Facebook campus is a special group that needs an .edu styled email to gain access.It is possible to list members of a campus because the child groups list members. Timeline Jul 14, 2021 – Report sentJul 23, 2021 – Fixed by Facebook

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

You can find this blog post on Assetnote's blog.

1) Intro & Motivations

At the start of of this year, I set myself a personal goal of finding 365 bugs in 365 days.

This was entirely motivated by wanting to challenge myself to find more security issues as I felt I'd been slacking off.

I thought back to…

When gaining shell access to a machine on a network, a promising attack vector is to check the internal network for web applications and services that may be accessible from the machine that has been compromised.

Often, internal web applications are found…

As of late, a fair few companies and startups have been using dedicated URL shortner services to use for tracking and social media purposes. An example link from such URL shortners look like this invent.ge/1j1QxGo or invent.ge/DNATool. Note that both custom…

As of late, I have been pentesting more and more applications that use some sort of mechanism to prevent unauthorized access to directories based on client IP addresses. In many cases, this has proven to be a weak method of protection if implemented incorrectly.…

Security for young people is something I care about. We need to make an investment whether it be time, money or support or university outreach, to get younger people (preferrably students) to see security as a viable, exciting and worthwhile career. The real…

Exploiting Markdown Syntax

Markdown is wonderful. In fact, this blog post itself is written in Markdown. I don't need to use lengthy uneccessary HTML for simple things like links, tables, code blocks and lists. Nor do I need to go out of my way to do simple…

The reward for each time a submitted module is found in customers’ assets will be doubled for critical, high, and medium severity modules.

It's time for another round Citrix Patch Diffing! Earlier this month Citrix released a security bulletin which mentioned "unauthenticated buffer-related vulnerabilities" and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway.

Over the last year or so, we've seen the mass exploitation of managed file transfer software. From GoAnywhere MFT, MOVEIt, and our own work on Citrix Sharefile. The threats towards enterprises through managed file transfer software has really hit home after…

When it comes to software engineering, you may often hear the phrase “Trust the process,” but when it comes to security, it’s more…

Have you heard of what a subdomain takeover is? Do you know the impact it has? Well, if you haven’t, I will shortly summarize it for you.

There are tons of cloud providers that offer different types of servers with a lot of different options. I will talk about the ones I…

This is a post about how I found a simple yet really critical vulnerability in a bug bounty program. It was the most critical bug I have…

There are lots of guides on how to start into Bug Bounty Hunting but I will share my personal experience of getting into bug bounty…