π This week's UL is live!
Featuring:
π Launching 2025
π US soldier data leak
π€ AI agents begin to emerge
π¨π³ Chinaβs global spy network revealed
π Robotaxis now safer than human drivers
newsletter.danielmiessler.com/p/ul-463
TIL: Array.fromAsync([1],alert)
Beautiful use of an irregular comment.
Wow this rocks
If y'all wanna catch the 100th episode, you can find it here:
www.youtube.com/watch?v=ANYt...
Shoutout to Sentinel Studio's Richard and Christian for great quality and consistency on production.
Shoutout to gr3pme and Yujilik for killing it with the HackerNotes and HackerTLDR.
Shoutout to HackerContent for helping us manage our socials.
We released our 100th episode of
@ctbbpodcast.bsky.social yesterday - really proud of the whole CTBB team! We're sad to be losing @teknogeek.io, but very hopeful for future of the pod!
We're going to lean more into the discord community and keep producing HQ technical content in 2025.
Chills
Shift is currently in closed beta. If you'd like to get on the waiting list, sign up here: shiftwaitlist.com
Recorded a demo for y'all to check out, you can find it here.
The longer version is on the website below.
www.loom.com/share/1ed8f9...
Yo, new big thing: Shift.
AI seamlessly integrated into your HTTP proxy.
Use cases:
"Take this JS and build the JSON request body"
"Fill in these IDs from my notes - UserA"
"Create a match and replace rule to turn on this feature flag"
"Generate a wordlist with all HTTP Verbs"
We spend a lot of time talking to the hackers, but today, we're dropping a goodie for the program managers!
Here are our top tips for running a kickass bug bounty program.
See the matrix at the end for high impact to hackers, low effort changes.
blog.criticalthinkingpodcast.io/p/program-ma...
Bash tip: hit ctrl+x then ctrl+e to edit your current command in $EDITOR, write and quit to run it
If you are interested in client-side hacking and browser quirks I strongly recommend going through this writeup by @maitai.bsky.social!
It was also cool to collab w/ him on the second chall π€πΏπ€π»
blig.one/2024/11/29/f...
Wait, how does this work? Do you mean href=//yourdomain? Or is there some way to make that reach out to your domain?
Pro-tip: gron is awesome for diffing JSON π₯°
github.com/tomnomnom/gron
This is the content I came to Blue sky for
Very nice one!
This week we've got a rare episode that is also a bit more beginner friendly!
0xLupin (of Lupin and Holmes) and @rhynorater.bsky.social breakdown some of the hacker mentality that really caused some breakthrough in their hacker growth.
Check it out!
youtu.be/yxc2jVKE-jo
Character length
I talk about this on the pod all the time, but CSRF is dead simple. You just need to know the conditions.
I'm not gonna recite them again here, but today a new condition came up:
No Content-Type header -> no CSRF restrictions
Same-site: None
POST
= CSRF
The research:
3. It provides introspection
The reason why many hackers prefer to do everything manually because they don't trust the tools to do as good of a job as they would. Bebiks was able to solve this issue by providing very clean introspection into what the plugin is doing.
2. AI assisted customization
The difficult thing about implementing your own methodology is it takes time and effort. Bebiks was able to greatly reduce the friction of this by allowing for natural language prompting to integrate custom 403 bypass techniques into the app.
1. Implement your own methodology
This plug-in allows you to take your own 403 bypassing methodology and automate it easily. Elite hackers love this because they can take what makes them special as hackers and automated easily.
Plus it has sensible defaults.
Alright, new platform so I'm going to start sharing some things that I'm excited about to keep the momentum flowing!
Rn, I think the 403 Bypasser Caido plugin from Bebiks is freaking amazing.
This is a tool to automate the bypassing of walled-off endpoints.
This plugin does 3 things right:
Great times with these gents
Take your time, brother! You got this!
