RT Porchetta Industries: We're excited to welcome @PythonResponder to Porchetta Industries! With our powers combined we will change the (broken) statu...

We've added a new APT sample to the vx-underground APT sample collection. You can download BlackTech APTs FreeBSD malware TSCookie here:  You can brow...

RT Katie Paxton-Fear: New video! 🚨 This week I show you how to use Kiterunner to make API recon a BREEZE! This nifty API tool ended up straight in ...

RT Jûrgen Schouppe @Inheriti.com @safekeyU2F: Everything is ready to start next week our 2y bounty program on @intigriti, Europe #1 hackers bounty pr...

90 年代，埃隆·马斯克曾在一家游戏公司写 C++。这家游戏公司叫 Rocket Science Games。冥冥之中，自有定数。

Hoisting-based JS Injection '-alert(1); var myObj='

RT KNOXSS: Our new website is coming and with it, our very first informative video! 😀 If you didn't subscribe yet, please do it in the link below. ...

P0 的 lucky day

AzureC2Relay - An Azure Function That Validates And Relays Cobalt Strike Beacon Traffic By Verifying The Incomi...

Adfsbrute - A Script To Test Credentials Against Active Directory Federation Services (ADFS), Allowing Password Spraying Or Bruteforce Attacks

RT Rajvardhan Agarwal: Just here to drop a chrome 0day. Yes you read that right.

Are you only testing for client-side XSS? Or still using traditional bruteforce for content discovery? If yes, you really need to check out this week'...

GitHub上看到某位大佬整理的POC wiki，非常严谨，目前已经超过800的star。用FOFA做的资产采集，用Goby做的exp。我感觉到我们做的事情还是有一些价值的。 大家可以去围观： 网页链接

RT Grzegorz Tworek: Did they tell you "no one will know your password if you do not type it"? They lied. Winlogon.exe will know it anyway. 😈

Re @hakluke @securitytrails 💙

Re @hacktivist1337 Thanks for sharing your feedback! Glad to hear that your issue is resolved. :)

Re @hacktivist1337 Thank you! We will take a look when we receive it

Re @hacktivist1337 It looks like you are sending a request with HTTP/2 in the request line via HTTP/1 (as you originally generated it with HTTP/2 on)....

“杀鸡焉用牛刀”出自《论语》。而且原文不是“杀鸡”，是“割鸡”。

项思醒们你们太过分了，白手起家的爱情你们怎忍心亵渎。请不要再欺骗和你们一起打拼的创业伙伴了，哪怕你们是去骗一个陌生人呢，世上也会少一个为爱伤心的人。杭州的陌生人还不好找么......我和你们又不熟

Re @hacktivist1337 Thanks a lot for reporting this! Can you please share diagnostics (Help > Diagnostics) and screenshots with support@portswigger.net...

征题倒计时！2021 KCTF 春季赛 等你来挑战！征题倒计时！2021 KCTF 春季赛 等你来挑战！一、活动时间2021年3月1日 ～ 5月09日（防守方题目准备阶段）2021年5月10日 ～ 待定（根据攻击方比赛而定）二、活动地点看雪CTF 官方网站：网页链接2021 KCTF 比赛页面：网页链接

如何识别糖衣炮弹？高级对抗技术教你通杀恶意程序如何识别糖衣炮弹？高级对抗技术教你通杀恶意程序恶意程序让很多人感到头疼，尽管安全专家们建议我们谨慎在第三方平台下载软件，可事实是并不只有第三方平台存在恶意程序，即使像Apple Store、Google Play这样的官方应用也照样被恶意程序闯入。 它们窃取你的隐私、诱导你去付 ...全文

微软补丁星期二：修复108个漏洞，含5个0day微软补丁星期二：修复108个漏洞，含5个0day昨天微软迎来2021年度第四个“补丁星期二”，本次更新微软一共修复了108个漏洞，19个标记为“关键漏洞”，89个标记为“重要漏洞”，不包含本月初发布的6个 Chromium Edge 漏洞。覆盖Windows操作系统、Exchange Server、Azure、Office等 ...全文

A64dbg尝鲜——实战某加固so CrackMeA64dbg尝鲜——实战某加固so CrackMe本文为看雪论坛优秀文章看雪论坛作者ID：0x指纹 前言1. Q&AQ1：为什么写这篇文章？ A：因为一方面，目前还没有使用A64dbg工具进行实战并附有详细分析和使用的文章，此文算是新品开箱的尝鲜文章，分享给各位看雪用户。另一方面，作为 ...全文

#网络安全#  #AI# 这种情况下如何鉴别真伪？

牛啊牛啊

Re @kajer533 @thedarktangent We heard that loud and clear least year, no worries this time around.

Re @int0x21h Automatic API is enabled by default when you perform a new Crawl and Audit scan, so you won't need to change any details if your API meet...

