**Query Confusion: How HTTP Parameter Pollution Made the App Spill Secrets **
Hey there!😁
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/query-confusion-how-http-parameter-pollution-made … ⌘ Read more
Securing Apache2 + PHP: Practical guide for safer web hosting
A practical security checklist to harden your Apache2 + PHP stack and protect your web applications from common vulnerabilities.
[Continue reading on InfoSec Write-ups »](https:// … ⌘ Read more
$2,900 Bounty: Public S3 Bucket Exposure in Shopify
How a Simple S3 Misconfiguration Exposed Private Images Across Shopify Stores and Earned a $2,900 Bounty
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/2-900-bounty-public-s … ⌘ Read more
現代 JavaScript 異步寫法:不依賴 await,構建高性能異步系統
在 ES6 + 時代,JavaScript 異步編程經歷了重大變革。雖然async/await語法顯著提升了代碼可讀性,但在某些場景下直接操作 Promise 和利用新特性能帶來更精細的控制。1. Promise 鏈式操作fetch(’https://api.example.com/data’) .then(response = { if (!response.ok) throw ne ⌘ Read more
🧮 USERS:1 FEEDS:2 TWTS:1333 ARCHIVED:86968 CACHE:2847 FOLLOWERS:22 FOLLOWING:14
Mission Center 1.0.0 released
Version\
1.0.0 of Mission Center, a system monitoring application, has been
released. Notable changes in this release include the addition of
SMART data for SATA and NVMe devices, display of per-process\
network usage, as well as a redesigned Apps Page that provides
more information about applications and processes. Mission Center’s
backend ap … ⌘ Read more
↳
In-reply-to
»
https://alex.party/posts/2025-05-05-the-future-of-web-development-is-ai-get-on-or-get-left-behind/
⤋ Read More
And on a similar note, cross-post from Mastodon:
What I love about HTML and HTTP is that it can degrade rather gracefully on old browsers.
My website isn’t spectacular but I don’t think it looks horrible, either. And it’s still usable just fine all the way down to WfW 3.11:
It’s not perfect, but it’s usable. And that makes me happy. Almost 30 years of compatibilty.
The biggest sacrifice is probably that I don’t enforce TLS and that HTTP 1.0 has no Host: header, so no vhosts (or rather, everything must come from the default vhost). (Yes, some old browsers send Host:, even though they predate HTTP 1.1. Netscape does, but not IBM WebExplorer, for example.)
(On the other hand, it might completely suck on modern mobile devices. Dunno, I barely use those. 🤪)
100 Milfs vs 1 Man ⌘ Read more
Beyond Alert Boxes: Exploiting DOM XSS for Full Account Takeover
Hello Hunters, as you all know, XSS is one of the most common web vulnerabilities, often underestimated but capable of causing severe…
[Continue reading on … ⌘ Read more
Hack Any Mobile Phone Remotely
Ethically — but note — this used to work great with phone under android 10
Containers vs Virtual Machines: Key Differences, Benefits, and Use Cases Explained
Discover the difference between containers and virtual machines, their benefits, and use cases to make smarter inf … ⌘ Read more
Threat Profiling 101: How to Create a Threat Profile
Learn how to create effective threat profiles to identify and prioritize relevant cyber threats for your organization.
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/th … ⌘ Read more
The Ultimate Guide to Cyber Threat Actors: Exploring Hackers, Hacktivists, and Their Tactics
How can we understand the impact of hackers and hacktivists on global cyberse … ⌘ Read more
$1000 Bounty: Account Takeover via Host Header Injection in Password Reset Flow
Free Article Link: Click for free!
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/1000-boun … ⌘ Read more
[47°09′14″S, 126°43′17″W] Reading: 1.12 Sv
uv:統一的 Python 包管理
花下貓語:uv 項目自發布起就大受歡迎,目前 Github star 52.6 K,遠超過它的同類競品們。前不久,它的創始人在 X 上披露了一組驚人的數據:uv 曾佔據了 PyPI 超過 20% 的流量,用戶每天通過它發起約 4-5 億次下載請求!我在去年翻譯過 uv 首發時的新聞文章 [1],根據博客後臺不完整的統計,從 Google 搜索進入的訪問量已經超過 3000,妥妥成爲了我博客的搜索訪 ⌘ Read more
Buffett Says Tim Cook Made Berkshire More Money Than He Ever Did
Berkshire Hathaway CEO Warren Buffett offered rare public praise for Apple CEO Tim Cook at the holding company’s annual shareholder meeting on Saturday, during which Buffett confirmed he was stepping down.
