How I Gained Root Access on a Vulnerable Web Server: From Reconnaissance to Privilege Escalation
Web Server Exploitation & Privilege Escalation - Full Walkthr … ⌘ Read more
M0SS-101 Synth with BL616 RISC-V Delivers Classic Controls in a Compact DIY Kit
The M0SS-101 is a compact virtual analog monosynth designed for hands-on subtractive synthesis. It features 42 editable parameters accessible through 26 buttons and a rotary encoder, with RGB LEDs providing visual feedback for signal flow and modulation. The synth includes dual oscillators, a multi-mode filter, envelope and LFO control, delay effects, and 17 preset slots […] ⌘ Read more
Accessibility on Linux sucks, but GNOME and KDE are making progress
Accessibility in the software world is a problem in general, but it’s an even bigger problem on open source desktops, as painfully highlighted by this excellent article detailing the utterly broken state of accessibility on Linux. Reading the article is soul-crushing as it starts to dawn on you just how bad the situation really is for those among us who require accessibility features, making it vir … ⌘ Read more
Touch Bar Not Working After MacOS Update? Troubleshooting Black Touch Bar on MacBook Pro
A fair number of MacBook Pro users with Touch Bar equipped Macs have discovered the Touch Bar stops working or goes black after installing a MacOS update. Given that the Touch Bar serves as the Function keys (F1, F2, F3, etc.), as well as toggles for adjusting brightness, system audio, and accessing many MacOS and … Read More ⌘ Read more
Our pledge to help improve the accessibility of open source software at scale
GitHub takes the Global Accessibility Awareness Day (GAAD) pledge.
The post Our pledge to help improve the accessibility of open source software at scale appeared first on The GitHub Blog. ⌘ Read more
1 RPM. This is a rather aggressive rate limit actually. This basically makes Github inaccessible and useless for basically anything unless you're logged in. You can basically kiss "perusing" casually and anonymously goodbye.
@prologic@twtxt.net that will not be a problem; as long as it doesn’t affect authenticated users it wouldn’t make a difference. But we are comparing apples and eggs here. I don’t access GitHub while unauthenticated, but I can see how others might. It comes across as anti-web in general.
@movq@www.uninformativ.de, “60 requests per hour”, eh? Was that a thing (that is, unauthenticated access to GitHub)?! I know I am in the minority, perhaps, as I rarely (or never) access GitHub unauthenticated.
Bug Chain: pre-auth takeover to permanent access. ⌘ Read more
SSRF via PDF Generator? Yes, and It Led to EC2 Metadata Access
👨💻Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/ssrf-via-pdf-generator-yes-and-it-led-to-ec2-metadata-access-39b8e5b41840 … ⌘ Read more
API Key Exposure in NASA GitHub Repository Leads to Unauthorized Access to Academic Data
🔓Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteu … ⌘ Read more
Raspberry Pi Connect Exits Beta with Version 2.5 Release
Raspberry Pi has officially ended the beta phase of Raspberry Pi Connect, its remote access platform for connecting to Raspberry Pi devices from anywhere. With the release of version 2.5, the service now includes major updates to connection management, significantly reducing data usage and improving responsiveness. Launched in early 2024, Raspberry Pi Connect quickly gained […] ⌘ Read more
SiFive and Kinara Partner to Launch USB-Based X280 RISC-V Vector Development Board
SiFive and Kinara have announced a new partnership to offer developers direct access to the SiFive Intelligence X280 RISC-V vector processor through a compact USB-based enablement board. The HiFive Xara X280 board, based on Kinara’s Ara-2 processor, is designed to allow early-stage evaluation and development of RISC-V vector software, particularly for AI and machine learning […] … ⌘ Read more
Design system annotations, part 2: Advanced methods of annotating components
How to build custom annotations for your design system components or use Figma’s Code Connect to help capture important accessibility details before development.
