| Company | https://beyondbinary.io |
| Github | https://github.com/oj |
| Blog | https://buffered.io |
| Discord | TheColonial#8843 |
| Insta | https://instagram.com/oj.reeves |
| Trashfire | https://twitter.com/thecolonial |
It's 2022. Data breaches are in the news everywhere. "CYBERSECURITY" is a hot topic, especially in Australia after the Optus and Medicare shitstorms. Despite this, we have companies like AGL outsourcing certain jobs to companies that are training people to click on bitly links sent via SMS. AGL have not indicated that they're using this vendor, nor is there any correspondence from AGL directly that they would be doing any kind of work. So out of the blue, messages like this stink of spam.
"We care about your security".
I didn't have my mic plugged in properly during the stream, so it sounded like complete shit.
I am at good at computers.
Special points for ^$ vs \A\z with Ruby.
Ruby handles regular expressions differently from most other engines: by default, ^ and $ match at the beginning and end of each line, not of the whole string (what Perl and many other languages only do when you switch on multi-line mode).
To demonstrate this behaviour, compare the two command lines below:
```
$ perl -e '$a="foo\nbar"; $a =~ /^foo$/ ? print "match" : \
print "no match"'
no match
$ ruby -e 'a="foo\nbar"; if a =~ /^foo$/; puts "match"; \
else puts "no match"; end'
match
```
The string "foo\nbar" does not match the regular expression /^foo$/ in the Perl snippet, but it does match in the Ruby snippet, because ^ and $ anchor to the first line only.
The main problem with this behaviour is that quite a lot of developers are not aware of the subtle difference, which results in improper checks and validations. As an example, the controller below comes close to what can be observed in real-world code (the regex is somewhat simplified here; note that it also leaves the dots unescaped):
```ruby
class PingController < ApplicationController
  def ping
    # Intended as a whole-string IP check, but ^ and $ only anchor to a line.
    if params[:ip] =~ /^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$/
      # The validated value is interpolated straight into a shell command.
      render :text => `ping -c 4 #{params[:ip]}`
    else
      render :text => "Invalid IP"
    end
  end
end
```
The developer's expectation is that the IP address validation above only lets through digits and dots. But because Ruby's regular expression engine anchors ^ and $ to lines by default, the check can be circumvented with a string like "1.2.3.4.\nsomething": the $ in the regex matches right before the \n, and everything after the newline is passed to the shell untouched. The code is therefore command-injectable with a simple request like this:
```
$ curl localhost:3000/ping/ping -H 'Content-Type: application/json' \
--data '{"ip" : "127.0.0.999\n id"}'
```
Instead of ^ and $, \A and \z should be used: they match the beginning and the very end of the string, rather than the beginning or end of a line.
Another common use case affected by this RegEx behaviour is the verification of user-supplied links. For instance, the RegEx /^https?:\/\// is bypassable by supplying a link like:
"javascript:alert('lol')/\nhttp:///" (note the newline)
The ^ matches at the start of the second line, so the whole string passes validation. When this input is rendered into the href attribute of an anchor tag, we've got a straightforward Cross-Site Scripting.