0xWinnerSec @dr_winner6 - Twitter Profile

17 days ago

For anyone who started with a home lab: what was the first thing you actually tested once Kali was up and running? Looking for ideas on where to point this thing first.

0

5

0xWinnerSec @dr_winner6

17 days ago

Day 20/30 w/ @VAInitiatives. SSRF doesn't break into your server. It convinces your server to attack itself from the inside. Also spun up my first Kali Linux lab today. Less reading, more doing. Great lesson from @VictorAkinode #KaliLinux #VACyberMentorship

dr_winner6's tweet photo. Day 20/30 w/ @VAInitiatives. SSRF doesn't break into your server. It convinces your server to attack itself from the inside. Also spun up my first Kali Linux lab today. Less reading, more doing. Great lesson from @VictorAkinode #KaliLinux #VACyberMentorship https://t.co/exK9nvtR5R

4

1

0

20

0xWinnerSec @dr_winner6

17 days ago

Built my first lab today. VirtualBox runs a full isolated computer inside your own. Break it, infect it, blow it up, then delete and start fresh. Your real system never feels it. Snapshots let you roll back instantly. A controlled blast radius for learning.

0

12

0xWinnerSec @dr_winner6

17 days ago

SSRF is brutal in the cloud. Point the server at a metadata endpoint, steal temporary credentials, and full infrastructure compromise is on the table. Root cause is almost always the same: a server blindly trusting a user supplied URL.

0

4

Who to follow

Alimazoya David

@aydcode

Full Stack Developer in JS, React, Next, Node, Java, Spring Framework, I love to learn and grow while helping people around me to be thier best.

Ahmed Algzery

@Ahmed__Algzery

Mobile Developer @ Hadaf Solutions

Hlubi Thunyiswa

@AtherniaT

Blessed🙏🏽 Science | Research | Technology

0xWinnerSec @dr_winner6

17 days ago

SSRF in one line: the attacker doesn't breach your server, they trick your server into making requests on their behalf. Since the server is already trusted inside your network, it reaches internal systems the public internet never could. Borrowed trust.

0

19

0xWinnerSec @dr_winner6

18 days ago

Honest question. What's harder to defend against in your experience, a technical exploit or a well executed social engineering attack? Curious whether people trust their processes or their tools more.

0

3

0xWinnerSec @dr_winner6

18 days ago

Day 19/30 w/ @VAInitiatives & @VictorAkinode. You can spend millions on security and still get breached by someone who just sounds convincing on a phone call. Social engineering doesn't hack code. It hacks people. #Cybersecurity #VACyberMentorship #TheVAInitiatives #CloudSecurity

dr_winner6's tweet photo. Day 19/30 w/ @VAInitiatives & @VictorAkinode. You can spend millions on security and still get breached by someone who just sounds convincing on a phone call. Social engineering doesn't hack code. It hacks people. #Cybersecurity #VACyberMentorship #TheVAInitiatives #CloudSecurity https://t.co/2DNlbejao0

4

0

47

0xWinnerSec @dr_winner6

18 days ago

The #1 risk on the OWASP Top 10 isn't exotic. It's broken access control. Users reaching data or actions they were never authorized for. The most damaging web risk is also one of the most basic to get wrong.

0

8

0xWinnerSec @dr_winner6

18 days ago

Remote work made social engineering easier. When you can't see who you're talking to, a confident voice or a well written email is often all it takes. Verification procedures that don't bend for "urgent" requests are the real defense.

0

10

0xWinnerSec @dr_winner6

18 days ago

Social engineering tactics are disturbingly low tech. Pretexting is a believable fake story. Baiting is an infected USB labeled "Payroll." Tailgating is walking through a secure door behind you. None need a single line of malicious code. They just need you to act normal.