The post [Design system annotations, part 2: Advanced methods of annotating components](https://github.blog/engineering/user-experience/design-system-annotations-part-2-advanced-methods-of-annotating-component … ⌘ Read more
Design system annotations, part 1: How accessibility gets left out of components
The Accessibility Design team created a set of annotations to bridge the gaps that design systems alone can’t fix and proactively addresses accessibility issues within Primer components.
The post [Design system annotations, part 1: How accessibility gets left out of components](https://github.blog/engineering/user-experience/design-system-annotations-part-1-how … ⌘ Read more
UUIDs: A False Sense Of Security
Hi Hunters, would you like to learn about a broken access control vulnerability that I discovered recently for a client.
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/uuids-a-false-sense-of-security-10467497daae?source=rss—-7b7 … ⌘ Read more
$50,000 Bounty: GitHub Access Token
How a hidden token in a desktop app could have compromised one of the world’s biggest e-commerce platforms
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/50-000-bounty-github-access-token-c29cb6f00182?source=rss—-7b722bf … ⌘ Read more
HydraLink Offers Open USB-to-Automotive Ethernet Interface for Testing and Diagnostics
HydraLink is now available on CrowdSupply as a compact and open-source USB-to-Automotive Ethernet adapter intended for engineers, researchers, and others working with in-vehicle networks. It supports both 100BASE-T1 and 1000BASE-T1 over single-pair Ethernet, enabling direct access to automotive Ethernet without the need for media converters or additional lab equipment. Hy … ⌘ Read more
**IDOR Attacks Made Simple: How Hackers Access Unauthorized Data**
IDOR Attacks Made Simple: How Hackers Access Unauthorized Data 🔐
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/idor-attacks-made-simple-h … ⌘ Read more
How I Access The Deleted Files of Someone in Google Drive | Bug Bounty ⌘ Read more
**Path Traversal Attack: How I Accessed Admin Secrets**
Path Traversal Attack: How I Accessed Admin Secrets 📂
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/path-traversal-attack-how-i-accessed-admin-secrets-fa5de1865031?source … ⌘ Read more
Unrestricted Access to All User Information | REST API Oversharing ⌘ Read more
Steam to highlight accessibility support for games on store pages
The Steam store and desktop client will soon be able to help players find games that feature accessibility support. If your game has accessibility features, you can now enter that information in the Steamworks ‘edit store’ section for your app. ↫ Steam announcements page I have a lot of criticism for the Steam client application – it’s an overly complex, unattractive, buggy, slow, top-heavy Chrome engi … ⌘ Read more
Prepare your application landscape for zero trust with Keycloak 26.2
Strong identity and access management is a key component of a zero trust architecture for cloud native applications. Keycloak is well-known for its single-sign-on capabilities based on open standards. It provides you all the building blocks… ⌘ Read more
**404 to 0wnage: How a Broken Link Led Me to Admin Panel Access**
Hey there!😁
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/404-to-0wnage-how-a-broken-link-led-me-to-admin-panel-access-2b58e1fffaa3?source=r … ⌘ Read more
**HTTP Parameter Pollution: The Dirty Little Secret That Gave Me Full Backend Access**
Free Link🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.co … ⌘ Read more
good morning friends. i don’t know what i’m gonna do today. perhaps work on my patreon and login wall more personal sites behind authelia that i could offer access to via patreon tier
is it like… ethical to offer access to certain self hosted services as patreon exclusives. like i wanna offer the IRC client/bouncer i hosted which seems ok i think because i’ve seen pico.sh offer their instances of that as paid services. but the other ones i have in mind are alt web frontends for stuff like imgur and pinterest. and i just feel weird about it for some reason. idk i’m trying to think of ways to support my server stuff but every time i come up with something it feels weird
Banana Pi BPI-RV2 Gateway Board Integrates Siflower SF21H8898 RISC-V SoC
Banana Pi has introduced the BPI-RV2, an open-source gateway platform developed in collaboration with Siflower. The board is based on the SF21H8898 SoC, a quad-core RISC-V processor designed for industrial and enterprise networking applications such as routers, access points, and control gateways. The Siflower SF21H8898 is built using TSMC’s 12nm FFC process and integrates a […] ⌘ Read more
ActiveX disabled by default in Microsoft 365
ActiveX is a powerful technology that enables rich interactions within Microsoft 365 applications, but its deep access to system resources also increases security risks. Starting this month, the Windows versions of Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Visio will have a new default configuration for ActiveX controls: Disable all controls without notification. ↫ Zaeem Patel at the Microsoft 365 Insider Blog Be ho … ⌘ Read more
$10,000 worth GitHub Access Tokens | Secret Search Operators
Secret but basic GitHub dorks & search operators that can lead to $10k bounty worth Access Tokens.
