Fajr
@fajrsv.bsky.social
LoL Security | Web App Security Specialist | Bug Bounty Hunter
Reposted by Fajr
Meta illegally downloaded 80+ terabytes of books from LibGen, Anna's Archive, and Z-library to train their AI models.

In 2010, Aaron Swartz downloaded only 70 GBs of articles from JSTOR (0.0875% of Meta). Faced $1 million in fine and 35 years in jail. Took his own life in 2013.
February 7, 2025 at 4:45 PM
Reposted by Fajr
New blog post with @shubs.io:

We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.

Full post here: samcurry.net/hacking-subaru
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United State...
samcurry.net
January 23, 2025 at 5:44 PM
Reposted by Fajr

Israeli settlers attack Palestinians in occupied West Bank

www.channel4.com/news/israeli...
Israeli settlers attack Palestinians in occupied West Bank
With a ceasefire holding in Gaza, violence has flared in the occupied West Bank.
www.channel4.com
January 21, 2025 at 8:36 PM
Reposted by Fajr
Here is (finally) the writeup and conclusion of the challenge:
joaxcar.com/blog/2024/12...

Maybe not the best write-up, but I have to allow myself to actually post, rather than refactor, posts. I hope someone finds it useful. And thanks everyone that participated. Special shoutout to @terjanq.me
December 20, 2024 at 10:52 PM
Reposted by Fajr
I put together a VERY limited (for now) list of web hackers in a Starter pack:

go.bsky.app/9uay4Ad

A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
December 18, 2024 at 12:54 AM
Awesome presentation, to help discover WorstFit-style issues in the wild, by @orange.tw from his talk at Black Hat EU. He said "A detailed blog is on the way, but in the meantime, check out the pre-alpha website worst.fit for early access and the slides!". Go get it!
WorstFit!
worst.fit
December 12, 2024 at 7:38 AM
Reposted by Fajr
Want to level up your learning in security? 🚀 Stop scrolling and start reflecting.

'Reading Between the Lines' challenges you to dig deeper:
1️⃣ What can I learn from this?
2️⃣ What patterns apply elsewhere?
3️⃣ Why didn’t I spot this?

The real breakthroughs come when you ask the right questions. 💡

👇
PentesterLab Blog: Reading Between the Lines: A Guide to Thoughtful Learning in Security
Discover how to extract deeper insights from security content by going beyond surface-level understanding. This post explores a reflective approach to learning, helping you uncover patterns, improve y...
pentesterlab.com
December 12, 2024 at 3:16 AM
Reposted by Fajr
If you're interested in the technical details, I wrote the blog post here: flatt.tech/research/pos...

For further details, please check out the announcement from the OpenWrt team: lists.openwrt.org/pipermail/op... (2/2)
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection
Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at Flatt Security Inc. A few days ago, I was upgrading my home lab network, and I decided to upgrade the OpenWrt on my router.1 After ac...
flatt.tech
December 7, 2024 at 9:47 AM
Reposted by Fajr
🚀 v0.44.1 is here!

Say hello to Environments, a powerful way to handle context-specific cookies, API keys, and headers. Easily switch between environments to streamline your testing.

We’ve also added tab reordering, CA certificate importing, and SNI overrides.
November 30, 2024 at 8:01 PM
Reposted by Fajr
Pro-tip: gron is awesome for diffing JSON 🥰

github.com/tomnomnom/gron
November 29, 2024 at 11:29 PM
Reposted by Fajr
If you are interested in client-side hacking and browser quirks I strongly recommend going through this writeup by @maitai.bsky.social!
It was also cool to collab w/ him on the second chall 🤜🏿🤛🏻
blig.one/2024/11/29/f...
Flatt Security XSS Challenge - Writeup | maitai's blog
blig.one
November 30, 2024 at 6:20 AM
Reposted by Fajr
I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!

Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...
Remote Code Execution with Spring Properties
Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...
srcincite.io
November 26, 2024 at 11:57 PM
Reposted by Fajr
Such a great deepdive into cookies. Read!
Handling Cookies is a Minefield:

Inconsistencies in the HTTP cookie specification and its implementations have caused a situation where countless websites (including Facebook, Netflix, Okta, WhatsApp, Apple, etc.) are one small mistake away from locking their users out.

grayduck.mn/2024/11/21/h...
November 26, 2024 at 7:50 AM
Hack The World!
November 26, 2024 at 7:04 AM