I'm excited to share that I recently found a XSS in Quasar Framework. The CVE-2025-43954 has just been published to document this security issue.
You can learn more about it here:
- github.com/advisories/G...
You might have noticed that the recent SAML writeups omit some crucial details. In "SAML roulette: the hacker always wins", we share everything you need to know for a complete unauthenticated exploit on ruby-saml, using GitLab as a case-study.
portswigger.net/research/sam...
I’ve updated the bug bounty & content creators starter pack with classic research group @hackerschoice.bsky.social! Let me know if you’re not on this list and would like to be added.
go.bsky.app/GD7hKPX
Thanks for your all your votes! The public vote is now closed, and we're kicking off the panel vote with fifteen quality nominations. In the meantime we just published a new technique ourselves - check it out here:
24 hours remaining until voting closes on the Top 10 (new) Web Hacking Techniques of 2024! If you haven't already voted now's the time to do it.
portswigger.net/polls/top-10...
Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...
I've pushed some updates to Dom-Explorer:
- Allow multiple pipeline embed
- Short links for sharing/sync
- Support for DomPurify triggers
- User settings
Give it a try and share your findings!
yeswehack.github.io/Dom-Explorer
Last part/EP with @aethlios.bsky.social & @penthium2.bsky.social 😘
www.youtube.com/watch?v=UeOS...
youtu.be/67DIr_OmXVk
cc @penthium2.bsky.social @aethlios.bsky.social 🌹
A younger me, as a pentester and bug hunter, had exactly the bias described in this article 🤫
Luckily, I later worked with and for "the other side" and it changed my mind 🤯
I hope young people reading it will avoid taking years to understand the complexities of fixing bugs in a timely manner 🤞
www.youtube.com/watch?v=adf3...
with @aethlios.bsky.social & @penthium2.bsky.social 💝
Yo ! 🧙♂️
Prochain stream demain -mardi 10 Dec- à 21h !
Au programme ? We Deep Dive ! 🧐
- Reset-tolkien par @AethliosIK (X) 🗝️
- Portainer & UID remap par @penthium2 (X) 🐳
www.twitch.tv/thelaluka
I feel like this post has wasted my time, but at least now I think my boiled eggs will be cooked to the second (I hope 🫠).
Bonjour,
Bienvenue dans ce live-skeet du procès de Florent Curtet, ce trentenaire poursuivi pour des extorsions numériques, jugé en cette fin de mois à Paris par le tribunal judiciaire.
A really comprehensive resource on CORS attacks. I'm going to rework my course slides based on this research, thank you for your contribution!
Custom lists are super cool! I enjoy reading social posts, but want to make sure I never miss a quality writeup or technique. To achieve this, I'm building a 'high signal web security' list of topic-focused accounts, which you can pin next to 'Following' if you want :)
bsky.app/profile/jame...
I'm glad to see so many people switching over to Bluesky and following me!
Take the time to discover my open source tool on sandwich attacks :
👉 github.com/AethliosIK/r...
In case you're a professional Burp Suite user, there's a few seats left for the Q1 2025 training sessions
hackademy.agarri.fr/2025
Any bug bounty people around? I'm creating a starter pack of people to follow but it's pretty brief currently! Let me know if you'd like to be added: go.bsky.app/GD7hKPX
My second article on time-based secrets has just been published! 🚀
I explore a new usecase of the sandwich attack to set up a scenario for real-time monitoring of web application invitations.
- English version: aeth.cc/public/Artic...
- French version: aeth.cc/public/Artic...
Reset Tolkien
Following #bugbounty findings, I started focusing my research on time-based secrets. This research began for me a year ago, and enabled me to take the time to implement my open source tool: “Reset Tolkien”. 🚀
I've written an article detailing my research :
- 🇬🇧 EN : www.aeth.cc/public/Artic...