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/10- … ⌘ Read more
Then I cleaned up my shell history of all of the invocations I ever made of dkv rm ... to make sure I never ever have this so easily accessible in my shell history (^R):
$ awk '
  # bash history written with HISTTIMEFORMAT set stores a "#<epoch>" line before
  # each command; remember it, and only emit it if the command that follows is kept
  /^#/ { ts = $0; next }
  # drop every "dkv rm ..." invocation (its pending timestamp is dropped with it)
  /^dkv rm/ { next }
  { if (ts) print ts; ts = ""; print }
' ~/.bash_history > ~/.bash_history.tmp && mv ~/.bash_history.tmp ~/.bash_history && history -r
GitHub found 39M secret leaks in 2024. Here’s what we’re doing to help
Every minute, GitHub blocks several secrets with push protection—but secret leaks still remain one of the most common causes of security incidents. Learn how GitHub is making it easier to protect yourself from exposed secrets, including today’s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes.
The post [GitHub found 39M secret leaks in 2024. H … ⌘ Read more
Microsoft makes it even harder to use a local account on Windows 11
Do you want to install Windows 11 without internet access or without an online Microsoft Account? It seems Microsoft really doesn’t want you to, as it has removed a very common and popular way of bypassing this requirement. In the release notes for the latest builds from the Dev and Beta channels, the company notes: We’re removing the bypassnro.cmd script from the build to enhance security and use … ⌘ Read more
Cedar: A New Approach to Policy Management for Kubernetes
The challenges organizations face when managing access control and authorization in cloud-native environments continue to grow in complexity. Organizations scaling their Kubernetes deployments, for example, work to balance their security requirements, operational flexibility, and policy manageability…. ⌘ Read more
Raspberry Pi PoE+ Injector Leverages Power-Over-Ethernet for Remote Deployments
This month, Raspberry Pi launched a device capable of powering its single-board computers over Power-over-Ethernet. The Raspberry Pi PoE+ Injector enables both power and data to be transmitted through a single Ethernet cable, simplifying network infrastructure for projects deployed in remote or difficult-to-access locations. Compatible with devices conforming to IEEE 802.3af and 802.3at … ⌘ Read more
How NixOS and reproducible builds could have detected the xz backdoor for the benefit of all
Some more light reading: While it was already established that the open source supply chain was often the target of malicious actors, what is stunning is the amount of energy invested by Jia Tan to gain the trust of the maintainer of the xz project, acquire push access to the repository and then among other perfectly legitimate contributions insert … ⌘ Read more
FOSS infrastructure is under attack by AI companies
What do SourceHut, GNOME’s GitLab, and KDE’s GitLab have in common, other than all three of them being forges? Well, it turns out all three of them have been dealing with immense amounts of traffic from “AI” scrapers, who are effectively performing DDoS attacks with such ferocity it’s bringing down the infrastructures of these major open source projects. Being open source, and thus publicly accessible, means these scrapers have … ⌘ Read more
@kat@yarn.girlonthemoon.xyz Using full-blown Cloud services is good for old people like me who don’t want to do on-call duty when a disk fails. 😂 I like sleep! 😂
Jokes aside, I like IaaS as a middle ground. There are IaaS hosters who allow you to spin up VMs as you wish and connect them in a network as you wish. You get direct access to all those Linux boxes and to a layer 2 network, so you can do all the fun networking stuff like BGP, VRRP, IPSec/Wireguard, whatever. And you never have to worry about failing disks, server racks getting full, cable management, all that. 😅
I’m confident that we will always need people who do bare-bones or “low-level” stuff instead of just clicking some Cloud service. I guess that smaller companies don’t use Cloud services very often (because it’s way too expensive for them).
