6
109
1,454
77,022
Thanks to everyone for watching my talk! Here are the slides used: (video re-post will be handled by @nahamsec) pdf: drive.google.com/file/d/1iC0… pptx: drive.google.com/file/d/1XQ9… (has the animations)
7
231
586
7
28
248
20,875
So naturally the first thing I want to try is MiniPC M.2 M-key -> M.2 M-key to PCIe x16 adapter -> PCIe to PCI adapter -> PCI to PCIe adapter -> a TPLink PCIe Gigabit Ethernet controller. Any takers on if this monstrosity of a PCI hierarchy will link up and enumerate?
9
52
213
I developed a 1-python file snapshot-based fuzzer example to show the power of snapshot fuzzing even if your fuzzer loop is in pure python. This is just an educational toy fuzzer. Inspired by @gamozolabs, based on @h0mbre_ 's blog github.com/defparam/Coldsnap
6
39
223
Practical Attacks using HTTP Request Smuggling from #NahamCon2020 piped.video/watch?v=3tpnuzFL…
9
52
211
Hey all! first blog post. Are the popular fuzzers just for binary exploitation? In this blog post I outline how you can find logic issues in web-related regular expressions using differential fuzzing. (spoiler: 29 lines of python using Google Atheris) defparam.medium.com/finding-…
1
86
200
So I did promise blog posts on RS CLTE-style attacks, I guess this will have to do for now. Often times with RS hijacking you can throw a victim into an open redirect to steal their tokens/cookies. Many thanks to @SlackHQ for fixing this within 24-hours of discovery #bugbounty
Slack disclosed a bug submitted by defparam: hackerone.com/reports/737140 - Bounty: $6,500 #hackerone #bugbounty
21
52
200
Example of using Turbo Intruder in a "listen and attack" mode. A hidden secret: you can have turbo intruder scripts use the burp plugin API. Here we use burp.IProxyListener to intercept requests and reissue them inside turbo intruder mutating the method. gist.github.com/defparam/840…
5
42
180
Be careful running turbo intruder on an endpoint that triggers snail mail. Luckily it was only 40 requests📨♻️
4
9
163
New blog post for pentesters and bug bounty hunters: A walk though on how to set up Burp Suite for iOS App testing on both a physical jailbroken iOS device and also an emulated jailbroken iOS device on @CorelliumHQ #bugbounty defparam.medium.com/ios-app-…
4
62
149
Can anyone take a guess what my talk will be on? Practical HTTP Request Smuggling Attacks :)
Excited to announce #NahamCon with @stokfredrik, @_johnhammond and @thecybermentor on Junst 13, 2020 with talks from @samwcyo, @TomNomNom, @snyff, @Jhaddix, @intigriti, @Jhaddix, @zseano, @defparam, @ChloeMessdaghi, @jcran, and more! Website will be live later :)
6
19
136
What is HTTP Response Queue Poisoning? Check out my talk "Practical Attacks using HTTP Request Smuggling" this Saturday There I will share 3 common techniques I used in past RS reports and 2 PoCs demonstrations of session stealing :) Bonus: I may be releasing some tools ;)
Everything you need to know about #NahamCon: Schedule: nahamcon.com Discord: discord.gg/ucCz7uh CTF: ctf.nahamcon.com Donate: wicys.org/donate Thank you @TheParanoids, @eLearnSecurity, @intigriti, @yeswehack, @Bugcrowd, @SynackRedTeam & @Hacker0x01!
9
26
140
Here are a couple of things some HTTP reverse proxies normalize which requires careful parsing #bugbountytip Absolute Endpoint Normalization: Frontend: GET https://<host>:<port>/ep HTTP/1.1 ... Backend: GET /ep HTTP/1.1 Host: <host>:<port> ...
