LightNews
steven.srcincite.io
ϻг_ϻε
@steven.srcincite.io
1.1K followers 110 following 48 posts
Hermetic Initiate. Exploring conscience and the nature of reality. I also hack things.
Posts Media Videos Starter Packs
Reposted by ϻг_ϻε
ulldma.bsky.social
Peter Stöckli @ulldma.bsky.social · Mar 12
If you're using ruby-saml or omniauth-saml for SAML authentication make sure to update these libraries as fast as possible! Fixes for two critical authentication bypass vulnerabilities were published today (CVE-2025-25291 + CVE-2025-25292).

github.blog/security/sig...
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
github.blog
1 10 11
Reposted by ϻг_ϻε
astrojaz.bsky.social
Jasmine 🌌🔭 @astrojaz.bsky.social · Feb 5
NEW JWST IMAGE SHOWING A PROTOPLANETARY DISK AROUND A NEWLY FORMED STAR!!! 🤩
A close-in image of a protoplanetary disc around a newly formed star. Many different wavelengths of light are combined and represented by separate and various colors. A dark line across the center is the disc, made of opaque dust: the star is hidden in here and creates a strong glow in the center. A band going straight up is a jet, while other outflows form flares above and below the disc, and a tail coming off to one side.
30 210 1K
Reposted by ϻг_ϻε
artsploit.com
Michael Stepankin @artsploit.com · Jan 22
Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...
1 16 28
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Jan 22
a cartoon character is holding a bunch of money and the words shut up and are above him
ALT: a cartoon character is holding a bunch of money and the words shut up and are above him
media.tenor.com
1
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Jan 22
This is what I love about Chris, authenticity: muffsec.com/blog/abstain.... Btw I couldn’t agree more with his conclusion about the event.
Abstaining From Pwn2own – muffSec
muffsec.com
3
Reposted by ϻг_ϻε
swiftonsecurity.com
SwiftOnSecurity @swiftonsecurity.com · Jan 17
Bitcoin is enemy of culture because it introduces monetary incentive where only prestige belongs.
2 16 180
Reposted by ϻг_ϻε
stephenfewer.bsky.social
Stephen Fewer @stephenfewer.bsky.social · Jan 16
I wrote a PoC for the recent Ivanti Connect Secure stack buffer overflow, CVE-2025-0282, based on the exploitation strategy watchTowr published, along with an assessment of exploitability given the lack of a suitable info leak to break ASLR: attackerkb.com/assessments/...
1 8 11
Reposted by ϻг_ϻε
kelseyhightower.com
Kelsey Hightower @kelseyhightower.com · Jan 13
What's the point of being rich if you can't afford to do the right thing.
740 4.2K 28K
Reposted by ϻг_ϻε
jameskettle.com
James Kettle @jameskettle.com · Jan 8
Nominations are now open for the Top 10 Web Hacking Techniques of 2024! Browse the contestants and submit your own here:
portswigger.net/research/top...
Top ten web hacking techniques of 2024: nominations open
Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an
portswigger.net
1 19 28
Reposted by ϻг_ϻε
natashenka.bsky.social
Natalie Silvanovich @natashenka.bsky.social · Jan 10
Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities audio codecs now fully-remote. This bug in an obscure Samsung S24 codec is 0-click

project-zero.issues.chromium.org/issues/36869...
Project Zero
project-zero.issues.chromium.org
1 16 38
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Jan 3
youtu.be/a6EnyQ0Dy50?...
Aleph Bass — an aleph bet song by Darshan :: אלף בית – דרשן
YouTube video by Darshan Project
youtu.be
1
Reposted by ϻг_ϻε
agarri.fr
Nicolas Grégoire @agarri.fr · Dec 27
Positive Technologies published two scenarios they encountered during pentests, where they pivot to the internal network thanks to an Internet-facing Exchange server and its numerous SSRF vectors 💎
static.ptsecurity.com
1 3 6
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Dec 27
Nice fail troll
Reposted by ϻг_ϻε
agarri.fr
Nicolas Grégoire @agarri.fr · Dec 20
TIL how easy it is to ask curl to dump TLS session keys to disk 🛠️

Simply set the environment variable `SSLKEYLOGFILE=/path/to/file` 😅 Note: it also works for Firefox and Chrome