0

11

0xWinnerSec @dr_winner6

20 days ago

Want a high paying cyber security career? Here's how to leverage online training with @TryHackMe to get there. Read the blog https://t.co/GKhA4Nlg3H #tryhackme #cybercareers via @tryhackme

0

30

0xWinnerSec @dr_winner6

21 days ago

Day 18/30 w/ @VAInitiatives & @VictorAkinode. Ransomware hits Friday night. Your recovery speed was decided months ago. Backups, governance, risk management, the boring stuff that saves everything. #Cybersecurity #VACyberMentorship #TheVAInitiatives

dr_winner6's tweet photo. Day 18/30 w/ @VAInitiatives & @VictorAkinode. Ransomware hits Friday night. Your recovery speed was decided months ago. Backups, governance, risk management, the boring stuff that saves everything. #Cybersecurity #VACyberMentorship #TheVAInitiatives https://t.co/ev5pZmu1dg

0

12

0xWinnerSec @dr_winner6

22 days ago

Is the shared responsibility model genuinely misunderstood, or do organizations understand it and just deprioritize it? Curious what people actually see on the ground.

0

3

0xWinnerSec @dr_winner6

22 days ago

Day 17/30 w/ @VAInitiatives & @VictorAkinode. The cloud didn't fail them, they failed to understand what it expected of them. Shared responsibility, encryption, key management. The gaps are almost never technical. #Cybersecurity #VACyberMentorship #TheVAInitiatives #CloudSecurity

dr_winner6's tweet photo. Day 17/30 w/ @VAInitiatives & @VictorAkinode. The cloud didn't fail them, they failed to understand what it expected of them. Shared responsibility, encryption, key management. The gaps are almost never technical. #Cybersecurity #VACyberMentorship #TheVAInitiatives #CloudSecurity https://t.co/DsQY6h9hvR

4

0

13

0xWinnerSec @dr_winner6

22 days ago

Every piece of sensitive data you hold is a piece you have to protect and account for. Collecting more than you need doesn't just cost storage, it creates liability. Less data held means a smaller surface to defend.

0

4

0xWinnerSec @dr_winner6

22 days ago

Encrypting stored data but sending it unencrypted is a false sense of security. All three states need protection, at rest, in transit, in use. And encryption is only as strong as how you manage the keys. Rotate them. Never hardcode them.

0

10

0xWinnerSec @dr_winner6

22 days ago

Cloud provider secures the infrastructure. You secure everything on top, data, identities, configs, access. Assuming they watch all of that is exactly how a public S3 bucket sits exposed for months.

0

8

0xWinnerSec @dr_winner6

22 days ago

For developers in security, what's the most common insecure coding pattern you still see in production today? Hardcoded credentials, missing input validation, or something else entirely?

0

5

0xWinnerSec @dr_winner6

22 days ago

Day 16 w/ @VAInitiatives & @VictorAkinode. A hardcoded secret, an unsanitized input, an outdated dependency. Nothing looks broken, until it is. Security isn't a feature you add. It's a practice you maintain. #Cybersecurity #VACyberMentorship #TheVAInitiatives #CloudSecurity #AWS

dr_winner6's tweet photo. Day 16 w/ @VAInitiatives & @VictorAkinode. A hardcoded secret, an unsanitized input, an outdated dependency. Nothing looks broken, until it is. Security isn't a feature you add. It's a practice you maintain. #Cybersecurity #VACyberMentorship #TheVAInitiatives #CloudSecurity #AWS https://t.co/HCmbmKRgB2

4

0

27

0xWinnerSec @dr_winner6

22 days ago

Vulnerability management isn't a scan you run once a quarter. It's a cycle, discover, assess, prioritize, remediate, verify, repeat. Vulnerabilities appear in your code, your dependencies, and your configurations constantly.

0

4

0xWinnerSec @dr_winner6

22 days ago

Shift left security, the most important ideas in software development and one of the most ignored. It means catching security issues during design & development, not after deployment. A vulnerability found in a code review costs a fraction of what it costs to fix after a breach.

0

169

0xWinnerSec

@dr_winner6

Who to follow

Last Seen Users on Sotwe

Trends for you

Most Popular Users