“I’m somewhat embarrassed to say that Tim Cook has made Berkshire a lot more money than I’ve ever made,” Buffett told the audience, alluding … ⌘ Read more
🧮 USERS:1 FEEDS:2 TWTS:1332 ARCHIVED:86951 CACHE:2881 FOLLOWERS:22 FOLLOWING:14
(Updated) ESP32-C5-DevKitC-1 with 240MHz RISC-V Processor, Zigbee, and Thread Connectivity
The ESP32-C5-DevKitC-1 is another upcoming entry-level development board designed for IoT applications, featuring the ESP32-C5-WROOM-1 module. This board supports key wireless protocols, including Wi-Fi 6 (2.4 GHz and 5 GHz), Bluetooth LE 5, Zigbee, and Thread. The ESP32-C5-WROOM-1 module is equipped with a 32-bit RISC-V single-core processor running at 240 MHz along … ⌘ Read more
Building Trust with OpenID Federation Trust Chain on Keycloak
OpenID Federation 1.0 provides a framework to build trust between a Relying Party and an OpenID Provider that have no direct relationship so that the Relying Party can send OIDC/OAuth requests to the OpenID Provider without being previously… ⌘ Read more
Two stable kernels released—with build fixes only
The 6.12.27 and 6.1.137 stable kernels have been released to
fix build problems in their predecessors. Only those who are having
build troubles with 6.12.26 or 6.1.136 need to upgrade. ⌘ Read more
Security updates for Monday
Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, rsync, webkit2gtk3, xmlrpc-c, and yelp), and SUSE (audiofile, ffmpeg, firefox, libsoup-2_4-1, libsoup-3_0-0, libva, libxml2, and … ⌘ Read more
In english: lynx gopher://gopher.rbfh.de/1/Bible
** Bypassing Regex Validations to Achieve RCE: A Wild Bug Story**
✨Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bypassing-regex-validations-to-achieve-rce-a-wild-bug-story-4c523f69b9f8?sourc … ⌘ Read more
$750 Bounty: Sensitive Data Exposure
When Deep Links Go Deeply Wrong: The Zomato Insecure WebView Story
** I Slashed My Spring Boot Startup Time to 1.8**
When people complain about Spring Boot being slow, it’s not entirely wrong — but it’s often misunderstood. Out of the box, Spring Boot is…
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/i-sl … ⌘ Read more
Stored XSS Led to OAuth App Credential Theft and Info Disclosure
Hello folks,
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/stored-xss-led-to-oauth-app-credential-theft-and-info-disclosure-85545fca3948?sou … ⌘ Read more
Bug Hunting for Real: Tools, Tactics, and Truths No One Talks About
Let’s Skip the “Sign Up on HackerOne” Talk
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bug-hunting-for-real-tools-tactics-and-truths-no … ⌘ Read more
Equifax Breach: How a $700M Mistake Happened
When Trust Crumbled: The Human Toll of a Single Unpatched Server
Secure your Python applications: Best practices for developers
Practical security tips every Python developer should know — from dependency safety to protecting against injection attacks and securing…
[Continue reading on InfoSec Write … ⌘ Read more
Kuo: iPhone 17e Still on Apple’s 2026 Roadmap
Apple will launch an iPhone 17e in the first half of next year, according to respected industry analyst Ming-Chi Kuo.
