@strawp@infosec.exchange @strawp - Twitter Profile

Pinned Tweet

over 3 years ago

If you miss Twitter back in pre-2010 days when it was just full of geeks sharing cool stuff, then get on Mastodon. https://t.co/CugRleATGd is where I'll be now 👋

0

1

0

@[email protected] @strawp

over 3 years ago

YES! You found one! I pretty much laughed all the way through that😂

0

104

@[email protected] @strawp

over 4 years ago

@sampilgrim this guy who rides a penny farthing says he wouldn't know how to pop a wheelie on it. https://t.co/By5AaCf83W I figured if anyone could manual one, you could. Make it happen! 😁

1

0

@[email protected] @strawp

over 3 years ago

@Burp_Suite Didn't appear to but I got around the issue using sessions in the end. Odd though, figured it was a caching issue or something

0

22

Who to follow

Ben Turner 🇬🇧

@benpturner

Creator of Things #PoshC2 / https://t.co/boSPPKtIVx | Advisory Services’ Lead & Red Teamer @Nettitude_labs (CCSAS & CCSAM)

@[email protected] @strawp

over 3 years ago

@Burp_Suite I'm sure the Intruder payload type "Runtime file" used to read the file for each request so you could use it to store an access token to refer to, but it seems like now it keeps the same value for the whole attack?

1

0

93

@[email protected] @strawp

over 3 years ago

@Burp_Suite Yes, but in the past I've used it to take the value from the file per request and have another process writing to that file, e.g. the current datetime and it would be correct at the time of the request. Talking probably v1.5 or so though 😂

1

0

55

@[email protected] @strawp

over 3 years ago

@_RastaMouse @benpturner @m0rv4i I don't deserve any credit, I think I probably just created that repo for the actual talent 😂

0

3

0

442

@[email protected] @strawp

over 3 years ago

@IGC_Ray https://t.co/kCVgmbtasB

1

0

16

@[email protected] @strawp

over 3 years ago

I did a thing

LRQA Cyber Labs

@LRQA_Cyber_Labs

over 3 years ago

Popular document storage solution, ONLYOFFICE, affected by multiple vulnerabilities. Our latest post by @strawp shows how to exploit this for unauthenticated remote code execution. https://t.co/qlbJLlIC4X

0

17

10

4

0

3

7

0

@[email protected] @strawp

over 3 years ago

@IGC_Ray Sorry, only just saw this. JS injection you can do through the UI. The other stuff, the version number is a firm indicator

1

0

22

@[email protected] @strawp

over 3 years ago

@0xCrashX Now :) https://t.co/kCVgmbtasB

0

141

@[email protected] @strawp

over 3 years ago

@nationaltrust @wbiggs I've had this working in Google Play/Wallet for years but it's only in the last year that staff have refused to scan it because "security" despite the fact that the physical cards have no security features 🤷‍♂️

0

2

0

793

@[email protected] @strawp

over 3 years ago

@IGC_Ray I'll release the tool in the new year

1

0

27

strawp retweeted

LRQA Cyber Labs

@LRQA_Cyber_Labs

over 3 years ago

Popular document storage solution, ONLYOFFICE, affected by multiple vulnerabilities. Our latest post by @strawp shows how to exploit this for unauthenticated remote code execution. https://t.co/qlbJLlIC4X

0

17

10

4

0

@[email protected] @strawp

over 3 years ago

@robmanuel @jbaert @fesshole Stephen Fry has been on there a week and he's already got 46k followers https://t.co/K1vC1Pm04p

0

@[email protected] @strawp

over 3 years ago

@scriptmonkey_ "... upon which, cracking the Kerberos ticket was a mere bagatelle"

0

1

0

@[email protected] @strawp

over 3 years ago

@joefizz420 Must remember to never write another function and just cut and paste my code multiple times

1

0

@[email protected] @strawp

over 3 years ago

Oh Jesus 🤦‍♂️

Senior PowerPoint Engineer

@ryxcommar

over 3 years ago

congrats to every Twitter employee who commits their entire venv/ for avoiding the layoffs. Elon needs allstars like you who can push 200k lines of code in a single merge.