↳
In-reply-to
»
PSA:
⤋ Read More
setpriv on Linux supports Landlock.
Another example:
$ setpriv \
--landlock-access fs \
--landlock-rule path-beneath:execute,read-file:/bin/ls-static \
--landlock-rule path-beneath:read-dir:/tmp \
/bin/ls-static /tmp/tmp/xorg.atom
The first argument --landlock-access fs says that nothing is allowed.
--landlock-rule path-beneath:execute,read-file:/bin/ls-static says that reading and executing that file is allowed. It’s a statically linked ls program (not GNU ls).
--landlock-rule path-beneath:read-dir:/tmp says that reading the /tmp directory and everything below it is allowed.
The output of the ls-static program is this line:
─rw─r──r────x 3000 200 07-12 09:19 22'491 │ /tmp/tmp/xorg.atom
It was able to read the directory, see the file, do stat() on it and everything, the little x indicates that getting xattrs also worked.
3000 and 200 are user name and group name – they are shown as numeric, because the program does not have access to /etc/passwd and /etc/group.
Adding --landlock-rule path-beneath:read-file:/etc/passwd, for example, allows resolving users and yields this:
─rw─r──r────x cathy 200 07-12 09:19 22'491 │ /tmp/tmp/xorg.atom
↳
In-reply-to
»
This aggressive auto-logout on my bank’s website …
⤋ Read More
@movq@www.uninformativ.de Yeah, it’s a shitshow. MS overconfirms all my prejudices constantly.
Ignoring e-mail after lunch works great, though. :-)
Our timetracking is offline for over a week because of reasons. The responsible bunglers are falling by the skin of their teeth: https://lyse.isobeef.org/tmp/timetracking.png
- The error message neither includes the timeframe nor a link to an announcement article.
- The HTML page needs to download JS in order to display the fucking error message.
- Proper HTTP status codes are clearly only for big losers.
- Despite being down, heaps of resources are still fetched.
I find it really fascinating how one can screw up on so many levels. This is developed inhouse, I’m just so glad that we’re not a software engineering company. Oh wait. How embarrassing.
we should bring back XFN that is the cutest shit in the world i want to link to my friends and have the internet know they are my friends through the markup!!!!!!!!!!!
↳
In-reply-to
»
Just discovered how easy it is to recall my last arg in shell and my brain went 🤯 How come I've never learned about this before!? I wonder how many other QOL shortcuts I'm missing on 🥲
⤋ Read More
@prologic@twtxt.net no, good man. Follow the link, follow eet! :-)
↳
In-reply-to
»
REBORN LIKE A PHOENIX WING ❤️🔥 👼 https://www.youtube.com/watch?v=D-w2HwG18vg
⤋ Read More
@kat@yarn.girlonthemoon.xyz i linked the normal length edit instead of the full 15 minute music video because i’m not gonna subject you all to that amount of my bullshit
(…15 minute version is a great watch though)
↳
In-reply-to
»
@bender Both Gopher and Mastodon are a way for me to “babble”. 😅 I basically shut down Gopher in favor of Mastodon/Fedi last year. But the Fediverse doesn’t really work for me. It’s too focused on people (I prefer topics) and I dislike the addictive nature of likes and boosts (I’m not disciplined enough to ignore them). Self-hosting some Fedi thing is also out of the question (the minimalistic daemons don’t really support following hashtags, which is a must-have for me).
⤋ Read More
@bender@twtxt.net Yeah, well, it’s a bit like twtxt. There is a Gopher community, but it’s small. I actually don’t like that HTTP is so easily accessible. I don’t like it that much when people post links to my site on HackerNews or something like that. Too much exposure.
Gopher is a small world. It’s slow and cozy.
And much like twtxt, the protocol is simple®, so it’s easier to tinker with it.
Passing of Jean-Raymond Abrial
Jean-Raymond Abrial, father (in particular!) of the Z notation, but also of the B method, and then Event-B, passed away on May 26. I was surprised to see that this piece of news, which may be of some interest to formal method folks, doesn’t seem to be very well known (there’s not much material on the web).
Here are some links (on LinkedIn, sorry):
[by Bertrand Meyer](https://www.linkedin.com/posts/bertrandmeyer_i-am-saddened-to-report-from-todays-print-activity-7335684948974034944-SJf1? … ⌘ Read more
GraphQL Gatecrash: When an Introspection Query Opened the Whole Backend ️
Free Link 🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/graphql-gatecrash-when-an-intro … ⌘ Read more
Radeon Software For Linux Dropping AMD’s Proprietary OpenGL/Vulkan Drivers
Direct link to upstream release notes.
How a Welcome Email Can Be Used for Malicious Redirection
Free Article Link: Click for free!
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-a-welcome-email-can-be-used-for-malicious-redirection-fd833ec71550? … ⌘ Read more
**☠️ CORS of Destruction: How Misconfigured Origins Let Me Read Everything **
Free Link 🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/%EF%B8%8F-cors-of-destruction-how-m … ⌘ Read more
↳
In-reply-to
»
When I chose the MIT license for all of my software, I thought:
⤋ Read More
@lyse@lyse.isobeef.org I cannot / could not imagine that, either – but if it’s publicly available on the internet and something links to it, they’ll eventually find, scrape it, use it. ☹️
Exploiting the Gaps in Password Reset Verification
Free Article Link: Click for free!
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/exploiting-the-gaps-in-password-reset-verification-9bb86ec95d29?source=rss—-7b722bfd1b8d– … ⌘ Read more
Bug Bounty from Scratch | Everything You Need to Know About Bug Bounty
📌Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bug-bounty-from-scratch-everything-you-need-to-know … ⌘ Read more
A Hidden Backdoor: Bypassing reCAPTCHA on the Sign-up Page
Free Article Link: Click for free!
