domenukMar 4
Hacker Memes
#directoryTraversalMemes
Mar 4 at 7:02pmWeb
Show threadJšŸŒµMar 4
@i0null This speaks to me. I need a career change.
Show threaddatenwolfMar 4

@i0null

Can someone please explain to me, why directory traversal still is an attack vector in this day and age?

It was among the first things in medias res infosec, some ā€“ oh my ā€“ 30 years ago.

We've developed so many tools and defenses against this BS that it really, really shouldn't be a problem anymore.

Show threadMichael TomasekMar 4

@datenwolf @i0null

- Having people following guides online from strangers without security first.
- Asking ChatGPT without prompting correctly for proper perms.
- Hobbyists figuring it out as they go.

Show threadpflegende4d ago

@datenwolf @i0null

lomg story short:

The Government-Director, reading payrol of IT-dep. Calling HR: What the hell!, DevOp salary near me? Fire him!

(Disclaimer:
thats only true in Government not in Industry et al)

Not surprising where open WAF to find.

šŸ˜‡

Show threadGustavoMar 4

@i0null last time I reported a path traversal two things happened:

  • they added a check for ../. They should have used realpath, but I could not find another way to get the vuln to work, even URL encoding, so that's fine for me.
  • they said they would interview me for a job offer, I'm still waiting this interview years later
    • Show threadPxl PhileMar 5

    @qgustavor @i0null regarding the 2. point:

    The company in question has probably more problems than you would like to work with so that's a bullet dodged.

    Show threadGustavoMar 5
    @ppxl @i0null I guess I dodged a bullet exiting from the last company I was in... 
    Show threadTilaiMar 4
    @i0null I do not understand a thing - But damn, its hot! šŸ˜
    Show threadpflegende4d ago

    @Tilai @i0null

    A WAF that only blocks `../` but doesn't decode URL encoding first is like a bouncer who won't let in anyone named "Knife" ā€” but waves `%4B%6E%69%66%65` right through. šŸø

    šŸ˜‰

    very shorted