In collaboration with a couple of other leaders in the industry we are releasing https://t.co/Kssdre4HiX - It's an attempt to provide transparency about role levels, expectations and (just for the US market currently) salary ranges. For leaders writing JDs and candidates alike.
Stop asking LLMs to “find vulns.” Start using them to understand code.
@Sw4mp_f0x walks through using Claude Code as a force multiplier in app assessments - faster analysis, fewer false positives, better outcomes.
Check it out: https://t.co/BpMnOGBMv7
@leune Very solid list 😁. Love to see Mr. Robot make the cut. Was really fun working while the show was coming out and having non security IT folk approach me about the scenarios/accuracy.
⚠️ Giveaway time! ⚠️ 👇
📢 Our new course "Attacking AI" will be Feb 27-28!
This two-day course equips security professionals with the tools and methodologies to identify vulnerabilities in AI systems. It's gonna be a BANGER.
Syllabus: https://t.co/cY9vcI7Z5y
We are giving away two seats this week!
⁉️ How to enter the giveaway:
♻️ Repost this post = 2 Entries
🗣️ Reply = 1 Entry
❤️ Like = 1 Entry
Nothing helps me understand the "it works" mentality of a full-time dev better than going down a rabbit hole of docs and blogs for what I thought was the simple question "what's the 'best' way to get an IP address from a hostname in Python" 😂
@G0LDEN_infosec Yeah I've found it to be similar to "dreading" the gym. The thought of the session can be daunting, but once you start you just hit the flow.
Witnessing a Total solar eclipse on an extremely cloudy day that magically got out of the way for totality really was one of the most surreal experiences of my life. Hope everyone got a chance to see!
The next cohort of "The Bug Hunter's Methodology Live" will be:
US: March 2nd-3rd
EU: March 9th-10th
https://t.co/VnOqGJ5Yyo
Repost, like, and reply for a chance at a free seat!
New in v2.5 - More Burp, more JS analysis, more IDOR/MFLAC!
Shoutout to @Jhaddix and his TBHM Live course for getting me to embrace mindmapping. All of the course content has been game-changing for my workflow and I couldn't recommend it more!
Check out https://t.co/vPdA6f3kIk for when the next set of courses is being held!
@Jhaddix I was also not a fan of the mesh construction of HM. I ended up going with a Steelcase Leap and it has lasted me 4 years of punishment (got it at start of COVID) and is holding up real well!
Oof that was a tricky one but a good one
I completed the Web Security Academy lab:
Exploiting server-side parameter pollution in a REST URL
@WebSecAcademy
https://t.co/IrLFYOTfqX
Congratulations to @NahamSec for hitting the million-dollar milestone on HackerOne! 🤑 NahamSec’s passion for ethical hacking helps protect the world’s top organizations by finding potential vulnerabilities before cybercriminals. Amazing work! 👏
🕵️‍♂️ Show & Tell: Here's how I exploited a simple issue on a target app using GraphQL that allowed me to take over any user's account 💰💰
This is a classic case of thinking outside the "box." The app I targeted allowed inviting users to your organization. When an invite is sent to the victim, they get a link like http://targetapp/invitation/{token}.
What was interesting was that the invitation link automatically logged a victim into their account and asked them if they wanted to accept the invitation.
🚨 This grabbed my attention, prompting the question, "Can I somehow acquire that Invitation token?" Considering its potential to let me take over any person's account, I immediately delved deeper into the app and came across a GraphQL operation for retrieving the list of invited users:
{"operationName":"GetPendingMembers","variables":{"ID":"XXXX"},"query":"query GetPendingMembers($ID: ID!) {\n users: GetPendingMembers(ID: $ID) {\n invited { email\n role\n createdAt\n updatedAt\n __typename\n }\n __typename\n }\n}\n"}
Looking at this, I thought, "What if the 'invited' object has more info than shown?" So, I added the token parameter inside the invited object:
{"operationName":"GetPendingMembers","variables":{"ID":"XXXX"},"query":"query GetPendingMembers($ID: ID!) {\n users: GetPendingMembers(ID: $ID) {\n invited {\n token email\n role\n createdAt\n updatedAt\n __typename\n }\n __typename\n }\n}\n"}
Surprisingly, it worked! The GraphQL operation returned the token that was sent to the victim's email.
Crafted a URI with the leaked token, like http://targetapp/invitation/{token}, and took over the victim's account.
Lesson: Always think outside the box. Instead of just hunting for vulnerabilities, notice odd app behaviors— they might lead you to unexpected weaknesses. Understand how the app works, find flaws, and outsmart the design. 👾 #BugBounty #AppSecurity #ThinkOutsideTheBox #HackerOne #BugBountyTips #SecurityTips #BugCrowd #InfoSec #Bounties #Bounty #Tips #Follow
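The over-exposed field in the thread above, modelled from the defender's side as an added example (not code from the original post or from the app it describes): a resolver that projects straight from the stored record beside one that validates the client's selection against an allowlist, plus an audit hook for a gateway or log review. The sample records, the token value and the field allowlist are constructed assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed sample data: pending invitations as the server stores them. The
# raw record carries the single-use token that was e-mailed to the invitee.
PENDING_INVITES = [
    {"email": "alice@example.test", "role": "member", "createdAt": "2024-01-01",
     "updatedAt": "2024-01-01", "token": "CONSTRUCTED-TOKEN-1"},
]

# Fields of the `invited` object the API is meant to expose. `token` is absent
# on purpose: it is a credential that logs the holder in, not profile data.
PUBLIC_INVITE_FIELDS = {"email", "role", "createdAt", "updatedAt"}

# Constructed request body shaped like the one in the post, with `token` added
# to the selection set.
PROBE_REQUEST = json.dumps({
    "operationName": "GetPendingMembers",
    "variables": {"ID": "XXXX"},
    "query": "query GetPendingMembers($ID: ID!) {\n users: GetPendingMembers(ID: $ID) {\n"
             " invited {\n token email\n role\n createdAt\n updatedAt\n __typename\n }\n"
             " __typename\n }\n}\n",
})

def requested_invite_fields(request_json: str) -> List[str]:
    """Field names selected under `invited { ... }` in a GraphQL request body."""
    query = json.loads(request_json)["query"]
    m = re.search(r"invited\s*\{([^}]*)\}", query)
    return [f for f in m.group(1).split() if f != "__typename"] if m else []

def resolve_invited_leaky(fields: List[str]) -> List[Dict[str, str]]:
    """Mirrors the reported design: the resolver projects straight from the
    stored record, so any column with a matching name, `token` included,
    can be selected by the client."""
    return [{f: rec[f] for f in fields if f in rec} for rec in PENDING_INVITES]

def resolve_invited_hardened(fields: List[str]) -> List[Dict[str, str]]:
    """Fixed version: validate the selection against an allowlist first, so
    a request for `token` is rejected instead of answered."""
    unknown = set(fields) - PUBLIC_INVITE_FIELDS
    if unknown:
        raise ValueError(f"fields not exposed on invited: {sorted(unknown)}")
    return [{f: rec[f] for f in fields} for rec in PENDING_INVITES]

def audit_request(request_json: str) -> bool:
    """Gateway/log-review hook: True when a request selects a field that should
    never leave the server, e.g. `token` under `invited`."""
    return bool(set(requested_invite_fields(request_json)) - PUBLIC_INVITE_FIELDS)
```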