Aron Molnar

We're hiring a senior pentester. * 40h, m/w/d, remote * German and English speaking * Permanent residence in Austria https://t.co/OKXb7IeALb Please support us by spreading the word ❤️

If you don't know something, there's only one correct answer: I don't know. Everything else is hallucinating. You know it from AI.

But there are two exceptions: Browsers cannot access the "Set-Cookie" and "Set-Cookie2" headers, as they are blacklisted. Cookies can thus not be exposed cross-origin. 3/3

Steal cookies via misconfigured CORS? Let's see if that works. TLDR: Cookies cannot be exposed cross-origin. The response header "Access-Control-Allow-Origin" allows other origins to access the body of the cross-origin request. 1/3

It also allows access to "CORS-safelisted" response headers (like "Content-Type" or "Last-Modified"). The "Access-Control-Expose-Headers" header specifies additional header names that the user-agent (the browser) can access. 2/3

https://t.co/TnwQtvdmnI.

On-Premise is wrong. Premises is not the plural of Premise. Premise ≠ Premises Based on the premise that "on-premises" is wrongly used, we prefer "self-hosted". But you can also use "on-premises" or "on-prem".

"There is only one place to store the most important passwords: the handwritten password book in the safe." It depends. If you want to protect them from a random hacker, maybe. But if from your government, it's a bad idea. And the worst thing about it is usability. Opinions?

I want to compile a list of good screenshotting tools. Which one do you use and why do you like it? I'll start: I use Flameshot. It's open source and has built-in blur and rectangle. (I will, of course, publish the list later.)

Legend: - People we knew personally contacted us (”Known, inbound”) - People we knew personally we contacted (”Known, outbound”) - People who found us (on the Internet) and contacted us (”Inbound Request”) - People who contacted us based on a recommendation (”Recommendation”)