Introducing Lime 🍋
A full-site web accessibility checker with a UI that doesn’t make you want to close the tab. 😏
Give it a sitemap. Lime crawls the site and shows what’s actually wrong, with visuals, not walls of text.
https://t.co/NJKLETBLHE
The Agentic SOC is here.
🛡️ Introducing the Alert Triage and Investigation Agent in Google SecOps (Public Preview). It autonomously investigates alerts, runs YARA-L queries, and applies @Mandiant expertise to deliver clear verdicts.
See how it works: https://t.co/AOyqnFpYla
Lately I've been killing it with PostMessage related bugs.
Here is a little PostMessage primer for those of you that aren't comfortable with the topic:
PostMessages, despite the name, are not related at all to HTTP POST requests.
The simplest way to think of them is a pathway for two browser frames to communicate. "What is a frame?" You might ask - I gotchu.
A frame is a:
* Browser tab
* <iframe> frame
* <portal> frame (not yet fully released)
So let's say you've got a browser tab and an iframe within that tab that is on a different origin. The easiest way for these two frames to communicate is via PostMessage.
We set up a PostMessage communication channel via these things called "listeners". For two way communication, each page has to have a listener. But often only one-way communication is necessary.
A listener is defined via "window.addEventListener("message", {YourFunction})" in JavaScript. That {YourFunction} part would be replaced with a reference to the function defined to handle the PostMessages.
Let's say the iframe does "parent.postMessage('hi', '*')"; the function mentioned in the listener definition above will receive an event object e such that e.data is 'hi'. The parent page can then make a decision on what to do with that data.
This essentially provides an API for communication between the two pages.
This can often lead to a vulnerability if the e.origin attribute is not explicitly checked, because the page is not certain which origin (i.e., domain) the postMessage came from. It could have come from site[.]com or it could have come from attacker[.]com.
The most useful attack scenario nowadays looks like this:
The attacker has a page that uses "var x = window.open('//othersite')". The attacker then sends a PostMessage to that site with malicious data: "x.postMessage('<svg onload=alert(1)>', '*')".
That data is then parsed by the handler function defined in the addEventListener call, and affects the integrity or confidentiality of the page in some way.
That's it! Keep an eye out for cool PostMessage bugs using @fransrosen's PostMessage-Tracker tool on GitHub.
Glhf, find bugs!
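The missing e.origin check described in the primer above, as an added example that is not part of the original post: a listener that trusts every sender beside a hardened one. The allowlisted origin, the {type, text} message shape and the `ui` object standing in for the DOM are assumptions made for illustration.

```javascript
// Handlers are plain functions taking the MessageEvent, so they run in Node
// as well as behind window.addEventListener("message", ...).
const TRUSTED_ORIGINS = new Set(["https://widgets.example.com"]); // assumed partner origin

// Weak: never looks at e.origin and writes e.data into an HTML sink.
function weakHandler(e, ui) {
  ui.html = e.data; // stands in for element.innerHTML = e.data
  return true;
}

// Hardened: exact-match origin allowlist, strict message shape, text-only sink.
function hardenedHandler(e, ui) {
  // Exact comparison only; startsWith/indexOf/unanchored regex checks let
  // look-alike origins such as https://widgets.example.com.attacker.example through.
  if (!TRUSTED_ORIGINS.has(e.origin)) return false;
  const msg = e.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "greeting" || typeof msg.text !== "string") return false;
  if (msg.text.length > 200) return false;
  ui.text = msg.text; // stands in for element.textContent = msg.text
  return true;
}

// Constructed sample events (not captured traffic).
const SAMPLE_EVENTS = [
  { origin: "https://widgets.example.com", data: { type: "greeting", text: "hi" } },
  { origin: "https://attacker.example", data: "<svg onload=alert(1)>" },
  { origin: "https://widgets.example.com.attacker.example",
    data: { type: "greeting", text: "hi" } },
  { origin: "https://widgets.example.com", data: "<svg onload=alert(1)>" },
];

// Run every sample through a handler and record what reached the page.
function runSamples(handler) {
  return SAMPLE_EVENTS.map((ev) => {
    const ui = {};
    const accepted = handler(ev, ui);
    return { origin: ev.origin, accepted, ui };
  });
}

// Browser wiring for the hardened version (uiObject is hypothetical):
//   window.addEventListener("message", (e) => hardenedHandler(e, uiObject));
// Sender side: name the recipient instead of '*':
//   frame.contentWindow.postMessage(msg, "https://widgets.example.com");
console.log(runSamples(weakHandler), runSamples(hardenedHandler));
```

The fourth sample shows why the shape check stays even after the origin check passes: a trusted frame can still relay data it did not author.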
The best single #XSS vector you'll ever have! 😎
JavaScript://%250Aalert?.(1)//
'/*\'/*"/*\"/*`/*\`/*%26apos;)/*<!-->
</Title/</Style/</Script/</textArea/</iFrame/</noScript>
\74k<K/contentEditable/autoFocus/OnFocus=
/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\76-->
If you are building your career in cybersecurity, focus your attention on understanding APT Attacks and MITRE ATT&CK tactics, techniques, and procedures. You will be either working in detecting/preventing these attacks and techniques in blue team or simulating them in red team.
My first writeup on the new website :
"Abusing Report Abuse"
It's about a 'logical' bug that I reported some time back.
https://t.co/f7pZn2GUuf
#bugbounty #bugbountytip #hackingsimplified
Metasploit lovers! Don't forget about "advanced options!" Some of those might be SUPER helpful to properly fine-tune your scan or your exploit (... especially if the target is... taking a long time... to respond...) `show advanced options` is always worthwhile to check out.
Today I learned that you can check if your IP is exposing something sensitive to the internet (maybe some open ports) by visiting https://t.co/C2dO8PiZf3. If you see a 404 page then nothing is being exposed.
#infosec #security #cybersecurity
this is crazy....you can now install VMWare on a Raspberry Pi!!! Want to try it? I'll show you how: https://t.co/YOJeVC8Kp6
I'm also giving away 2 Raspberry Pi 4 (8GB) kits. Check the vid description to enter.
@Raspberry_Pi @VMware #raspberrypi #vmware #esxi
I created this basic Chrome extension to find prototype pollution. You won't believe the applications where PP exists, it's everywhere.
I hope you make the internet pollution free :xD.
https://t.co/5oO65WBTYC