6
25
105
Gist of the Day - Turbo Intruder Cluster Bomb with Smart Filtering. 100 line script to dirsearch a host using different HTTP methods with Smart Filtering of responses with common status+length gist.github.com/defparam/806…
4
41
102
Fuzzing community: any write ups on clever tips/tricks/methods around developing harnesses? I would love to read more about practical harness development when hard to reach surfaces aren’t given to you in a nice clean API. i.e: enjoyed reading this one: research.checkpoint.com/2018…
3
26
99
When choosing a good bounty program on h1 you really need to look at all the program data altogether. Unfortunately the h1 directory doesn't list all data and all programs in a single view. I wrote a tool called h1stats to scrape data into 1 CSV github.com/defparam/h1stats
5
21
96
Why go for impact? Write descriptive reports? Give PoC + Video? because your duplicate may turn into a paid out Crit if the program prefers your report over the first finder. Shout outs to this h1 priv program, thats how you run a bounty program. #togetherwehitharder #bugbounty
4
5
94
Replying to @hakluke
I don’t understand how anyone could say that with such confidence. I’d be reluctant to say that with my simple home network. I guess blind confidence gets you that top job
1
85
7,958
I'm glad a lot of people are resonating with the way I explained this RS CL.TE attack in the report. I'm a visual learner so I always go to diagrams to understand or convey technical concepts. Here are the diagrams from the report
6
22
91
Today is the day, come join #NAHAMCON2020 and watch the talks. Come see my talk (roughly 1:30PM PDT), I'll have a couple new git repos going live 😎
1
10
86
Page Walking Cheat Sheet: Architecting a page walker on FPGA. Tired off looking up this info over and over. Placing it here hoping that it helps others and "future me" #wininternals #fpga
3
21
90
For a few months, @samwcyo, @bbuerhaus, @rhyselsmore and I focused on hacking EPP servers / ccTLD zones. We're disclosing our work today on the hackcompute blog: hackcompute.com/hacking-epp-… Our efforts in this space led to the ability to control the DNS zones of the following ccTLDs: .ai, .bj, .bw, .ci, .gl, .ke, .kn, .lb, .ly, .mr, .ms, .mz, .ng, .pyc, .rw, .so, .ss, .td, .zm.
1
7
81
12,589
Finally made it to the 4-digit club. You guys are tough to keep up with. #togetherwehitharder
9
1
86
Sigh... people keep getting startled by double HTTP responses in burp thinking that it is HTTP Request Smuggling when it's actually HTTP Request Pipelining gist.github.com/Glassware123…
4
20
77
To continue research into how broken HTTP/1.1 reverse proxies are I wrote a fuzzing framework to throw mutations at reverse proxies (with backend observation). I've only gone couple hours into testing before I found some serious issues. Time to report!
4
9
71
Haptyc - A Test Generation Framework for Turbo Intruder. This library adds payload position support and Sniper/Clusterbomb/Batteringram/Pitchfork attack types into Turbo Intruder. Enjoy! github.com/defparam/haptyc
31
73
Welcome all new followers, I didn’t expect my work to attract so many, thanks a ton for your interest in niche bugs! I’m not necessarily a content creator but I do love to share my findings/work/research with the community when possible. Pax et Amor ☮️❤️
5
67
I don't know about y'all but over the weekend I played around with single-packet attacks on stateful endpoints. There's a lot of weirdness out there... It's super easy to issue them in the repeater too. I have a hunch that this is going to create a lot of "fun" problems
Thanks to everyone who came to the #DEFCON31 edition of Smashing the State Machine! I'll be hanging around chilling for the next couple of days; feel free to say hi. Hope the techniques yield many crazy bugs for you in future :) portswigger.net/research/sma…
1
6
68
19,697
Any interest on a starting a discord server primarily focused on Web Security Research and Tooling? No discussion of bug bounty, bug bounty support. Sort of keeping it research based/academic for researchers + tool devs? Does this exist already? @garethheyes @albinowax @Agarri_FR
15
4
68
In a recent @Hacker0x01 collaboration with none other than Mr. @NahamSec, We got a HIGH on one HTTP Request Smuggling report that turned into an MS IIS Advisory. If you run IIS take a look portal.msrc.microsoft.com/en…
Did some hacking with @defparam a while ago and didn't expect this to come out of it: ADV200008 | Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers 😂 portal.msrc.microsoft.com/en…
2
3
67
10 Triaged Crit/P1, 1 Triaged High, 2 Triaged Medium. All of them HTTP Desync bugs in the span of 2 months (The crits being session cookie/token stealing). This bug class is real and needs more attention...