Corroborating a recent report that Apple will switch to a split iPhone launch strategy, Kuo on Monday offered his own interpretation of Apple’s roadmap for the next two years:
- 2H25: iPhone 17 Pr … ⌘ Read more
🧮 USERS:1 FEEDS:2 TWTS:1331 ARCHIVED:86912 CACHE:2874 FOLLOWERS:22 FOLLOWING:14
Happy Birthday Winston. Guess who’s 1 today? ⌘ Read more
morning yarnverse (it’s 1:30pm here i slept in). i’m already bored
The Ultimate Guide to Email Input Field Vulnerability Testing
Real-world methods and payloads for testing email field security
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/the-ultimate-guide-to-email- … ⌘ Read more
$800 Bounty: Account Takeover in Shopify
A Simple Trick to Steal Creator Accounts? $800 Bounty for Account Takeover
“Low on Space in Kali Linux? Here’s How I Fixed It and Freed Up GBs”
“I was in the middle of a pentesting session when Kali refused to cooperate.”
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/lo … ⌘ Read more
This Simple Domain Hack Is Fooling Millions: Don’t Be Next!
Cybercriminals are using lookalike URLs powered by Punycode to mimic trusted sites and steal your data.
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/t … ⌘ Read more
** DevSecOps Phase 1: Planning & Security Requirements Engineering** ⌘ Read more
$3750 Bounty: Account Creation with Invalid Email Addresses
How a Simple Email Validation Flaw Earned a $3,750 Bounty
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/3750-bounty-account-creation-with-invalid-em … ⌘ Read more
How To Set Up Your Ultimate OOB Bug-Hunting Server
Having your own hacking server is one of the most important investments you can make in your bug bounty journey.
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-to-set-up-your-ultimate … ⌘ Read more
🧮 USERS:1 FEEDS:2 TWTS:1330 ARCHIVED:86883 CACHE:2892 FOLLOWERS:22 FOLLOWING:14
How We Fell Out of Love with Next.js and Back in Love with Ruby on Rails & Inertia.js - Hardcover Blog
Comments ⌘ Read more
** How I Found Internal Dashboards Using Google Dorks + OSINT**
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-i-found-internal-dashboards-using-google-dorks-osint-5f2c9515fcd6?source=rss—-7b7 … ⌘ Read more
Using C++ type aliasing to avoid the ODR problem with conditional compilation, part 1
Comments ⌘ Read more
Beyond the Click: Writing Introductions That Keep Readers Glued to the Page
Got the click? Now keep them reading! Discover the powerful introduction writing secrets top Medium writers use to hook read … ⌘ Read more
Exploiting File Inclusion: From Dot-Dot-Slash to RCE using PHP Sessions, Log Poisoning, and…
Advanced File Inclusion Exploits: Sessions, Log Poisoning & Wrapper Chaining.
… ⌘ Read more
**IDOR Attacks Made Simple: How Hackers Access Unauthorized Data **
IDOR Attacks Made Simple: How Hackers Access Unauthorized Data 🔐
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/idor-attacks-made-simple-h … ⌘ Read more
Why You Can’t Stop Online Scams (Fast Flux Secrets Revealed)
Learn How Fast Flux Helps Cybercriminals Avoid Detection and Keep Their Scams Online
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/why-you-cant-stop-onlin … ⌘ Read more
** Payloads in Plain Sight: How Open Redirect + JavaScript Led to Full Account Takeover **
Hey there!😁
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/payloads-in-plai … ⌘ Read more
Active Storage’s Big Mistake: A $4,323 Lesson in Session Security
How to Install and Deploy Applications on Apache Tomcat Complete Guide
Learn how to install Apache Tomcat on CentOS, explore its directory structure, deploy Java web apps, and optimize your production setup…
[Cont … ⌘ Read more
Mastering Apache Web Server on CentOS: Installation, Configuration, and Virtual Hosts
Learn to install, configure, and manage the Apache web server on CentOS, including virtual hosts and bes … ⌘ Read more
🧮 USERS:1 FEEDS:2 TWTS:1329 ARCHIVED:86868 CACHE:2902 FOLLOWERS:22 FOLLOWING:14
Security updates for Friday
Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython). ⌘ Read more
I’ve just released version 1.0 of twtxt.el (the Emacs client), the stable and final version with the current extensions. I’ll let the community maintain it, if there are interested in using it. I will also be open to fix small bugs.
