Olivia
Online
Jake Miller
@theBumbleSec
Web Security Researcher | h2c smuggling, JSON Interop vulns,
RMIScout, GadgetProbe, Server-side Spreadsheet Injection | AppSec @BrexHQ; formerly @BishopFox
Joined October 2012
399 Following
2.3K Followers
437 Posts
Amazing work @albinowax! I’m just blown away with your creativity in finding new desync variants. I’m looking forward to trying it out in the labs.
Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling by @albinowax
https://t.co/Xa1GwNaIVd
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2021!
https://t.co/t3pMqnLt2T
It seems that there is a lot confusion about the log4j JNDI injection vulnerability (CVE 2021-44228). In our latest blog post we provide additional background fundamentals about JNDI and JNDI exploitation (and a lot of links): https://t.co/0UytHFBkga
@projectzerodays Sure! I found a few of these over the course of that year on services that accepted XLS uploads. They were all instrumenting MS Excel on a backend server for document processing: https://t.co/rJb9nzRusY and https://t.co/9AFTdCE7uc
Who to follow
Nicolas Grégoire
@Agarri_FR
Web hacker and Burp Suite Pro trainer
Refer to https://t.co/D5tRH7U2hg for trainings
Follow @MasteringBurp for free tips and tricks
ProjectDiscovery 
@pdiscoveryio
Real, exploitable vulnerabilities. No noise. Nuclei scans fast. Neo closes the loop. @pdnuclei × @neo_ai_engineer
Gareth Heyes \u2028
@garethheyes
Web security researcher at PortSwigger. Author of JS for Hackers and Hackvertor.
https://t.co/e0aNEbFb9D
Check out our blog post on Context Aware Content Discovery https://t.co/ma7hdgPPfI - we drop a tool (Kiterunner - https://t.co/u9mb9DUlkg) and some datasets. Hope you can find more endpoints through our work!
Found another jndi bypass like 🟠's groovy bypass using org.yaml.snakeyaml.Yaml. Heres a controller for rouge-jdni to add it to your arsenal https://t.co/VtSNSDgyRO.
Great research by @artsploit! Also, be sure to check out the labs and updates to content at https://t.co/ZbjjHtcbyL
My colleague @seanyeoh wrote up his security research on H2C smuggling and the various cloud providers he successfully exploited (Cloudflare, Azure). He also released a tool called h2csmuggler! Check it out at https://t.co/C4QTDcI7JH
Excited to share that I have just started a new position on the AppSec team @BrexHQ! Looking forward to being a part of their awesome team :)
I used Radamsa to fuzz and find an inconsistency between 2 NodeJS URL parsers and bypass host whitelisting in Kibana webhooks. The impact was low here but the parser issue can probably cause some trouble in other Node code bases. Read more details 👇 https://t.co/WF4OANSpym
More great lessons on fuzzing from @Nosoynadiemas! I am always excited when I see a new post in this series. Thank you for sharing!
Learn how to take aim at HTTP attack surfaces in @Nosoynadiemas series on fuzzing the Apache Web Server https://t.co/z8MNrbsCwA
Istio vulnerability with an 8.2 CVSS. They're calling it a 0day. Also a lesson in JWT validation mistakes.
> If a JWT token is presented with an issuer that does not match the issuer field specified in JwtProvider, then the request is mistakenly accepted
https://t.co/Hrd06hgyMD
@h3xstream @nst021 Thank you for letting me know! Love the depth of this piece. It also provides coverage for languages that I skipped like Swift, Perl, Obj-C, and Lua. Added a link and shout out in the Takeaways section :)
@nlohmann The trials included: 1) attempting to induce duplicate keys through truncation 2) fuzzing Unicode codepoints/raw/transforms 3) using unofficial JSON grammar 4) edge-case numbers 5) adding small quirks/errors: stray quotes or backslashes, odd whitespace. Hope that helps! (2/2)
@nlohmann Hey Niels! Nice to meet you :) During my tests, nlohmann/json had behavior consistent with JSON parsing "norms" and the spec. Notably, it made excellent use of exceptions! I'd be happy to provide more context on the test cases. (1/2)
@pry0cc Haha I was biting my tongue earlier this week, as my new research was just about to be published, but now I can share it. JSON Interoperability Vulnerabilities: https://t.co/A3MQkLpAXe
JSON Interoperability vulnerabilities sound like they have some serious bug-bounty potential. Nice work once again by @theBumbleSec/@bishopfox
https://t.co/uHCGJAmt4f
Accompanying labs and cheat sheet: https://t.co/4RZeYjebNZ
Just when you thought JSON was the one thing you could trust. My latest research on JSON interoperability vulnerabilities highlights the risks of inconsistent parser behavior (40+ parsers) and attacks to bypass business logic in microservice architectures. https://t.co/A3MQkLpAXe
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.4M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.7M followers
Cristiano Ronaldo
@cristiano
110.1M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.5M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.8M followers
KATY PERRY
@katyperry
87.4M followers
Taylor Swift
@taylorswift13
81.2M followers
Lady Gaga
@ladygaga
72.8M followers
Kim Kardashian
@kimkardashian
69.7M followers
Virat Kohli
@imvkohli
69.5M followers
YouTube
@youtube
68.7M followers
Bill Gates
@billgates
63.7M followers
The Ellen Show
@theellenshow
62.5M followers
Neymar Jr
@neymarjr
62.2M followers
CNN
@cnn
61.9M followers
X
@x
60.8M followers
Selena Gomez
@selenagomez
60.5M followers