6
5
70
I’m super happy people are finding weird issues and responses with smuggler.py. Sadly I can’t help everyone escalate from there. Every infrastructure is different. Similar to finding signs of SQLi or Java Deserialization, Desync attacks may need very specific payloads
3
4
64
Random tip: If you watched a technical con talk several months ago on a topic you've been researching/testing since then, go back and re-watch the old talks. It's amazing how many subtle details start to "click in" and make sense the second/third/fourth time around. #bugbountytip
2
11
60
Youtube links aren’t up yet but If you want to check out the video to my talk “Practical Attacks using HTTP Request Smuggling” you can hit up the Nahamcon2020 twitch archive link here: twitch.tv/videos/649748420?t… (at 4:28:00) Response Queue Poisoning explained at the end of the talk
1
8
59
With "Cached and Confused: Web Cache Deception in the Wild" taking the #1 spot, and @albinowax 's HTTP Desync Attacks being the community favorite can we all admit now that proxying HTTP traffic through these "transparent proxies" fundamentally breaks HTTP?
2
14
55
@s0md3v Here in an example of a JSON/Structure aware fuzzer I wrote for turbo intruder. On queueRequests I create a nice abstraction to parse, iterate, modify every value in a JSON body and issue out a test for each mutation/value. gist.github.com/defparam/b60…
1
18
56
It would have never crossed my mind to realize that as hobbyists we have the PCB manufacturing capabilities today to completely interpose a 150 pin CPU from the 2000s... blog.ret2.io/2023/08/09/jtag…
3
9
54
4,897
An older write-up but a good story of using structure aware fuzzing to find bugs in PHP unserialize. Specialized fuzzers like this can be very powerful. evonide.com/fuzzing-unserial…
14
52
Looking to give back to the community, I studied .@albinowax 's HTTP Request Smuggling research, took his payloads from his BURP plugin code and create a testing tool in python called Smuggler. !!TIMEOUT!! == potential issue. Hoping to release by next week. #togetherwehitharder
10
10
51
h2echo - an extremely permissive h2 webserver for the purpose of visualizing malformed h2 requests. finishing up this and h2smuggler in order to provide commandline alternatives to burp's h2 testing tools and to make it easier for others to research in this area (more to come)
3
3
51
If you enjoy FPGAs and hacking PCI, here is a reference platform for all that I've used to build PCI devices on the DE0-Nano FPGA board and test on x86 SBCs. I can confirm it working enumerating my "1337"-Communication Controller. Enjoy! github.com/defparam/PCI2Nano
2
6
49
It certainly does! PCI/PCIe is a fairly well written spec with special care to backwards compatibility. Those pericom chips on the Startech adapter boards are pretty nifty too.
2
1
45
Everyone purchase your ferraris, I found naffy's secret hes been trying to hide from us
like $120k USD in the past couple weeks we out here
4
6
46
16,663
This is actually my first bounty ever awarded to me. Thanks @NahamSec for your @Twitch streams which got me started on this journey. I'm glad to hear that you are back! #TogetherWeHitHarder
6
2
45
New server day🎉 Supermicro 92 cores - Quad Xeon - 768GB ECC DDR4. Just in time for several fuzzing harnesses I whipped up, also I get to warm my cold basement a little, Win/Win.
5
2
47
This LK-99 stuff feels like a insane CVE with everyone patch-diffing for a PoC
1
4
40
16,374
github.com/defparam/BAR-Tend… - I finally released BAR-Tender v0.1 - A UMDF2 driver/app framework to provide easy local physical memory access through the PicoEVB FPGA mapped I/O device. Use this as a foundation for your DKOM/Kernel hacking and Win64 FPGA acceleration needs 😈
2
16
41
Learn how to reverse engineer Android application APIs yasoob.me/posts/reverse-engi…
1
15
36
PCIe is a little too modern for me. So I decided to create a PCI adapter board for my DE0-Nano and hook it up to the Startech PEX1PCI1 . I have no functions to show yet but I am writing my config space driver in verilog and able to see the queries in signaltap. That is all!
4
3
32
People upset about bug dupe rules on Pwn2Own/ZDI. Hackers on @Hacker0x01 @Bugcrowd with hundreds of non-paid dupes over the years:
Replying to @ryanaraine
Sincerely I don’t get it. So many folks have been burned by that, changing that rule at this time would be exactly the wrong message to send. And frankly I don’t think it’s changeable. Vendors are always restrictive with bounties, first one in gets the prize, literally.
