djnn

@djnn1337@infosec.exchange

https://evil.djnn.sh

malware, osint, and other stuff

@malwaretech what if you ask it about another malware that has similarly been stopped by a domain-name killswitch ? Would it also give you credit ?

it seems to me like it associates you not by your name directly, but because there is "Malware" in your name

Had a very surprising ChatGPT experience: asked it to generate a quick summary of the WannaCry ransomware, and instead of referencing the person who stopped it by name, it simply put "(you)". When I asked it how it was able to identify that it was me, it cited its own message as something I'd said.

After pointing out I didn't say that, it did, ChatGPT replied that it was able to infer it by my account username and what it'd learned from my skillset across various chats. Not 100% sure if that's how it actually did it. Either way, pretty cool, but also a little bit scary.

It's pretty widely known that many tech companies, especially advertising ones build comprehensive profiles on their users, but it's rare that you get to talk to said profile and figure out what it knows about you.

also, this is kinda old but might be more useful to you lol

https://evil.djnn.sh/yellow/file/README.md.html

released some stuff. there aren't too many uses for these projects but who knows. maybe you'll find it useful at some point lol

https://github.com/djnnvx/etc/tree/main/pentest/recon

google dorks are always fun
Intro to Browser Security Research

How to Find Vulnerabilities in Web Browsers (An Introduction to Web Browser Security Research) Ivan Fratrić, Google Project Zero 2025

We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show, for example, the (identical) Cyrillic version of a letter next to the Latin version in a diff and it is, yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.

Changing just a single letter like that in a URL hostname opens up for a world of grief.

we're locking in again
@bagder rare case where having limited fonts may actually help someone with readability
@bagder I feel like there needs to be tools that make safer handling of Unicode easier. Anyone know of the full list of Unicode ranges? I know there are some sites that give partial ones. But I'd like the information needed to detect "this sentence contains Unicode characters consistent with language X" vs "this sentence contains Unicode characters for 45 different languages"
Index of /Public

@fossunleashed @bagder These documents are also relevant in this case:

UTR#36: https://www.unicode.org/reports/tr36/
UTR#39: https://www.unicode.org/reports/tr39/

@nafmo @fossunleashed @bagder

Some Regex engines also provide this.
So one could e.g. check for
/\p{Arabic}/ && /\p{Armenian}/ && /\p{Cyrillic}/ && … and give a warning if too many of these match.

@fossunleashed The Unicode standard specifies algorithms for safely and correctly handling Unicode source code, but they are not widely implemented. See UTS #55 ‘Unicode Source Code Handling’.

@bagder

@bagder was this malicious?
@wolf480pl no, this commit is done by me on purpose in order to test the CI and allow me to do this screenshot!
@bagder @wolf480pl I like that it was hidden behind a force push on a PR touching the same file :P

github.com/curl/curl/pull/17321
github.com/curl/curl/commit/e43770dd62ec5c0cc0ab949df382e9ac6ac4fd95
@bagder what the heck, how is this yet another instance of forgejo doing GitHub's job better than them :V (it shows confusable characters as a warning by default)

that's a frustrating concern to have to have though; unfortunate people are sending changes like these

@leftpaddotpy @bagder although, in Forgejo's case, I wish the heuristics were a little smarter than "is a potential homoglyph used in any context?"

I have a script that gets the "easily confused characters" warning because it uses "M×N" in a comment, and I will die before I change it to an asterisk or - even worse - an "x."

@bagder Out of curiosity, why is it a cronjob instead of just on the pull_request event?
@worr sorry, just me not bringing my brain. It is a CI job. Edited now.

@bagder That's very interesting, as Forgejo displays a big warning on top if something like this is being detected, a button to escape them and is marking the line with a warning:

"This file contains Unicode characters that can be confused with other characters."

Really confused that this is missing in GitHub.

@bagder GitHub recently added warning for Hidden Unicode characters.

Maybe they will get to homograph attacks next.

https://github.blog/changelog/2025-05-01-github-now-provides-a-warning-about-hidden-unicode-text/

@bagder Do you have a link to the CI job source? I'm curious how this works
spacecheck.pl: check for non-ASCII chars, fix fallouts by vszakats · Pull Request #17247 · curl/curl

Reported-by: James Fuller Assisted-by: Dan Fandrich

@bagder isn't this literally an attack vector if it was a malicious pr?
@efi yes indeed
@bagder wait, did I misunderstand and it is your job to find these issues?
@efi it is my job to not let malicious content into repositories I maintain, yes
@bagder best of luck getting this solved 🐾🍀
@bagder Python went through a few traumas with Unicode normalisation - https://peps.python.org/pep-0672/.
@bagder They could still make it better - showing non-ASCII (UTF8) characters in URLs with different background for easy identification.

@dusoft @bagder Also remember to make it possible for color blind people to also easily and quickly detect that a malicious character is being used.

Non-ASCII chars should be disallowed in all web browsers by default and then users who are willing to accept the risk can enable one or more character-sets in their settings. That should be the case for all software not just web browsers so that copy and pasting text in eg. a text editor can stop this kind of attack and clearly show the attempt.

@harmone And what about the vast majority of people that don’t write in a Latin script?

General solutions to specific problems tend to have side-effects, to put it mildly.

@slotos They would benefit too because they too would have a lot less risk to get tricked in visiting malicious links etc. A little convenience is worth sacrificing, like this, for a lot of security IMHO. I too would lack some characters in my local language but would gladly have to enable them explicitly before being able to accept the risk of using them.
@bagder would you mind sharing cron code? GitHub link or something!
@amustaque97 the check was merged into another script for generic checks, here: https://github.com/curl/curl/blob/master/.github/scripts/spacecheck.pl

@bagder That means that somebody actually sat down and browsed all the fonts to find the 2 characters which look exactly alike?

Just imagine these people would spend their time doing something productive for a change...

@Brokar there are actually lots of tools that do exactly that. Here's one: https://util.unicode.org/UnicodeJsps/confusables.jsp

@Brokar you don't need to browse all fonts when you have Cyrillic layout. They're literally on the same key, so you can even swap them by accident!

@bagder

That means that somebody actually sat down and browsed all the fonts to find the 2 characters which look exactly alike?
Рrеttу surе thеrе аrе tооls fоr thаt, аlsо it usuаllу is еnоugh just tо knоw thе оthеr sсriрt, nо nееd tо sсоur fоnts ;)

CC: @bagder@mastodon.social

@Brokar @bagder

Unicode themselves handles this problem: https://www.unicode.org/reports/tr39/#Confusable_Detection

Confusables become readily apparent for readers of the non-English script when they learn English. Not much work involved finding them.

@Brokar @bagder well, it's not only about fonts itself, but different unicode entries being equivalent as well.

Rendering Latin H just the same as Greek H - yet, another question/problem in hand.

@bagder
You're right, I can't spot the character by eye. Which character is it?
@sloanlance the alt text says it: it is the 'g' in github that is changed into an Armenian g
@bagder Is that CI job public? Sounds like a lot of projects could benefit from that.
curl/.github/scripts/spacecheck.pl at master · curl/curl


@bagder

Tried something like: https://gist.github.com/gbraad/551eabc8a79de04a1370e6ce1333284f for golang projects.

Seems our vendor folder with lots of k8s libs uses non-ASCII characters.

Linters | golangci-lint

@bagder Can you share this job? I'm really interested in how it's built.
@kaiserkiwi the job is not cleanly only doing this but is done as part of a bunch of other scanning duties by this script: https://github.com/curl/curl/blob/master/.github/scripts/spacecheck.pl
@bagder forgejo / gitea showing it like this:
@bagder Hmm, now i am curious... might it make sense to pair this with a treesitter to specifically not scan comments?
@bagder a few years ago when Confusable Homoglyphs were last a popular talking point I ported a Python package to PHP so I could do similar filtering https://github.com/photogabble/php-confusable-homoglyphs
@carbontwelve @bagder I think at least in the case of host names there's something to be said for having a process to translate them back into Punycode so the homoglyph issue is more easily seen, e.g.
raw.githubusercontent.com
raw.xn--ithubusercontent-wxg.com
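
Added example, not part of the thread and not curl's spacecheck.pl: a small Python check that combines two ideas raised above, flagging non-ASCII characters in URL hostnames on added diff lines and printing the Punycode form so the substitution is visible. The script guess (first word of the Unicode character name) is a heuristic assumed here, not the UTS #39 confusables data, and the sample diff is constructed.

```python
import re
import unicodedata

# Hostname part of an http(s) URL, up to the first path/port/query delimiter.
URL_RE = re.compile(r"https?://([^\s/:?#\"'<>]+)")

def script_of(ch):
    """Rough script guess from the character name (heuristic, not UTS #39)."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNNAMED"

def to_punycode(host):
    """Encode each non-ASCII label as xn--<punycode>; ASCII labels pass through."""
    out = []
    for label in host.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def check_line(line):
    """Return one finding per URL whose hostname contains non-ASCII characters."""
    findings = []
    for m in URL_RE.finditer(line):
        host = m.group(1)
        odd = [(i, f"U+{ord(c):04X}", script_of(c))
               for i, c in enumerate(host) if not c.isascii()]
        if odd:
            findings.append({"host": host, "punycode": to_punycode(host), "chars": odd})
    return findings

def scan_diff(diff_text):
    """Check only added lines ('+' but not the '+++' file header) of a unified diff."""
    results = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            results.extend((n, f) for f in check_line(line))
    return results

# Constructed sample: the added line swaps Latin 'i' for U+0456 in the hostname.
SAMPLE_DIFF = (
    "--- a/fetch.sh\n+++ b/fetch.sh\n@@ -1 +1 @@\n"
    "-curl -O https://raw.githubusercontent.com/example/repo/main/x\n"
    "+curl -O https://raw.g\u0456thubusercontent.com/example/repo/main/x\n"
)

if __name__ == "__main__":
    for n, f in scan_diff(SAMPLE_DIFF):
        print(f"line {n}: {f['punycode']} {f['chars']}")
```

A CI step can fail the build whenever `scan_diff` returns a non-empty list for the PR's diff.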
@bagder Gitea/Forgejo displays invalid Unicode characters by default
https://github.com/jirutka/setup-alpine/pull/13
Update README.adoc by LinuxUserGD · Pull Request #13 · jirutka/setup-alpine

Fixes invalid unicode characters reported by Gitea/Forgejo (see go-gitea/gitea#23682)
@bagder Had your post bookmarked and now pulled it out again since your blog post was featured in a popular German tech magazine. Thanks for the good work.