Extremely useful when combined with Wireshark 👍
6 36 130
Reposted by ϻг_ϻε
ajxchapman.bsky.social
Alex Chapman @ajxchapman.bsky.social · Dec 22
CVE-2024-12727 Sophos coming in with an unauthenticated SQLi in their firewall appliance 👏
ajxchapman.bsky.social
Alex Chapman @ajxchapman.bsky.social · Dec 18
CVE-2023-34990 🤦‍♂️🤦‍♂️
2 26 95
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Dec 22
These are some really nice blog posts regarding algo confusion bugs in JWT by @pentesterlab.com pentesterlab.com/blog/jwt-alg... & pentesterlab.com/blog/another... nice one @snyff.pentesterlab.com!
PentesterLab Blog: Another JWT Algorithm Confusion Vulnerability: CVE-2024-54150
Discover how a code review uncovered a JWT algorithm confusion vulnerability (CVE-2024-54150). Learn key insights to enhance your security skills and spot vulnerabilities effectively.
pentesterlab.com
1 5 20
Reposted by ϻг_ϻε
cameratrapsue.bsky.social
Sue @cameratrapsue.bsky.social · Dec 21
Happy Winter Solstice!

These photos were taken with a pinhole camera I made from a beer can and left out from Summer to Winter Solstice - a 6 month exposure.

Bottom line = Winter Solstice. Top line = Summer Solstice.

The lines are the Sun moving across the sky w/some reflections. No line = clouds
A pinhole camera photo taken from Summer to Winter Solstice. It's a bit blurry as the aperture was made with a tiny needle and no focus mechanism. There are yellow to green lines across the photo, that's the Sun moving across the sky over the course of a day. The top line is from the Summer Solstice, the bottom line from the Winter Solstice. Cloudy days don't have any lines or broken lines as the Sun was obscured by clouds. There are some trees on the left, right and in the background. A pinhole camera photo, a 6 month exposure from Summer to Winter solstice. There are trees on the right side and background. A house with two cars in the drive are visible almost in the center of the photo. The lines are made from the Sun moving across the sky with the bottom line being the Winter Solstice and the top line the Summer solstice. On cloudy days the lines are broken or not visible as the sun was obscured by clouds. The lines show some reflections from a tree trunk. The lines are mostly a white color with some hints of blue, green and yellow in places. Some of the colors could be from rain or snow staining the paper I was using.
170 1.5K 5.2K
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Dec 22
Life doesn’t need to be complicated
2
Reposted by ϻг_ϻε
chudypb.bsky.social
Piotr Bazydło @chudypb.bsky.social · Dec 19
[4/n] My Hexacon 2023 talk about .NET Deserialization. New gadgets, insecure serialization (RCE through serialization) and custom gadgets found in the products codebase.

Talk: www.youtube.com/watch?v=_CJm...

White paper: github.com/thezdi/prese...
HEXACON2023 - Exploiting Hardened .NET Deserialization by Piotr Bazydło
YouTube video by Hexacon
www.youtube.com
2 5
Reposted by ϻг_ϻε
snyff.pentesterlab.com
Louis Nyffenegger @snyff.pentesterlab.com · Dec 18
I put together a VERY limited (for now) list of web hackers in a Starter pack:

go.bsky.app/9uay4Ad

A lot of people are missing (I will try to add more as I find them) but make sure you follow people already in the list!
3 14 31
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Dec 18
It’s a different poc per app that’s vulnerable. Most struts apps that use a vuln framework are probably not vuln because they still need to implement an upload feature in a specific way. TL;DR don’t lose sleep over it.
1 1 3
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Dec 17
S2-067 is a fantastic bypass of the patch for S2-066. It uses ONGL to re-write the upload filename property in order to bypass the filename path traversal checks.

PoC: if the target bean is called "UploadFile" the your target parameter is "top.UploadFileFileName". 🤯
2 6
Reposted by ϻг_ϻε
phrack.org
Phrack Zine @phrack.org · Dec 16
We updated our CFP for Phrack 72! The deadline is now April 1st 2025. Check the site for specifics on how to contribute, as well as some inspiration! We also posted a link to purchase physical copies of Phrack 71, and a donation link too. Enjoy!

phrack.org
screenshot of the CFP on phrack.org
4 60 120
Reposted by ϻг_ϻε
junlper.beer
onion person @junlper.beer · Dec 17
wokism is out of control
100 380 7K
steven.srcincite.io
ϻг_ϻε @steven.srcincite.io · Dec 16
…and what is your office? My office is that which is in the higher aspirant of the soul - Ma’at