2
37
Thinking about updating smuggler to support more test variations and the latest HTTP/2 research. 🤔 I did some work tonight on HTTP/2 and it looks feasible
2
3
35
My talk on Haptyc is up soon at twitch.tv/hackeronetv Being able to specify positional tags on your Turbo Intruder requests gives testers a ton more power to test random mutations in an easily expressible and constrained way. Github link coming up soon. #hacktivitycon2021
1
8
35
#BasementLab , when you need to go deep on a target 😈. prepping the lab for some HW/IoT testing this week
1
35
I'm thinking about starting a twitch stream on low-end FPGA development and my retro projects. There are lots of trick in FPGA dev that I think would be fun and useful to publish...
3
33
Honestly I find this to be the fastest way to set or switch server / protocol configurations in Burp Repeater
Never knew one could "Paste URL as request" in Burp until I watched @defparam's talk at #nahamcon yesterday 🧐
1
6
32
After 8 years working on hardware architecture and FPGAs for @AlteraCorp / @IntelFPGA , yesterday was my last day. I will miss my co-workers. Going forward I’m excited to be shifting my career focus to infosec and web security. More details to come 🙂
4
33
Btw, if you hadn’t figured it out yet Jonathan Scott is just some campaign exploiting Cunningham’s law to DoS infosec researchers into wasting time on Twitter rebutting baseless claims. And it’s working pretty damn well
1
1
34
Just a kind PSA to users of smuggler.py: Please don't report the results of a scan directly to BB programs as a bug without manual confirmation. Smuggler.py errors are not direct evidence of a vulnerability. Show impact, not logs
5
5
32
Oh btw, I have to bring this up because I just watched @G0LDEN_infosec’s amazing defcon talk. If you are thinking about dipping your feet into designing serverless workloads for your automation/semi-automation check out his talk: piped.video/aaDe1ADh5KM
3
2
36
6,926
Thank god they were able to implement native support of Ads and telemetry before these useless features
Windows 11 is getting native support for 7-Zip, RAR, and GZ archives formats in an update coming this week. bleepingcomputer.com/news/mi…
1
6
30
4,036
hehe, good job varnish
2
1
32
Decided to look up the history/format of the "User-Agent" string. It's cursed🤦‍♂️ stackoverflow.com/questions/…
6
33
Replying to @TomNomNom
- Scheduling meetings at comfortable times (if timezone is an issue) - If the co-located team goes out for company sponsored lunch I've been given budget to take my fiancee out to dinner
33
Replying to @robertgraham
Reminds me of the hell one person (a security researcher no less) willingly went through when they decided to purchase the California vanity license plate 'NULL' wired.com/story/null-license…
1
2
27
2,463
Want the easiest start in full automation? Literally create a single python script that does 1 security check and has a slack webhook that fires if the check hits. Throw that script on AWS Lambda or Digitalocean Functions with a daily execution schedule and forget about it.
4
3
32
7,389
Welp, just when I thought I walked away from Request Smuggling @albinowax pulls me back in…
1
33
OK a couple interesting things about this request smuggling bug: 1) My smuggler.py picked up on it for only the DELETE verb (I hadn’t seen that before) 2) The issue manifested somewhere in Akamai
2
5
29
hello world
1
2
31
Next research path will be into binary fuzzing, Looking to buy a decent fuzzing rig to start out, i’m thinking dual-socket Gold Xeons around 32 cores with around 256GB ram. Input welcomed, not cost constrained at the moment but starting small
9
1
30
piped.video/watch?v=T88LhuoQ… While retro enthusiasts argue over FPGA vs. Emulator I went the "Why not both?" path and integrated an FPGA RTL simulation model into Higan (cc @byuu_san). Instead of fighting, both groups can actually help each other move forward to the same goal :)
2
6
28
reconfig.io/2018/05/hello_wo… With a lot of cool FPGA-based projects being written in Migen these days I decided to jump head first into it tonight. Here is a write up of my LED driver written in Migen. My early impressions are that I really enjoy it, but need way more practice.
4
5
31
For those who use Turbo Intruder day-to-day, check out response decorators for response matching/filtering. I created these decorators for everyone to use who wants fuff-like matches/filters applied in turbo intruder as 1 line function decorations. Enjoy!
