Spiders are the only web developers that enjoy finding bugs.
↳
In-reply-to
»
Twtxt as a network is so neat. Sucks it isn't more widely adopted ): I feel like it'd be way easier to host than say, mastodon or GTS. & would require WAYYYY less resources. Not a diss on GTS, I love GTS , just saying because it's text files, I assume the minimum amount of ram needed to host any of the twtxt server software is very low.
⤋ Read More
@lyse@lyse.isobeef.org you will have to agree, though, that Yarn has contributed to make it possible to mass adopt (with its many glitches, bugs, and all) because, still, the web is king.
@twtxt.net@twtxt.net HI KIWU YOUR PROFILE’S A BIT BUGGED ON OUR END BUT IT’S OK IT’LL FIX ITSELF
Thinking about doing “Wayland Wednesday”. Only use Wayland every Wednesday. Collect bugs, report bugs, fix bugs.
↳
In-reply-to
»
QEMU on Wayland unusable, because it can’t grab the mouse … I’ll add it to my TODO list and investigate/report it eventually.
⤋ Read More
… which is probably a GTK bug.
Just realized: One of the reasons why I don’t like “flat UIs” is that they look broken to me. Like the program has a bug, missing pixmaps or whatever.
Take this for example:
https://movq.de/v/8822afccf0/a.png
I’m talking about this area specifically:
https://movq.de/v/8822afccf0/a%2Dhigh.png
One UI element ends and the other one begins – no “transition” between them.
The style of old UIs like these two is deeply ingrained into my brain:
https://movq.de/v/8822afccf0/b.png
https://movq.de/v/8822afccf0/c.png
When all these little elements (borders, handles, even just simple lines, …) are no longer present, then the program looks buggy and broken to me. And I’m not sure if I’ll ever be able to un-learn that.
Saw this on Mastodon:
https://racingbunny.com/@mookie/114718466149264471
18 rules of Software Engineering
- You will regret complexity when on-call
- Stop falling in love with your own code
- Everything is a trade-off. There’s no “best” 3. Every line of code you write is a liability 4. Document your decisions and designs
- Everyone hates code they didn’t write
- Don’t use unnecessary dependencies
- Coding standards prevent arguments
- Write meaningful commit messages
- Don’t ever stop learning new things
- Code reviews spread knowledge
- Always build for maintainability
- Ask for help when you’re stuck
- Fix root causes, not symptoms
- Software is never completed
- Estimates are not promises
- Ship early, iterate often
- Keep. It. Simple.
Solid list, even though 14 is up for debate in my opinion: Software can be completed. You have a use case / problem, you solve that problem, done. Your software is completed now. There might still be bugs and they should be fixed – but this doesn’t “add” to the program. Don’t use “software is never done” as an excuse to keep adding and adding stuff to your code.
OpenBSD has the wonderful pledge() and unveil() syscalls:
https://www.youtube.com/watch?v=bXO6nelFt-E
Not only are they super useful (the program itself can drop privileges – like, it can initialize itself, read some files, whatever, and then tell the kernel that it will never do anything like that again; if it does, e.g. by being exploited through a bug, it gets killed by the kernel), but they are also extremely easy to use.
Imagine a server program with a connected socket in file descriptor 0. Before reading any data from the client, the program can do this:
unveil("/var/www/whatever", "r");
unveil(NULL, NULL);
pledge("stdio rpath", NULL);
Done. It’s now limited to reading files from that directory, communicating with the existing socket, stuff like that. But it cannot ever read any other files or exec() into something else.
I can’t wait for the day when we have something like this on Linux. There have been some attempts, but it’s not that easy. And it’s certainly not mainstream, yet.
I need to have a closer look at Linux’s Landlock soon (“soon”), but this is considerably more complicated than pledge()/unveil():
↳
In-reply-to
»
So I was using this function in Rust:
⤋ Read More
@lyse@lyse.isobeef.org Rust is so different and, at the same time, so complex – it’s not far fetched to assume that I simply don’t understand what’s going on here. The docs appear to be clear, but alas … is it a bugs in the docs? Is it a lack of experience on my part? Who knows.
By the way, looks like there was a bit of a discussion regarding that name:
Hmmm 🧐 Not what I thought was going on… No bug…
time="2025-06-14T15:24:25Z" level=info msg="updating feeds for 8 users"
time="2025-06-14T15:24:25Z" level=info msg="skipping 0 inactive users"
time="2025-06-14T15:24:25Z" level=info msg="skipping 0 subscribed feeds"
time="2025-06-14T15:24:25Z" level=info msg="updating 80 sources (stale feeds)"
Cracking JWTs: A Bug Bounty Hunting Guide [Part 6] ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 5] ⌘ Read more
$1,000 Bug: Firefox Account Deletion Without 2FA or Authorization
How a Missing Backend Check Let Attackers Nuke Accounts With Just a Password
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/1-000-bu … ⌘ Read more
How can one write blazing fast yet useful compilers (for lazy pure functional languages)?
I’ve decided enough is enough and I want to write my own compiler (seems I caught a bug and lobste.rs is definitely not discouraging it). The language I have in mind is a basic (lazy?) statically-typed pure functional programming language with do notation and records (i.e. mostly Haskell-lite).
I have other ideas I’d like to explore as well, but mainly, I want the compiler to be so fast (w/ optimisations) that … ⌘ Read more
$7,500 Bug: Exposing Any HackerOne User’s Email via Private Program Invite
How One GraphQL Query Turned Private Invites into Public Data Leaks
[Continue reading on InfoSec Write-ups »](https://infosecwrite … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 4] ⌘ Read more
Top File Read Bug POCs that made $20000
Learning & Methodology to find File Read from top 5 POCs by Elite hackers
404 to $4,000: Exposed .git, .env, and Hidden Dev Files via Predictable Paths”
How Bug Bounty Hunters Can Turn Common 404s Into Critical Information Disclosure Bounties
[Continue reading on InfoSec Write-u … ⌘ Read more
**2. Setting Up the Ultimate Hacker’s Lab (Free Tools Only) **
“You don’t need a fortune to break into bug bounty. You just need the right mindset — and the right setup.”
