My package from UPS has successfully been out for delivery since Thursday.
Why. Why are you like this.

| Computer Network Operations | Exploit dev | Malware Reversing | I do other stuff too: reading, *nix stuff, traveling the globe, cooking | Be kind to everyone. |
Languages: English, Russian
| Blog | https://vx128.ru/blog |
| Onion site | http://vz35c7werosf4orb.onion |
| Keybase | https://keybase.io/synfinner |
| Location | Washington, D.C. |

Being paid to break into stuff isn't always as glorious as people make it out to be.
I've been up entirely too long, coffee mugs are littering my desk, and I'm tired.
nmap even yelled at me.
Remember, it isn't always about how fast you break into a system.
Sometimes patience is truly key 🙏

Additionally, their vendor risk acceptance must be almost 0.
Some of these third-party connections their systems make are simply horrific.
At no point are they enforcing HSTS, and one of their API keys for object storage is sitting right there in the source.
Their chat system is misconfigured and gives up its internal IP and the fact that backend comms are done in plaintext.
Outdated JS libraries everywhere, not a single cookie is set with HttpOnly or Secure, no X-Frame-Options or Content-Security-Policy headers, and URLs of staging servers are disclosed.
So, I got bored and decided to open Burp Suite while going to my bank's site.
I didn't do anything active. Everything found was simply passive.
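The checks the thread above describes (missing HSTS, cookies without HttpOnly/Secure, no X-Frame-Options or Content-Security-Policy, a private backend IP and a plaintext http:// endpoint leaking in the page source) can all be made from a single response without sending anything active. The script below is an added example, not the author's code and not anything captured from a real site: it parses a raw HTTP response and reports those findings. Both sample responses are constructed inline; the host names, IP and cookie names in them are made up.

```python
"""Passive audit of one HTTP response: security headers, cookie flags,
and sensitive disclosures in the body.  Added example; the two sample
responses below are constructed, not captured from any real site."""
import ipaddress
import re

# Constructed weak response: no HSTS/CSP/X-Frame-Options, cookies missing flags,
# and page source that leaks an RFC1918 address plus a plaintext backend URL.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html><script>var chatHost = 'http://10.0.4.17:8080/ws';</script></html>"
)

# Constructed hardened response: the same page with the headers and flags set.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><script>var chatHost = 'https://chat.example.com/ws';</script></html>"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PLAINTEXT_URL_RE = re.compile(r"http://[^\s'\"<>]+")


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status line, [(name, value)], body).
    Header names are lower-cased; duplicates (e.g. several Set-Cookie) are kept."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def header_values(headers, name):
    """All values for a header name (case-insensitive), in order."""
    return [v for n, v in headers if n == name.lower()]


def cookie_findings(set_cookie: str):
    """Report a Set-Cookie value that lacks the HttpOnly or Secure attribute."""
    cookie_name = set_cookie.split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {cookie_name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"cookie {cookie_name}: missing Secure")
    return findings


def body_findings(body: str):
    """Disclosures visible in the page source: RFC1918 addresses and http:// URLs."""
    findings = []
    for candidate in sorted(set(IPV4_RE.findall(body))):
        try:
            if ipaddress.ip_address(candidate).is_private:
                findings.append(f"body discloses private IP {candidate}")
        except ValueError:  # e.g. 999.1.1.1 is not an address
            continue
    for url in sorted(set(PLAINTEXT_URL_RE.findall(body))):
        findings.append(f"body references plaintext endpoint {url}")
    return findings


def audit(raw: str):
    """Run every passive check over one raw response and return the findings."""
    _, headers, body = parse_response(raw)
    findings = []
    if not header_values(headers, "strict-transport-security"):
        findings.append("missing Strict-Transport-Security (HSTS)")
    csp = header_values(headers, "content-security-policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    # Either header stops framing; only flag when neither is present.
    if not header_values(headers, "x-frame-options") and not any("frame-ancestors" in v for v in csp):
        findings.append("no X-Frame-Options and no CSP frame-ancestors (clickjacking)")
    for cookie in header_values(headers, "set-cookie"):
        findings.extend(cookie_findings(cookie))
    findings.extend(body_findings(body))
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit(resp) or ["no findings"]:
            print(" -", finding)
```

Feed it a response saved from a proxy history (the raw bytes, decoded) instead of the constructed samples; the checks only read what the server already sent, so nothing here is an active test.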