@prologic@twtxt.net oh yeah it’s absolutely epic i love how fast it is. it would be extra peak if it sent a message to every bot that it denies access to that just says “get fucked” or something idk
How to Show QR Code for Wi-Fi on iPhone, Mac, iPad
One very easy and convenient way to share access to a wi-fi router is by generating a QR code for joining that wi-fi router, which can be useful for house guests, offices, waiting rooms, rentals, restaurants, shops, and just about anywhere else with wi-fi that people might want to join. It can also make it … Read More ⌘ Read more
Comet GL-RM1 Enables Remote Control with 2K Video Resolution
Comet (GL-RM1) is a hardware-based remote KVM solution for remote computer access and control. Its open-source design enables hardware-level interaction, making it useful for remote work, IT maintenance, and server management. It allows full control over offline computers, including BIOS access, troubleshooting, and boot failure recovery. The device features a quad-core 1.5GHz processor, 1GB DDR3 […] ⌘ Read more
wahhh i wanna work towards my dream of offering pay as you can web hosting (static & dynamic) but i don’t know how!!!!! i keep drifting towards hosting panels but i don’t exactly have fresh linux servers for those nor do i like the level of access they require. so i’m like ok i can do the static site part with SFTP chroot jails and a front-end like filebrowser or something…. but then what about the dynamic sites!!!!!!! UGH
granted i doubt i’d get much interest in dynamic sites but i’d like to do this old school where i can offer people isolated mySQL databases or something for some project (i’m thinking PHP based fanlistings), which means i could do it the old school way of… people ask me to run it and i do it for them. but i kind of want to let people have access to be able to do it themselves just short of giving them SSH access which isn’t happening
Expose the Kubernetes API and access it anywhere
Accessing the Kubernetes API for your clusters from anywhere or across any network is a powerful lever. It’s even better if you can do so without shipping or extending more messy networks, like VPCs or VPNs…. ⌘ Read more
Emoji Picker Shortcut Not Working in MacOS Sequoia? Let’s Fix It
Some MacOS Sequoia users have discovered the familiar handy Emoji keyboard shortcut to access the Emoji & Symbols panel is no longer working as expected. This can be immensely frustrating, especially if you rely on it for quick access to emojis in messages, emails, documents, and in general. While it might seem like a minor … [Read More](https://osxdaily.com/2025/03/07/emoji-picker-shortcut-not-workin … ⌘ Read more
Announcing the Beta Release of OpenTelemetry Go Auto-Instrumentation using eBPF
The OpenTelemetry community is excited to announce the beta release of the OpenTelemetry Go Auto-Instrumentation project! This milestone brings us closer to our mission of making observability simple, accessible, and effective for Go applications. What is… ⌘ Read more
New Phippy Book Guidelines: Enhancing Community Access & Engagement
Phippy and Friends have long been a beloved part of the cloud native ecosystem, making complex technologies more approachable through storytelling. As interest in these books grows, CNCF is introducing new guidelines to better support, distribute,… ⌘ Read more
Walletverse submits CCS proposal to integrate Monero into their ‘community-driven crypto wallet’
The Walletverse team has submitted a CCS proposal looking to integrate Monero into their community-driven crypto wallet:
This integration will enhance the privacy and functionality of the Walletverse wallet and contribute to the wider adoption of Monero by making it more accessible.
Total funding: 135 XMR.
ETA: 3+ months.
Milestones
- M1: Core Moner … ⌘ Read more