Louis Dion-Marcil
ldionmarcil.bsky.social
vegan btw. appsec @ mandiant/google cloud. opinions my own etc
Reposted by Louis Dion-Marcil
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥

The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇

gmsgadget.com

1/4
July 24, 2025 at 3:31 PM
wrote some words about vulnerabilities i found in Aviatrix during a red team cloud.google.com/blog/topics/...
Trix Shots: Remote Code Execution on Aviatrix Controller | Google Cloud Blog
Red team case study detailing the discovery of two critical vulnerabilities in the Aviatrix Controller software.
June 23, 2025 at 3:04 PM
Reposted by Louis Dion-Marcil
TeleMessage, the Israeli company that makes the modified Signal app used by Trump officials, was hacked. “I would say the whole process took about 15-20 minutes,” the hacker said micahflee.com/the-signal-c...
The Signal Clone the Trump Admin Uses Was Hacked
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked.
May 4, 2025 at 10:03 PM
Reposted by Louis Dion-Marcil
🚀 Another plugin in the Caido Store!

Introducing "Data Grep" by @bebiksior.

Extract data from requests and responses. Great for building wordlists, finding secrets, or powering your recon.

Check it out: github.com/caido-commun...
April 24, 2025 at 7:37 PM
Reposted by Louis Dion-Marcil
Got sniped into the challenge and ended up doing some cool XSS research :D

11 char XSS with mind-boggling race-conditions.

TL;DR the final payload is location=x (10 chars) and the longest is top.Z.x=x.d (11 char)

It's shorter than location=name !!

terjanq.me/solutions/jo...
December 14, 2024 at 1:17 PM
I wrote a thing with my colleague Ilyass El Hadi (0xc0ffee_) & Charles Prevost, about how we've been leveraging offensive webapp testing during Red Teams. 4 use cases of external breaches using webapps inside, enjoy! #appsec

cloud.google.com/blog/topics/...
Bridging the Gap: Elevating Red Team Assessments with Application Security Testing | Google Cloud Blog
Red team and targeted external assessments should incorporate application security expertise to better simulate modern adversaries.
December 6, 2024 at 8:12 PM
Reposted by Louis Dion-Marcil
Environments are something I've wanted for a while now.
November 30, 2024 at 8:08 PM
Reposted by Louis Dion-Marcil
My latest blog post is live! nastystereo.com/security/cro...

Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon
November 27, 2024 at 9:10 AM
Been having a ton of fun solving these, only 2/3 done and i'm quite humbled so far
challenge-xss.quiz.flatt.training
Flatt Security XSS Challenge
Execute alert(origin) on each challenge origins.
November 21, 2024 at 5:58 PM
Reposted by Louis Dion-Marcil
add that to the reasons to stop using bash in production pipelines yossarian.net/til/post/som... #security #cicd #appsec
TIL: Some surprising code execution sources in bash
November 21, 2024 at 5:16 PM