Arminius

@rawsec

Your friendly infosec fanboy. I do bug bounty hunting, CTFs, some FOSS, subpar chess. HoF: Google, Chromium, Firefox, Facebook, Paypal et al

In the wild

Joined October 2013

1.2K Following

1.1K Followers

58 Posts

Pinned Tweet

Arminius @rawsec

over 7 years ago

Mini XSS challenge 3. Can you solve it? 🤔 <?php $n = bin2hex(random_bytes(8)); header("Content-Security-Policy: script-src 'nonce-$n'"); printf('<script nonce=%s>"%s"</script>%s', $n, str_replace('"', '', $_GET['a']), $_GET['b']); ?> #minixss #ctf

3

25

13

1

0

Arminius @rawsec

almost 4 years ago

@nazarpc @qtile Appreciate it! Great to see someone with a developer background using it. :)

0

2

0

0

0

Arminius @rawsec

over 5 years ago

@AlexPopovJr DM'ed you :)

0

1

0

0

0

Arminius @rawsec

over 5 years ago

Well, seems like @kucoincom didn't take their security that seriously in the first place #KuCoinHack #KuCoin

Arminius @rawsec

over 6 years ago

Sigh. It's 2020. Crypto exchange @kucoincom just awarded me a $28.49 bounty for an unconditional XSS vuln on their main domain. (via 3rd party component but still...) A little deceitful to call that a #bugbounty program 🤷 @gan_chun $KCS

0

3

1

0

0

0

3

0

0

0

Who to follow

When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.

Verified account

I'm also @[email protected]

Nicolas Grégoire

Web hacker and Burp Suite Pro trainer Refer to https://t.co/D5tRH7U2hg for trainings Follow @MasteringBurp for free tips and tricks

Arminius @rawsec

over 6 years ago

@krakensupport Thanks, the security team got back to me!

0

2

0

0

0

Arminius @rawsec

over 6 years ago

Hey @krakenfx @krakensupport. I reported a major security vulnerability on your exchange 74 days ago. It's still open, and both your support and security team are ghosting me. Any help? #bugbounty $btc

1

2

0

0

0

Arminius @rawsec

over 6 years ago

Sigh. It's 2020. Crypto exchange @kucoincom just awarded me a $28.49 bounty for an unconditional XSS vuln on their main domain. (via 3rd party component but still...) A little deceitful to call that a #bugbounty program 🤷 @gan_chun $KCS

0

3

1

0

0

Arminius @rawsec

over 6 years ago

Know someone who needs a Titan security key bundle from Google? Got that promo mail where someone gets a free bundle if I refer them to Google's Advanced Protection Program

0

3

0

0

0

Arminius @rawsec

over 6 years ago

@krakensupport I reported a security vulnerability on @krakenfx a week ago, but you did not reply. Could you have another look?

1

0

0

0

0

Arminius @rawsec

about 7 years ago

@coolfire It got CVE-2019-12735. I had suspected the modeline "sandbox" didn't receive much attention, so it was just an afternoon of manually looking through the vim source and docs.

0

4

1

0

0

Arminius @rawsec

about 7 years ago

Arbitrary code execution vulnerability in Vim < 8.1.1365 and Neovim < 0.3.6 via modelines. 😬 Also, why you should not use Vim with default config, or cat without -v. https://t.co/KFoSO9ABl0

23

1K

621

54

0

Arminius @rawsec

about 7 years ago

@Rhynorater Spending more time on potential param pollution bugs like messing with bad encoding is a great point

1

0

0

0

0

Arminius @rawsec

over 7 years ago

@LLNSPay @itaibn_ Ah, that's neat! Never dealt with PHP_SESSION_UPLOAD_PROGRESS before. But at least the idea to populate a local file with the payload and chain wrappers/filters to manipulate it to the start of the file was the right direction. :)

0

0

0

0

0

Arminius @rawsec

over 7 years ago

Want a riddle for your coffee break (or, if you're me, a weekend full of despair)? Try this tricky "One Line PHP Challenge" from #HITCON #CTF <?php ($_=@$_GET['orange']) && @substr(file($_)[0],0,6) === '@<?php' ? include($_) : highlight_file(__FILE__); ?> http://54.250.246.238/

1

8

4

0

0

Arminius @rawsec

over 7 years ago

@LLNSPay Like, say, php://filter/string.strip_tags/convert.base64-decode/resource=/proc/self/environ with a crafted "Accept:" header, hoping Apache sets HTTP_ACCEPT in env. (using strip_tags so that a payload ending with <x cuts off rest). But my blind attempts didn't get me anywhere.

0

2

0

0

0

Arminius @rawsec

over 7 years ago

@LLNSPay I was thinking stream filters (php://filter/...) on a local file that reflects parts of the request (maybe /proc/self/environ or logfiles). Chaining some filters cleverly (base64-decode, etc.), the local file wouldn't even need to start with `@<?php`. But had no success.

1

0

0

0

0

Arminius @rawsec

over 7 years ago

@orange_8361 I want my weekend back. And my sanity. :-) Gonna dream of PHP filters tonight...

0

1

0

0

0

Arminius @rawsec

over 7 years ago

My write-up for Hackover CTF "cyberware" challenge. Using dir trav and manually obtaining packfiles from git meta dir. Was a nice little peek into git internals. https://t.co/BmlmB4trge

0

7

5

0

0

Arminius @rawsec

over 7 years ago

Where's Bobby Tables when you need him

StackExchange Status @StackStatus

over 7 years ago

We're investigating a database overload and working to resolve it ASAP.

54

157

47

0

0

0

1

0

0

0

Arminius @rawsec

over 7 years ago

@StackStatus "He Joel, our Microsoft Access trial is expiring in October" - "Make it a P4 ticket then, still plenty of time"

0

0

0

0

0

Arminius @rawsec

over 7 years ago

@itaibn_ I'll give it about a week. I can DM you the intended solution afterwards if you're interested

0

1

0

0

0

Arminius @rawsec

over 7 years ago

Mini XSS challenge 3. Can you solve it? 🤔 <?php $n = bin2hex(random_bytes(8)); header("Content-Security-Policy: script-src 'nonce-$n'"); printf('<script nonce=%s>"%s"</script>%s', $n, str_replace('"', '', $_GET['a']), $_GET['b']); ?> #minixss #ctf

3

25

13

1

0

Last Seen Users on Sotwe

Trends for you

Most Popular Users