I don’t know if this twt is a goodbye or a see you later. Maybe I will never come back, or maybe I will post a new twt this afternoon. But it’s always important to be grateful. Thanks to @prologic@twtxt.net @movq@www.uninformativ.de @eapl.me@eapl.me @bender@twtxt.net @aelaraji@aelaraji.com @arne@uplegger.eu @david@collantes.us @lyse@lyse.isobeef.org @doesnm@doesnm.p.psf.lt @xuu@txt.sour.is @sorenpeter@darch.dk for everything you have taught me. I’ve learned a lot about #twtxt, HTTP and working in community. It has been a fantastic adventure!
What will become of me? I have created a twtxt fork called Texudus (https://texudus.readthedocs.io/). I want to continue learning on my own without the legacy limitations or technologies that implement twtxt. It’s not a replacement for any technology, it’s just my own little lab. I have also made a fork of my own client and will be focusing on it for a while. I don’t expect anyone to use it, but feedback is always welcome.
Best regards to everyone.
#twtxt #emacs #twtxt-el #texudus
Mastering Git Remote Repositories, Push, Pull, Clone, and Merge Conflicts: The Complete Beginner’s…
Learn everything about Git remote repositories, pushing, pullin … ⌘ Read more
Let’s Encrypt: Why You should (and Shouldn’t) use free SSL certificates
Free, fast, and secure — but is Let’s Encrypt the right SSL solution for your website?
[Continue reading on InfoSec Write-ups »](https://infosecwriteup … ⌘ Read more
A pile of stable kernel updates
The
6.14.5,
6.12.26,
6.6.89,
6.1.136,
5.15.181,
5.10.237, and
5.4.293
stable kernel updates have all been released; each contains another set of
important fixes. ⌘ Read more
Crack Windows Password [Ethical Hacking Article]
This Article describes you to reset your windows password by using manipulation technique.
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/crack-windows-password-ethical-hacking-artic … ⌘ Read more
$1000+ Passive Recon Strategy You’re Not Using (Yet)
Still using subfinder & sublist3r tools for finding assets while recon??
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/1000-passive-recon-strategy-youre-not-using-yet-164f5b1e … ⌘ Read more
The Ultimate Guide to a Successful Career in Cybersecurity
As a newcomer to cybersecurity, you’re going to encounter a lot of difficulties, and at times, you’ll feel overwhelmed and frustrated.
[Continue reading on InfoSec Write-ups »](https … ⌘ Read more
Raspberry Pi Reduces Prices on 4GB and 8GB Compute Module 4
This month, Raspberry Pi announced a price reduction for two of its most widely used Compute Module 4 variants. As of May 1, 2025, the 4GB RAM version is now $5 cheaper, while the 8GB RAM version has been reduced by $10. These discounts apply to standard temperature models purchased through Raspberry Pi Approved Resellers. […] ⌘ Read more
Prompt Injection in ChatGPT and LLMs: What Developers Must Know
Understanding the hidden dangers behind prompt injection can help you build safer AI applications.
[Continue reading on InfoSec Write-ups »](https://infosecwri … ⌘ Read more
🧮 USERS:1 FEEDS:2 TWTS:1328 ARCHIVED:86845 CACHE:2901 FOLLOWERS:22 FOLLOWING:14
CNCF and Synadia Align on Securing the Future of the NATS.io Project
SAN FRANCISCO and San Mateo, CA – May 1, 2025 – The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, and leading edge innovator Synadia today announced that the widely-adopted NATS… ⌘ Read more
Protecting NATS and the integrity of open source: CNCF’s commitment to the community
Updated May 1, 2025: CNCF and Synadia have come to an agreement to ensure that NATS continues to thrive as a healthy open source project within CNCF, with Synadia’s continued support and involvement. Please see our… ⌘ Read more
** From JS File to Jackpot: How I Found API Keys and Secrets Hidden in Production Code**
Hey there!😁
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/from-js-file-to- … ⌘ Read more
Lab: Finding and exploiting an unused API endpoint
Art of exploiting using an unused API endpoint
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/lab-finding-and-exploiting-an-unused-api-endpoint-79fa6744f21e?source=rss—-7b72 … ⌘ Read more
Exposing Money Mule Networks on Telegram
How I Mapped 100+ Scam Websites and Channels Using StealthMole
$500 Bounty: Hijacking HackerOne via window.opener
Zero Payload, Full Impact: $500 Bounty for a Tab Hijack
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/500-bounty-hijacking-hackerone-via-window-opener-e16700108e12?source=rss- … ⌘ Read more
** How I bypassed an IP block… without changing my IP?**
Good protection doesn’t just block — it anticipates. But what if you learn to play by its rules… and win anyway?
