@kepano@obsdmd Samsung keyboard. There seems to be a bug report already submitted.
A temporary fix which worked for me was to disable Predictive Text in the Samsung Keyboard settings.
@iamnoahfranklin@Bugcrowd Joke's on me because I decided to take a stab at ZAP after this comment and have since switched entirely to it. A little more highlighting in HTTP requests would be appreciated, though.
@ion_kip@intigriti $_GET simply retrieves the value of the "lang" parameter without doing any validation whatsoever. This means that you can set its value to a path like ../../etc/passwd and it will be included by the include statement. The null byte makes PHP ignore the suffix 'en.php'.
@patrickdibia @0x_rood Once you reach the root (/) of the file system in Linux, any additional "../" sequences are ignored. So you can just spam "../" to be sure.
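An added worked example, not code from either of the two replies above or from any project they refer to, that reproduces the include pattern they describe: a "lang" request parameter concatenated into an include path with a suffix appended (the thread does not show the original code; a ".php" suffix and a lang/ directory are assumed here), the one-level "../" escape, the root over-shoot with far more "../" segments than needed, the null-byte attempt, and a hardened version using an allow-list plus a realpath() containment check. The scratch directory, file names and file contents are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread above. Demonstrates the pattern
// being discussed: an unvalidated "lang" parameter concatenated into an
// include path. Directory layout and file contents are constructed.

$base = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$base/lang", 0700, true);
file_put_contents("$base/lang/en.php", "<?php return 'Hello';\n");
file_put_contents("$base/lang/fr.php", "<?php return 'Bonjour';\n");
// A file outside lang/ that the application never meant to expose.
file_put_contents("$base/config.php", "<?php return 'DB_PASSWORD=example';\n");

// Vulnerable: $_GET['lang'] (passed in here as $lang) is used unvalidated,
// with an assumed ".php" suffix appended.
function vulnerable_include(string $base, string $lang)
{
    return include $base . '/lang/' . $lang . '.php';
}

// Hardened: an allow-list decides which language files exist at all, and a
// realpath() containment check guards against a future mistake in that list.
function safe_include(string $base, string $lang)
{
    $allowed = ['en', 'fr'];
    if (!in_array($lang, $allowed, true)) {
        return null; // not an allowed language name, refuse
    }
    $dir  = realpath("$base/lang");
    $path = realpath("$dir/$lang.php");
    if ($path === false || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null; // resolved outside lang/, refuse
    }
    return include $path;
}

// 1. Intended use: lang=en loads lang/en.php.
var_dump(vulnerable_include($base, 'en'));

// 2. One "../" escapes lang/ and pulls in config.php, because the appended
//    ".php" suffix happens to match the target's extension.
var_dump(vulnerable_include($base, '../config'));

// 3. Over-shooting the root: many more "../" than needed, then the absolute
//    location of config.php without its leading "/". Once resolution reaches
//    "/", the surplus "../" segments are ignored, so the payload still lands
//    on the file without the attacker knowing the exact depth.
$overshoot = str_repeat('../', 32) . ltrim($base, '/') . '/config';
var_dump(vulnerable_include($base, $overshoot));

// 4. The null-byte trick from the thread (cutting off the appended suffix)
//    only worked before PHP 5.3.4. Current PHP refuses paths containing a
//    NUL byte: include() fails with a warning and returns false, or throws,
//    depending on the PHP version. Either way nothing is loaded.
try {
    var_dump(@vulnerable_include($base, "../config.php\0"));
} catch (\Throwable $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}

// 5. Hardened version: the traversal payloads never reach include().
var_dump(safe_include($base, 'fr'));
var_dump(safe_include($base, '../config'));
var_dump(safe_include($base, $overshoot));

// Clean up the scratch files.
array_map('unlink', ["$base/lang/en.php", "$base/lang/fr.php", "$base/config.php"]);
rmdir("$base/lang");
rmdir($base);
```

Save it as, say, lfi_demo.php (assumed file name) and run it with the php CLI. The allow-list is the actual fix; the realpath() check is defence in depth and would also catch a language name that somehow contained separators. Step 4 is the historical part: the suffix-stripping null byte is gone on any supported PHP, while the "../" traversal in steps 2 and 3 works exactly as the replies describe whenever the appended suffix matches the target file.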
@binitamshah@danboneh Anyone who is *not* studying cryptography at a university level and does not like math or theory should stay away from this as it is not nearly as practical as you would imagine. It is dry theory with a lot of math which you will never need in your career as an ethical hacker.