Turbo Intruder 1.21 was just released, with a shiny new way of filtering responses by @defparam. Check out the docs: github.com/PortSwigger/turbo…
5
1
28
Taking a little break from websec to do a little hardware hacking tonight (FPGAs/PCIe/PCI specifically). I received my Seeed Odyssey board, these Celeron J4105-based MiniPCs are pretty nifty. I also have some M.2 adapter boards, PCIe-2-PCI bridge and PCI-2-PCIe bridge
2
3
30
We don’t know everyone’s story to pirate, I’ve definitely dabbled in keygens when I was a teen and had no other money. One pro move would be for bounty programs to gift a pro license if they see evidence of cracked software in a valid report. Everyone wins
"ethical" hackers using cracked @Burp_Suite in #bugbounty submissions 🤷‍♀️
2
1
30
10,099
This. This is why at times I enjoy building my own tools even tho there already exists known popular ones in the community. The abstraction some tools create: 1) dulls your knowledge on what is going on at a low level and 2) forces you to follow a specific author's abstraction
Replying to @SwiftOnSecurity
Tools can also dull your skills. When everything you experience about a system is filtered through a disparate set of other people’s interpretations, you cannot connect underlying dots and behaviors you would readily observe if forced to do so directly using the native toolset.
2
5
26
An HTTP Request Smuggling CL.TE bug lets you redirect a victim connection to a forged endpoint with GET parameters. FYI you can execute a forged graphql query this way on the victim by using: GET /graphql?query=<query> #bugbountytip
8
28
Hey all, I open sourced an RTL implementation of a PCI core and an 8250-compat PCI UART function. In the demo I create a serial port function to interface with an on-board nios2 processor. With this design, low-end FPGA devs can start tinkering with PCI ! github.com/defparam/PCI2Nano…
1
5
26
I hate you with the fiery passion of a thousand burning suns, scorching every fiber of my being and leaving nothing but smoldering ashes in its wake
3
2
27
3,443
Give this man a 128-pack of redbull
Extracting sessionID from RXSS on redbull domain #BugBounty
2
24
Orange Tsai is a vuln finding robot 🤖
Originally, I was very depressed about the bug collision(the SSRF part in #ProxyLogon exploit) with bad APT groups☹️ So I decided to sit down and dig for a new one... Here it is!
1
2
24
It's a pleasure working with the @Zomato security team. @prateek_0490 and his team rocks. #togetherwehitharder
1
3
27
My alter ego from Security is #FPGA Architecture. My first patent as .@IntelFPGA was approved! This an architecture that allows for OpenCL kernels on one FPGA to communicate to OpenCL kernels on other FPGAs directly over network to scale on a common workload. #iamintel
1
1
26
Also shout outs to @paypal security, @Grabsg security and @Zomato security who have in the past provided bonuses for descriptive write-ups, fast communication and availability for re-test
2
2
27
What do you get when you combine Turbo Intruder and Burp Collaborator? Turbo Collaborator! Look mom, it auto-binds ping backs to the requests that cause them. Inject those collab urls everywhere Worked on some weird TI scripts last night..
2
3
26
Having the capability of asking "dumb questions" in a vast dataset of a burp project is basically the start of any interesting research. I can see why this is a powerful tool
Wrote a bamda to detect HTTP responses containing a space in the header name... not sure what we were expecting to find but it definitely worked return requestResponse.response().headers().stream().anyMatch(e -> e.name().contains(" "));
1
3
24
4,994
Look at the timeline comparisons between reporting Zenbleed on AMD to reporting Downfall on Intel 💀
1
3
24
22,566
Whispers v0.1 - A conceptual websec tool PoC - About ~450 lines of python + IMGUI bindings I wrote over the weekend. Works on Linux/Win. Perhaps the beginnings of a nice visual open source websec tool. I'm thinking of leveraging MITMProxy for web analysis #bugbounty
4
24
Yay, I was awarded my first 5 figure bounty on @Hacker0x01! And with that I officially paid off my wedding+more since starting bug hunting 4 months ago. Many thanks to H1! hackerone.com/defparam #TogetherWeHitHarder
One of the difficult things I find as a #bugbounty hunter is finding a severe bug with an awesome bug chain and not talking about it until disclosure. First recon day back after a long holiday break, pulled on a thread I noted in Nov., found a crit 😅 (yep, request smuggling)
1
2
26