co shipped a bunch of CVEs for the 0-days I reported. Threading them here for memory and tipping my hat to the Elastic Security Team ❤️ top-tier BBP and meticulous triage. Highly recommended for Bug Hunters 😎
#bugbounty #0day #rce
May 7, 2025 at 7:19 PM
🫡 2025 YTD #BugBounty stats update, March:

📄 7 issues Reported (2 Crit, 1 High, 4 Medium)
💰 2 issues Paid

Reported 2 RCEs and some "collateral damage" for March. Still investigating new targets and developing my own tools.
April 2, 2025 at 6:50 PM
😵‍💫 2025 YTD #BugBounty stats update, Week 8:

📄 2 issues Reported (1 Crit, 1 Medium)

As you can see, the stats became even worse this week 😆 One RCE got classified as Medium for the first time in my life 🤯 Trying to negotiate and explain its impact, let's see how it goes...
February 25, 2025 at 11:18 AM
😐 2025 YTD #BugBounty stats update, Weeks 6-7:

📄 2 issues Reported (2 Crit)

Reported 2 RCEs and sticking to my plan of focusing on Criticals. Not too much for two weeks, but chaining vulns takes more time than expected.
February 17, 2025 at 5:27 PM
🚀 2025 YTD #BugBounty stats update, Week 5:

📄 0 issues Reported

I took the last days of my parental leave in Jan and spent most of the time with kids and family. No reports, no vulns, just quality time 👨‍👩‍👧‍👦
February 6, 2025 at 9:06 PM
Reposted by Mikhail Shcherbakov
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 4, 2025 at 3:02 PM
Now's the time to vote for the Top 10 Web Hacking Techniques of 2024! I'm excited to see my research "Exploiting the Unexploitable Insights from the Kibana Bug Bounty" nominated this year! 😎
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...
Top 10 web hacking techniques of 2024
Welcome to the community vote for the Top 10 Web Hacking Techniques of 2024.
portswigger.net
January 15, 2025 at 7:39 PM
🎄 2024 YTD #BugBounty stats update, Week 51:

📄 12 issues Reported (5 Crit, 3 High, 4 Medium)
💰 4 issues Paid
⚪ 1 Informational
🔴 1 OOS

Reported Prompt Injection, so I'm in the club now, bro 😎
December 27, 2024 at 9:13 PM
🫡 2024 YTD #BugBounty stats update, Week 50:

📄 11 issues Reported (5 Crit, 3 High, 3 Medium)
💰 4 issues Paid
⚪ 1 Informational
🔴 1 OOS

Keeping my promise to report something every week, even if it's not super critical or exciting.
December 16, 2024 at 11:15 AM
✌️ Bug Bounty Tip: If you don't have time to watch the full video, just check out this slide!

If you find a very restricted Prototype Pollution where you can only add empty objects or arrays to the prototype, but the gadget requires properties with payloads..

#bugbounty #bugbountytips #bugbountytip
December 11, 2024 at 12:02 PM
Reposted by Mikhail Shcherbakov
Dear Bug Bounty programs,

You cannot simultaneously prohibit bug escalation and pivoting _and_ insist reports include accurate evidenced risk calculations.

Regards,
A tired bug hunter
December 9, 2024 at 2:17 PM
🤒 2024 YTD #BugBounty stats update, Week 48-49:

📄 9 issues Reported (5 Crit, 3 High, 1 Medium)
💰 4 issues Paid
⚪ 1 Informational
🔴 1 OOS

me: Starting full-time BB 😎💻✨
Universe: Here, have the flu and a fever for a week 😜
me: Cool... not quite the "hot start" I had in mind 🥲
December 9, 2024 at 10:23 AM
Developers: “Finally…”
Bug Hunters: “We had a good run, old friend!”
Tomorrow, 10am, BinaryFormatter dies.
December 3, 2024 at 5:40 PM
Reposted by Mikhail Shcherbakov
oh.. 2 days is very optimistic for me 😆 I've got a few stories where I spent a LOT of time turning Info/Low into Critical. After 1-2 weeks with no results, it becomes obvious that it's not worth it financially, but I just can't stop.. Bug Bounty is kind of an addiction 😳
Here are some of my stories:
November 30, 2024 at 1:49 PM
If you missed it, my #DEFCON talk "Exploiting the Unexploitable: Insights from the Kibana Bug Bounty" is now live on YouTube!

youtu.be/H-bhmSwnRdY
DEF CON 32 - Exploiting the Unexploitable Insights from the Kibana Bug Bounty - Mikhail Shcherbakov
YouTube video by DEFCONConference
youtu.be
November 27, 2024 at 9:08 AM
🫡 2024 YTD #BugBounty stats update:

📄 7 issues Reported (4 Crit, 2 High, 1 Medium)
💰 4 issues Paid
⚪ 1 Informational
🔴 1 OOS
November 25, 2024 at 2:54 PM
Most common question for freshly defended PhDs: What's next? Honestly... I'd love to know too! God, give me a sign!

God: Your defense will be in room 1337.
me: Say no more. I shall become a Bug Hunter! Full-time Bug Hunter!
God: 😳
November 22, 2024 at 2:08 PM
Reposted by Mikhail Shcherbakov
In case you missed it...the DEF CON video of my talk 'Splitting the Email Atom' is finally here! 🚀 Watch me demonstrate how to turn an email address into RCE on Joomla, bypass Zero Trust defences, and exploit parser discrepancies for misrouted emails. Don’t miss it:

youtu.be/JERBqoTllaE?...
DEF CON 32 - Splitting the email atom exploiting parsers to bypass access controls - Gareth Heyes
YouTube video by DEFCONConference
youtu.be
November 22, 2024 at 7:27 AM
Reposted by Mikhail Shcherbakov
Hey BlueSky!

In case you missed it:

I've created cspbypass.com
A site where you can search for known CSP bypass gadgets to gain XSS.

It already contains a bunch of useful gadgets with contributions from your favourite hackers.

If you have some CSP bypasses to share, feel free to contribute!
November 14, 2024 at 2:57 PM
🎓 Major November Update: I successfully defended my Ph.D. thesis, "Code-Reuse Attacks in Managed Programming Languages and Runtimes"!

📖 Full text: github.com/yuske/PhD_Th...

Check it out if you're interested in attacks based on Prototype Pollutions, Object Injection Vulnerabilities, and want to...
November 21, 2024 at 4:45 PM