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-i-bypass … ⌘ Read more
[$] LWN.net Weekly Edition for May 1, 2025
Inside this week’s LWN.net Weekly Edition:
Front: Mailman 2 vulnerabilities; AI in Debian; __nonstring__; Cache-aware scheduling; Freezing filesystems; Socket-level storage; Debugging information; LWN in 2025.
Briefs: Debian election; Kali Linux key; OpenBSD 7.7; Firefox 138.0; GCC 15.1; Meson 1.8.0; Valgrind 3.25.0; FSF review; OSI retrospective; Mastodon; Quotes; …
[Announcements](https://lwn.net/Arti … ⌘ Read more
🧮 USERS:1 FEEDS:2 TWTS:1327 ARCHIVED:86834 CACHE:2905 FOLLOWERS:22 FOLLOWING:14
E não é que os finórios do Airbnb conseguiram encaixar um artigo no Público como “opinião”?
All wet and needy pt.1 (chinoaii) ⌘ Read more
RVPC Adds BASIC Interpreter to €1 Open Source RISC-V Computer
The RVPC, a fully open source hardware and software retro-style computer project built around the CH32V003 microcontroller, now supports a BASIC interpreter. This update further expands the capabilities of the €1 RISC-V-based system, which already features VGA output and PS/2 keyboard input, despite its extremely limited resources. Originally conceived as a DIY challenge, the RVPC […] ⌘ Read more
[$] The mystery of the Mailman 2 CVEs
Many eyebrows were raised recently when three vulnerabilities were announced
that allegedly impact GNU Mailman 2.1,
since many folks assumed that it was no longer being supported. That’s
not quite the case. Even though version 3 of
the GNU Mailman mailing-list manager has been available
since 2015, and version 2 was declared (mostly) end of life
(EOL) in 2020, there are still plenty of users and projects still
usi … ⌘ Read more
↳
In-reply-to
»
If we must stick to hashes for threading, can we maybe make it mandatory to always include a reference to the original twt URL when writing replies?
⤋ Read More
@movq@www.uninformativ.de If we’re focusing on solving the “missing roots” problems. I would start to think about “client recommendations”. The first recommendation would be:
- Replying to a Twt that has no initial Subject must itself have a Subject of the form (hash; url).
This way it’s a hint to fetching clients that follow B, but not A (in the case of no mentions) that the Subject/Root might (very likely) is in the feed url.
How to Build a Cyber Threat Intelligence Collection Plan
Learn how to build a cyber threat intelligence collection plan to track your intelligence requirements and make them actionable!
[Continue reading on InfoSec Write-ups »](https: … ⌘ Read more
$500 Bug Bounty:Open Redirection via OAuth on Shopify
Exploiting OAuth Errors: A Real-World Open Redirect Bug on Shopify
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/500-bug-bounty-open-redirection-via-oauth-on-shopif … ⌘ Read more
**What Recruiters Look for in a Cybersecurity Resume in 2025 **
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/what-recruiters-look-for-in-a-cybersecurity-resume-in-2025-dcc81fa3154e?source=rss- … ⌘ Read more
** CISA Sounds the Alarm: Broadcom and Commvault Flaws Under Active Exploitation! ️**
Buckle up, cybersecurity enthusiasts! The U.S. Cybersecurity and Infrastructure Security Agency (CISA) j … ⌘ Read more
** Not Just a Ping: How SSRF Opened the Gateway to Internal Secrets **
Hey there!😁
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/not-just-a-ping-how-ssrf-opened-the-gateway-to-internal-secrets-d18eeccd … ⌘ Read more
Apple Music Gets New Co-Heads in Latest Leadership Shuffle
Apple is making another round of leadership changes across two key divisions ahead of its earnings report on Thursday, according to Bloomberg’s Mark Gurman.
The company’s Apple Music division will now be co-managed by … ⌘ Read more