Re @bitquark You can URL-encode single highlighted characters by configuring a hotkey for 'Editor: URL-encode all characters'. Have you tried this? Ca...

#特斯拉model3# #网络安全# 有研究人员公开了特斯拉 Model 3 车载大屏浏览器漏洞利用过程～  CVE-2020-6418   网页链接

网页链接 更新完毕[呲牙] 继续看看gg致谢榜 这个应该就是p2o的漏洞 而且有“泄露”到野外利用[愉快] 相比漏洞我更加喜欢漏洞背后的故事

alert(10) is the new alert(9)

我希望跟我讨论问题的人，是一群有着使命感的，具有最高技术要求和产品要求的人。妥协那是商务去做的事情，技术人员和产品人员不能降低质量和品味标准，时刻都要有激情。两句话就把我拉回到“客户要……”的对话，我就推给我们的其他合伙人。客户的需求当然是第一位的，我更想做出超出预期的东西。

alert(7) is the new alert(6)

RT hakluke: Surface browser is so good that I've ditched most of my recon automation and just replaced it with this. @securitytrails & I have teamed u...

前面在朋友圈说过：“致谢是一个重要的信息来源”，这里当然包括有技术方向的观察，比如某些大佬研究方向、漏洞攻击面等，当然也报告一些可以yy的8挂信息，比如通过MS致谢搜索ExChange：网页链接 当然很多8挂的东西往往只能意会，不可说 ：）

日本人搞伪科学养生是有一套的。国内很多此类玩意儿都是日本人先鼓捣出来的。氢在日语里叫“水素”。日本人就搞过一个东西叫“水素水”。传到国内后有些还叫水素水，有些改叫“富氢水”。氚在日语里叫“三重水素”。那么搞出“水素水”的小机灵鬼们，如果哪天再搞个“三重水素水”我也不会意外。

对于手机来说，覆写是比较可行的做法。关于销毁硬盘，可参考希捷给出的建议  网页链接    查看图片   查看图片 //@涂山鸿水: 固态硬盘数据存储方式和机械硬盘完全不一样，要完全删除（覆盖）特别难，因为ssd的寿命就是写入次数，理论上大多数仅仅标注清空的文件都能恢复//@GeekPwn:

#信息安全# #隐私保护# 加强监管……

RT CVE-COVID-19: If you can't handle me at my @defcon, you don't deserve me at my wfh

中出了一个叛徒

一个高级知识分子教育出来的子女，也都是受过高等教育，连相册和日记都不要了，还被人拿走了毛选，我怎么这么难受。培养子女出国就干这事？//@tombkeeper:所以要发微博。微博是我们的魂器。

Re @landaire It might be related, although it's not the same code. That would be changes in the SAMR protocol most likely. I had a hard enough time fi...

I've opened CVE-2021-27086

RT DC858 / DC619 (San Diego): ** WEDNESDAY April 14th 7-9 PM ** DEFCON 619/858 (San Diego) Meeting - "Demystifying Hardware Implants - Exploiting UART...

RT DC010: Fellow @defcongroups We want to hear from you！Because of Covid-19, we are going to do a online meetup to conduct some casual conversations,...

RT hakluke: Surface browser is so good that I've ditched most of my recon automation and just replaced it with this. @securitytrails & I have teamed u...

其实不用设计新的，可以直接上氚普

回复@新poker付:即便魂器不在了，粉丝里的食死徒们也各自携带了一部分灵魂碎片。//@新poker付:那也得微博不倒闭才行吧//@tombkeeper:所以要发微博。微博是我们的魂器。

RT hakluke: Surface browser is so good that I've ditched most of my recon automation and just replaced it with this. @securitytrails & I have teamed u...

Windows: SCM Remote Access Check Limit Bypass EoP

#分享# 为什么getpwnam(daemon)失败

Reverse Engineering, Debugging and Malware Analysis - 2021 Free for 2 days Code REVERSEFREE

Gotestwaf - Go Test WAF Is A Tool To Test Your WAF Detection Capabilities Against Different Types Of Attacks An...

Traitor - Automatic Linux Privesc Via Exploitation Of Low-Hanging Fruit E.G. GTFOBin

Re @irsdl Sadly not, yet... TBH I think all the good bugs have now been fixed ;-)

RT Nasko Oskov: A new blog post from Chromium folks on heap allocator work -

好看！有趣的是Disco在中国也一样同“反叛” “解放天性”有关——大概那个时代不会回来了。这么一看，Disco还真是一种快乐自由的音乐，YMCA！

When is the last time you saw malware for FreeBSD?

Re @HackingLZ @Flangvik Sneaky bastards

KNR-XSS-Payloads:- Almost all XSS Payloads. "XSS All" file contain all the XSS Payloads.

Re @buherator I'll open CVE-2021-27086 later today, just want to check how it got fixed. It is potentially interesting for red-teamers :-)

Re @buherator @guhe120 For which bugs?

