Chris Dale
chrisdale.bsky.social
Principal instructor at SANS Institute. CHO (Chief Hacking Officer) and co-founder of River Security. Occasionally put content on YT: https://www.youtube.com/@chrisdale
Hackers don't wait, why should we? SANS 2025 Attack Surface & Vulnerability Management Survey – We Need Your Voice! survey.sans.org/jfe/form/SV_...
April 29, 2025 at 7:57 AM
Reposted by Chris Dale
Old school CSS escape room!

csscape-room.iamdanielmarino.com
CSScape Room
April 4, 2025 at 6:59 AM
Reposted by Chris Dale
For instance, if your Slack workspace blocks example[.]com, share a link with an explicit port left-padded with enough zeroes, e.g. httpx//:example[.]com:000443, and your link will be unfurled.

Admittedly not much of a security impact; just a broken functionality. 🤷

youtu.be/uI0JrHkLAXA

2/2
Slack: lack of port normalisation allows bypass of Blocked Previews
YouTube video by jub0bs
youtu.be
April 4, 2025 at 9:14 AM
I couldn't help myself do a kiosk escape considering the entire table is a touch screen menu
March 8, 2025 at 5:02 PM
The most fun time of the year is not Christmas! It's our hacker spaces youtu.be/u6DdqrmylZQ
Hacker Space - Skjelbred Poiree - River Security Hacking Team
YouTube video by River Security
youtu.be
February 28, 2025 at 12:52 PM
We're looking for passionate cybersecurity professionals, both junior and senior roles, to join our remote pentesting team. There is a hacking challenge below... Does this sound enticing? Message me.

209.38.109.251 (Reach out if you need hints) 💪
February 21, 2025 at 12:25 PM
Coaching a CTF team was one of last year's highlights. I hope I get to do it again. www.htx.gov.sg/whats-happen...
February 20, 2025 at 1:14 PM
In this podcast I am discussing things like how penetration testing is changing, modern penetration testing methodology, and more. www.youtube.com/watch?v=kRwG...
ktrlpanel ep 3 - Chris Dale | The evolution of pentesting, becoming a SANS instructor, remote teams
YouTube video by ktrlpanel
www.youtube.com
February 20, 2025 at 8:58 AM
Workforce | DOGE: Department of Government Efficiency
Workforce data for the U.S. government.
doge.gov
February 14, 2025 at 8:58 AM
Reposted by Chris Dale
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 4, 2025 at 3:02 PM
Very cool write-up on a deanonymizing attack using Cloudflare's Cache - gist.github.com/hackermondev...
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform - research.md
gist.github.com
January 23, 2025 at 7:16 PM
Credential stuffing — no advanced hacking skills needed. A short 6 minute video to explain the concept www.youtube.com/watch?v=1BTF...
Credential Stuffing: Hacking Without Being a Hacker
YouTube video by Chris Dale
www.youtube.com
January 21, 2025 at 3:52 PM
I'm not sure which is more frustrating: interacting with a support system run by an LLM or dealing with technicians who seem to rely solely on predefined playbooks without critical thinking...
January 8, 2025 at 7:24 AM
Setting up an unmarked malicious cable and it comes with a warning: "Do Not Eat"... Wow 🙈
December 24, 2024 at 12:26 PM
Feel like Santa Claus 🎅 Bug bounty on Christmas Eve. An IDOR which at first seemed impossible to enumerate, but once I reduced the JSON object to the least parameters that would still make the request work, I found two enumerable values which ended up in a nice vulnerability. Happy holidays!
December 24, 2024 at 11:32 AM
Honey, the browser plugin with godmode to your browser activity, found to rewrite affiliate links. Keep your browsers clean all, you use it for too much important stuff. www.youtube.com/watch?v=vc4y...
Exposing the Honey Influencer Scam
YouTube video by MegaLag
www.youtube.com
December 23, 2024 at 2:48 PM
I don't particularly enjoy questions like these, but then again, how would you answer it? I'd say: "Start with a problem, and what you want to achieve. Seek the answers by firmly understanding the problem and the technology you operate."
December 10, 2024 at 11:13 AM
FBI PSA; Some good tips on protecting against threat actors using AI against us. My favorite is to have a secret passphrase between family members to validate one another is not AI. www.ic3.gov/PSA/2024/PSA...
Internet Crime Complaint Center (IC3) | Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud
www.ic3.gov
December 6, 2024 at 9:17 PM
A common question (or rather, statement) I often hear from everyday users is, "Clearly, my phone is listening to everything I say—I keep getting targeted ads based on my conversations." Well, they are listening, just not in the way most people think. The EFF breaks it down for us here:
Is My Phone Listening To Me?
www.digitalrightsbytes.org
November 18, 2024 at 10:10 PM
Ever since the Gen AI revolution started I've found myself more and more skeptical about any and all content I read. Even direct messages with people sometimes make me go 🤨
November 18, 2024 at 6:15 PM
Reposted by Chris Dale
Intentionally vague post:

If you've pentested an org and they later have "an incident," I recommend you don't write speculative blog posts about how you think it maybe went down. 💩
November 18, 2024 at 6:12 PM
Reposted by Chris Dale
And another thing - if you make a commit with an e-mail that belongs to an existing account, GitHub will happily pull that account's name and avatar :)
Here's MSFT fixing a bug in my project :)
November 18, 2024 at 9:31 AM
One of the tips I give for getting started in cyber security is to study kill chains and the corresponding TTPs in them. Every day, a new TTP. Up for the challenge? Start with attack.mitre.org. Every day, study a new TTP and make sure you understand it.
MITRE ATT&CK®
attack.mitre.org
November 18, 2024 at 8:55 AM