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/a-hidden-backdoor-bypassing-recaptcha-on-the-sign-up-page-2b5b3c18257f … ⌘ Read more
** Cache Me If You Can: How I Poisoned the CDN and Hijacked User Sessions**
Free Link 🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/cache-me-if-you-can-how-i-poisoned-the-cdn-and-hijacked … ⌘ Read more
Leaking in Plain Sight: How Short Links Expose Sensitive Data ⌘ Read more
hey @prologic@twtxt.net heads up - my pod is suddenly having weird 400 bad request errors on things like posting twts, new user registration, following, and more. it’s not just me because a friend is also having these issues as a new user and can’t post. i saw one exception in the logs but i’m not sure if it’s related, i’ll link it in a reply to this
I Tried 10 Recon Tools for 7 Days — Here’s What Actually Found Bugs
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/i-tried-10-recon-tools-for-7-days-heres-what-actually-found-bug … ⌘ Read more
$750 Bounty: for HTTP Reset Password Link in Mattermost
How an Unsecured Protocol in a Critical Workflow Opened the Door for Network-Based Account Takeovers
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/750-bounty-for … ⌘ Read more
↳
In-reply-to
»
My website is compatible with many old browsers, but Internet Explorer 3, uhm, not so much.
⤋ Read More
@movq@www.uninformativ.de yes, I think:
<!--[if !IE]><!-->
<link rel="stylesheet" href="../simplicity.css”>
<!--<![endif]-->
Should work, but I haven’t tested it.
Find Secrets in Hidden Directories Using Fuzzing ️
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/find-secrets-in-hidden-directories-using-fuzzing-%EF%B8%8F-1666d6f34fd8?source=rss—-7b722bfd1b8d- … ⌘ Read more
I Gave Myself 60 Minutes to Find a Bug — This Is What Happened
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/i-gave-myself-60-minutes-to-find-a-bug-this-is-what-happened-e5fa76563a33?so … ⌘ Read more
How to install Windows NT 4 Server on Proxmox
Windows NT 4 doesn’t virtualise well. This guide shows how to do it with Proxmox with a minimal amount of pain. ↫ Chris Jones Nothing to add, other than I love the linked website’s design. ⌘ Read more
️My Top 7 Mistakes as a New Bug Hunter (And How to Avoid Them)
Free Article Link only for you
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/%EF%B8%8Fmy-top-7-mistakes-as-a-new-bug-hunter- … ⌘ Read more
Exploiting Unsanitized URL Handling & SQL Injection via Deep Links in iOS App: Write-up of Flipcoin ⌘ Read more
↳
In-reply-to
»
I'm sending out my first newsletter later today. Sign up at https://darch.dk/newsletter if you want it fresh of the press 💌
⤋ Read More
@prologic@twtxt.net it says in the linked page;)
** They Missed This One Tiny Parameter — I Made $500 Instantly**
✨Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/they-missed-this-one-tiny-parameter-i-made-500-instantly-f2f7d1c1c1d9?source=rss—-7 … ⌘ Read more
I Broke Rate Limits and Accessed 1000+ User Records — Responsibly
👉Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/i-broke-rate-limits-and-accessed-1000-user-records-responsibly-8c45f … ⌘ Read more
The Most Dangerous Bug I’ve Ever Found (And No One Was Looking)
👉Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/the-most-dangerous-bug-ive-ever-found-and-no-one-was-looking-2e96e5079a01? … ⌘ Read more
**Token of Misfortune: How a Refresh Token Leak Let Me Regenerate Unlimited Sessions **
Free Link 🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/token-of-misfortune … ⌘ Read more
0 to First Bug: What I’d Do Differently If I Started Bug Bounty Today
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/0-to-first-bug-what-id-do-differently-if-i-started-bug … ⌘ Read more
Part-2️♂️Bug Bounty Secrets They Don’t Tell You: Tricks From 100+ Reported Bugs
✨Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwri … ⌘ Read more
☕Best Tool for Analyzing Java Files (90% of Hackers Don’t Know This)
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/best-tool-for-analyzing-java-files-90-of-hackers-dont-know-this- … ⌘ Read more
↳
In-reply-to
»
OH MY FUCKING GOD I'M GOING TO CRY I NEED BIG TUX SO BAD https://www.steiner-plueschshop.de/kuscheltiere/arktis-seetiere/pinguin-linux/
⤋ Read More
@kat@yarn.girlonthemoon.xyz I FOUND ANOTHER ONE OF THESE TUX GUYS FROM THIS SAME SHOP ON EBAY, IT’S NOT THE SAME ONE I LINKED BUT I MADE AN OFFER, EVERYONE PRAY FOR ME I WANT A TUX ARMY
** JWT Exploitation: How I Forged Tokens and Took Over Accounts**
🔐Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/jwt-exploitation-how-i-forged-tokens-and-took-over-accounts-2e7ab1cf4df8?sour … ⌘ Read more
How I Found a Way to Prolong Password Reset Code Expiry
Free Article Link: Click for free!
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-i-found-a-way-to-prolong-password-reset-code-expiry-6214391023de?source=rss—-7b7 … ⌘ Read more
How I Deleted Any User’s Account— No Interaction Needed
Free Article Link: Click for free!
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-i-deleted-any-users-account-no-interaction-needed-faae0442ff4f?source=rss—-7b722bfd1 … ⌘ Read more
↳
In-reply-to
»
made the HTML for one of my static handwritten sites semantic!
⤋ Read More
@eldersnake@we.loveprivacy.club awww ty! it’s mostly fun stuff and links to my friends :) the buttons have been revived by indie web folks and the people at neocities, it’s super fun!