Yuki Chen @guhe120 on fire this month with RPC bugs. You love to see it :-) Also some Exchange things, I'm sure that's not that important...

RT PT SWARM: New article "From 0 to RCE: Cockpit CMS" by our researcher Nikita Petrov. The story of discovering an unauth NoSQL injection and abusing ...

RT RiotSecurityTeam:  Re @Offxec is an official RiotSecurityTeam member for this announcement we decided to host a giveaway. #tryhackme @brutelogic @t...

We've added some incredibly rare zines to the vx-underground zine collection. - rRlf Issue #8, best of edition View it here:  - rRlf, EOF, DOOMRiderz ...

The April security updates available! Visit

转发微博

原来是这么个逻辑呀 （如果消息都是真的）#福岛渔业界强烈反对核废水入海#（网页链接）#美国支持日本福岛污水入海决定#（网页链接）#美国加州常年倾倒有毒废物入海#（网页链接）

所以要发微博。微博是我们的魂器。

So good discussion that he gave me the next blog post idea! Thank you!

Re @spencer_5cent @HacksInTaiwan 我也喜歡蛋餅XD

Re @spencer_5cent Welcome to @HacksInTaiwan conference this August :)

新消息说是光缆故障 查看图片

RT Kartik Sharma: Hands down, @brutelogic/@rodoassis is a Beast when it comes to XSS! He is one of the most humble guys I have met in the infosec comm...

Re @0xkasper Awesome! Enjoy!

👷 Makers need breakers! Intergamma, Benelux' biggest DIY retail group has just launched their #BugBounty program. Pays up to €2,000. Start hacking...

SNOWCRASH - A Polyglot Payload Generator

Ronin - A Ruby Platform For Vulnerability Research And Exploit Development

RT Responder: Responder 3.0.4.0 is out! DNS SRV Records for LDAP/Kerberos, cldap ping (netlogon), etc :) Thanks to all who sponsors Responder and make...

RT Akash Hamal: HOW TO LEARN XSS ? 1. @brutelogic's  blog as it covers almost all content, bypasses,about CSP etc related to xss and you can also bypa...

RT ProjectDiscovery.io: Did you know?  You can pull subdomains using PTR records for a given list of IPs / CIDRs using 𝗗𝗡𝗦𝗫 𝘤𝘢𝘵 ...

Re @int0x21h If you're interested in scanning APIs you might find this blog post useful,

Re @int0x21h The documentation we produce ourselves is online only as it can quickly become outdated, we're also planning a refresh for our support ce...

很好奇为什么打车和和外卖这种平台软件会采用大数据杀熟这种手段赚灰钱呢？通过大数据分析，不给杀熟的目标人群发代金券，而其余的人群发代金券是不是好点。感觉这样挑不出啥毛病吧，问就是随机做活动？

Re Black or Dark Blue❓

yo 1337, pick the one you like for  Black or Dark Blue❓ (poll attached as reply to this tweet)

当时没看，回头找来看一下。更早还有一部《中国神火》，好像是这个名字，类似题材。

看到社区产生的贡献，超级超级开心，我们的能力和精力毕竟有限，无论是插件还是主题（有两个审美真的特别好），大家愿意一起玩我们就有信心了。有想抽“Goby红队专版”的冲动。

Re @daviey Which version of Burp are you currently using?

Re @tiersigma For adding extensions, have you taken a look at the early adopter releases?

Android 更新服务器遭黑客攻击 ，德产手机被安装恶意软件Android 更新服务器遭黑客攻击 ，德产手机被安装恶意软件随着软件产业的发展，软件的供应链也愈发复杂，对于整体安全保护的难度不断变大，近几年针对软件供应链的攻击事件频频发生。最近，一场新的软件供应链攻击瞄准了一家德国手机厂商。近日，德国手机制造商 Gigaset 透露其 ...全文

深度揭密高通4/5G移动基带消息系统和状态机深度揭密高通4/5G移动基带消息系统和状态机本文为看雪论坛精华文章看雪论坛作者ID：vessial(xee) 背景本文通过对高通的4/5G移动基带系统进行深入逆向工程提示其内部消息通信机制以及核心架构设计逻辑。本文的研究基于高通的4G基带MDM9707以及5G基带模块sdx55的固件，高通 ...全文

#湖南电信回应网络瘫痪##湖南电信网络瘫痪系遭黑客攻击##湖南电信网络崩了#  现阶段这样规模的境外DDoS攻击，究竟有没有可能？原因是什么？

Re @DanShaqFu lol sure 😉

Re @funoverip Thanks for the feedback! :)

Re @intigriti Yeah! Won't last long though with these differences! :) @jackds1986 @iqimpz

网页链接 攻击Tesla Model 3上的大屏浏览器，不错的浏览器入门实战文章