Sam Curry

@zlz.bsky.social

1,827 Followers  |  22 Following  |  5 Posts  |  Joined: 05.05.2023

Posts by Sam Curry (@zlz.bsky.social)

Thank you -- hoping to get a few more blog posts out soon :)

10.06.2025 02:21 — 👍 4    🔁 0    💬 0    📌 0

userland ROP on day 1 💪

05.06.2025 08:48 — 👍 2053    🔁 324    💬 101    📌 63
Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel
On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru's STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United State...

New blog post with @shubs.io:

We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely.

Full post here: samcurry.net/hacking-subaru

23.01.2025 17:44 — 👍 73    🔁 30    💬 5    📌 6

Documentary on Hackers Who Get Paid to Hack Companies. @CyberNews interviewed Bryce (@realytcracker), Ben (@NahamSec), Sam Curry (@zlz), Frederik (@stokfredrik), Neiko (@_specters_), Vanya (@BusesCanFly), Phoenix (LilRed), André (@0xacb).

16.12.2024 15:49 — 👍 4    🔁 2    💬 1    📌 0
Bypassing WAFs with the phantom $Version cookie
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known

Did you know you can use an ancient magic cookie to downgrade parsers and bypass WAFs?! Hope you enjoy this quality bit of RFC-diving from @d4d89704243.bsky.social!
portswigger.net/research/byp...

04.12.2024 15:17 — 👍 73    🔁 27    💬 1    📌 5

My latest blog post is live! nastystereo.com/security/cro...

Read how to send a cross-site POST without including a Content-Type header (without CORS). It even works with navigator.sendBeacon

27.11.2024 09:10 — 👍 79    🔁 29    💬 3    📌 4

This must be the result of the attempts

25.11.2024 18:21 — 👍 5    🔁 1    💬 0    📌 0

I'm slowly making my way there... will see where it starts giving me a bad request error as I approach 253 😄

25.11.2024 07:49 — 👍 3    🔁 0    💬 0    📌 0

Yup, all parts <63. Wondering if Bluesky explicitly prevented huge usernames as a quality of life thing? 👀

25.11.2024 07:38 — 👍 1    🔁 0    💬 1    📌 0

Does anyone know the max size limit for Bluesky usernames? The DNS and everything resolves correctly for this (253 characters), but it seems to throw 400 bad request when I actually try to assign it.

25.11.2024 06:48 — 👍 27    🔁 1    💬 3    📌 0