Antoine Roly

@aroly.bsky.social

Hacker, Bug Bounty Hunter, Pentester,... From Namur, BE.

234 Followers  |  840 Following  |  102 Posts  |  Joined: 23.11.2023  |  1.6595

Latest posts by aroly.bsky.social on Bluesky

ICE and CBP Agents Are Scanning Peoples’ Faces on the Street To Verify Citizenship
Videos on social media show officers from ICE and CBP using facial recognition technology on people in the field. One expert described the practice as “pure dystopian creep.”

“We should have banned government use of face recognition when we had the chance because it is dangerous, invasive, and an inherent threat to civil liberties,” EFF’s @MGuariglia.bsky.social told @404Media.co. www.404media.co/ice-and-cbp...

29.10.2025 20:03 — 👍 307    🔁 124    💬 7    📌 8

"Are we really discussing the books Nicolas Sarkozy is going to read in prison? When he has been convicted of 'criminal conspiracy'."

@fabricearfi.bsky.social, investigative journalist

The rest:
⏰ 22:50 on france·tv
➡️https://bit.ly/SarkozyEnPrisonHonneurDeshonneur
🎧 as a podcast

21.10.2025 18:52 — 👍 2478    🔁 1170    💬 82    📌 110

🤣🤣🤣

21.10.2025 13:49 — 👍 0    🔁 0    💬 0    📌 0

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

07.10.2025 14:55 — 👍 25    🔁 6    💬 0    📌 0

I'm sending out a message in a bottle...

The @restosducoeur 💞 are looking for a lot of laptops and tiny PCs (Linux friendly 🐧). If your company has idle stock or the like, it would help us a lot!

Reposts appreciated :)🫶🏻

06.10.2025 07:57 — 👍 160    🔁 376    💬 16    📌 3
Penetration Testing
Request a penetration test for your AWS cloud infrastructure here.

In case you missed it, AWS updated its policy about pentesting, and "Amazon API Gateway" (used by the extension "IP Rotate") isn't allowed anymore

aws.amazon.com/fr/security/...

01.10.2025 09:21 — 👍 2    🔁 2    💬 1    📌 0

Nice one ! #lichess #chess @lichess.org

26.09.2025 16:03 — 👍 1    🔁 0    💬 0    📌 0

🚨NEW: "The Late Show with Stephen Colbert" just dropped its first response to ABC, FCC chair, and Disney firing Jimmy Kimmel.

Trump ain't sleeping tonight. 🤣

This is a must-watch. 🔥

19.09.2025 03:02 — 👍 5814    🔁 2775    💬 154    📌 338
Cookie Chaos: How to bypass __Host and __Secure cookie prefixes
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

03.09.2025 14:54 — 👍 13    🔁 14    💬 1    📌 0
ALT: a man in a cowboy hat says you can do it in front of a crowd of people
21.08.2025 12:40 — 👍 1    🔁 0    💬 0    📌 0

1st time I start Burp to do bug bounty since the beginning of June. Let's see if I still enjoy it or if I need more time to get back at it...

18.08.2025 16:41 — 👍 3    🔁 0    💬 0    📌 0

It's probably a cool research topic then 🙂

08.08.2025 17:59 — 👍 0    🔁 0    💬 1    📌 0

Some good collaborations on the way? 🙂

08.08.2025 08:34 — 👍 1    🔁 0    💬 1    📌 0

How to make $$$ from request smuggling

Step 1) Pick the right target:

11.07.2025 12:15 — 👍 29    🔁 2    💬 2    📌 0
EuroBasket: the Belgian Cats shine against Germany and cruise into the semi-finals (83-59)
The Belgian national women's basketball team continued its excellent start to the tournament this Wednesday. A win that lets them join Italy in the semi-finals.

EuroBasket: the Belgian Cats shine against Germany and cruise into the semi-finals (83-59)
www.lesoir.be/684043/artic... #belgiancats

25.06.2025 19:55 — 👍 1    🔁 0    💬 0    📌 0

"What we are living through today are the trajectories we had imagined 20 years ago. The community of climate scientists is not at all surprised by the heat wave that is coming. It is frightened." @cassouman40.bsky.social this morning on @franceinfo.fr #VagueDeChaleur #DontLookUp

20.06.2025 10:34 — 👍 509    🔁 359    💬 8    📌 40

This is so cool! Congrats!

19.06.2025 11:03 — 👍 2    🔁 0    💬 0    📌 0

Looking forward to reading the write-up 😉

18.06.2025 17:11 — 👍 1    🔁 0    💬 0    📌 0

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

10.06.2025 14:20 — 👍 43    🔁 11    💬 0    📌 1

Oh for fuck's sake 🤦

Well, at least we know who they're working for...

31.05.2025 06:39 — 👍 3    🔁 0    💬 0    📌 0

Bye bye full time bug bounty hunting. It's been a hell of a ride, but it's time to move on...

30.05.2025 16:33 — 👍 3    🔁 0    💬 1    📌 0
ALT: a close up of a statue of yoda with the words "thank you wise one" written below him.
30.05.2025 14:55 — 👍 0    🔁 0    💬 0    📌 0

And that would explain why the desync is so rare? Or why it happens only in one way?

I'm not sure I get your point here, sorry.

30.05.2025 12:09 — 👍 0    🔁 0    💬 1    📌 0
AppSec Ezine

AppSec Ezine - 589th edition #AppSec #Security

pathonproject.com/zb/?33afd768...

30.05.2025 09:43 — 👍 5    🔁 5    💬 0    📌 0

And the requests I need to send to trigger the desync are reaaaaaaaaally weird, I'm really wondering what happens in the backend :)

30.05.2025 09:57 — 👍 1    🔁 0    💬 0    📌 0

The single packet attack does not seem to work.

With Turbo Intruder and ffuf running (from another IP) I sometimes see one poisoned response received by ffuf, but it never happens the other way around.

30.05.2025 09:48 — 👍 0    🔁 0    💬 2    📌 0

Weird, I'm able to poison the queue and send other people responses to my requests (although it requires a lot of requests to be sent. It does not happen often at all).

But so far I can't get other people's responses.

30.05.2025 09:28 — 👍 0    🔁 0    💬 2    📌 0

Impressive, congrats ! :)

28.05.2025 20:39 — 👍 1    🔁 0    💬 0    📌 0

Active Scan++ just got sharper - we’ve added new checks for OS command injection, powered by our latest ASCII Control Characters research. Install via Extensions -> BApp Store

28.05.2025 14:56 — 👍 10    🔁 6    💬 1    📌 0

Thanks for the tip !

I'm slowly making progress. For now I can redirect users to arbitrary URLs by poisoning the queue like you showed in your paper.

Stealing other people's responses would be much cooler though :)

28.05.2025 12:47 — 👍 2    🔁 0    💬 1    📌 0

@aroly is following 20 prominent accounts