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/2-se … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 3] ⌘ Read more
GNOME OS ready for more extensive testing
While it’s still early days and it’s not recommended for non-technical audiences, GNOME OS is now ready for developers and early adopters who know how to deal with occasional bugs (and importantly, file those bugs when they occur). ↫ Tobias Bernard This is great news, and means GNOME OS is progressing nicely. I’m a proponent of this and KDE’s equivalent project, because it allows the people working on GNOME and KDE to really showcase their work in … ⌘ Read more
$540 Bounty: How a Misconfigured Warning Endpoint in Apache Airflow Exposed DAG Secrets
CVE-2023–42780: An Improper Access Control Bug That Let Low-Privileged Users View DAG Impo … ⌘ Read more
Bug Bounty from Scratch | Everything You Need to Know About Bug Bounty
📌Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bug-bounty-from-scratch-everything-you-need-to-know … ⌘ Read more
Bypassing Regex Validations to Achieve RCE: A Wild Bug Story
Free Article Lin
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bypassing-regex-validations-to-achieve-rce-a-wild-bug-story-6476faccbc23?source=r … ⌘ Read more
GitHub Recon: The Underrated Technique to Discover High-Impact Leaks in Bug Bounty
Master the Art of Finding API Keys, Credentials and Sensitive Data in Public Repositories
[Continue re … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 1] ⌘ Read more
I Tried 10 Recon Tools for 7 Days — Here’s What Actually Found Bugs
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/i-tried-10-recon-tools-for-7-days-heres-what-actually-found-bug … ⌘ Read more
↳
In-reply-to
»
@prologic Mosaic (2.7) works fine, I maintain that package in the AUR and test my website regularly. 😅
⤋ Read More
@bender@twtxt.net Not sure if you’re serious or joking, but: IE3 introduced support for CSS, Mosaic completely ignores it. 😅 Besides, it looks fine in IE3 now as well, after I fixed my CSS bug. 🤪
↳
In-reply-to
»
My website is compatible with many old browsers, but Internet Explorer 3, uhm, not so much.
⤋ Read More
… but as it turned out, this was a bug in my CSS. It works now. 🥳
**One Endpoint to Rule Them All: How I Chained 3 Bugs into Full Account Takeover **
Hey there!😁
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/one-endpoint-to-rule-them-all-h … ⌘ Read more
Demystifying Cookies : The Complete Guide for Bug Bounty Hunters — Part 1
Everything you need to know about cookies to expand your attack surface and find real bugs.
[Continue reading on InfoSec Write-ups »](h … ⌘ Read more
The Ultimate Roadmap to Becoming a Bug Bounty Hunter ⌘ Read more
I Gave Myself 60 Minutes to Find a Bug — This Is What Happened
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/i-gave-myself-60-minutes-to-find-a-bug-this-is-what-happened-e5fa76563a33?so … ⌘ Read more
DietPi May 2025 Update Introduces Security Changes, Kernel Fixes, and Software Cleanups
The latest DietPi release (v9.13) focuses on improving security defaults, enhancing support for specific SBCs, and removing outdated software options. The update also brings kernel upgrades, interface refinements, and dozens of bug fixes for improved stability across platforms. DietPi: DietPi is a lightweight, Debian-based operating system optimized for single-board compu … ⌘ Read more
From Zero to $1000/Month | Bug Bounty Automation Blueprint
Proven Tactics, Tools, and Code to Automate Your Way to Consistent Bounties
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/from-zero-to-1000-month-bug-boun … ⌘ Read more
️My Top 7 Mistakes as a New Bug Hunter (And How to Avoid Them)
Free Article Link only for you
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/%EF%B8%8Fmy-top-7-mistakes-as-a-new-bug-hunter- … ⌘ Read more
Google’s “AI” is convinced Solaris uses systemd
Who doesn’t love a bug bounty program? Fix some bugs, get some money – you scratch my back, I pay you for it. The CycloneDX Rust (Cargo) Plugin decided to run one, funded by the Bug Resilience Program run by the Sovereign Tech Fund. That is, until “AI” killed it. We received almost entirely AI slop reports that are irrelevant to our tool. It’s a library and most reporters didn’t even bother to read the rules or even look at what the intend … ⌘ Read more
$1 Million Tax Payer Grant for “Gender Inclusive Open Source”
A cancelled grant, worth a million bucks, for Oregon State University to create “best practices for fixing gender-bias bugs”. ⌘ Read more
Mastering SQL Injection Recon: Step-by-Step Guide for Bug Bounty Hunters
A practical guide to uncovering SQL injection flaws using automation, payloads and deep reconnaissance techniques.
[Continue reading … ⌘ Read more
$20,000 Bounty: How a Leaked Session Cookie Led to Account Takeover on HackerOne
How one accidental copy-paste exposed sensitive data and what you can learn to find similar bugs
[Continue rea … ⌘ Read more
The Most Dangerous Bug I’ve Ever Found (And No One Was Looking)
👉Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/the-most-dangerous-bug-ive-ever-found-and-no-one-was-looking-2e96e5079a01? … ⌘ Read more
0 to First Bug: What I’d Do Differently If I Started Bug Bounty Today
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/0-to-first-bug-what-id-do-differently-if-i-started-bug … ⌘ Read more