Worty
@_Worty
Organizer of @HeroCTF || ctf w/ @FlatNetworkOrg || TeamFR 2021, 2022 & 2025 🇫🇷 || 🥷 @Synacktiv
As a reminder, pre-orders for ESN’HACK merch are open until 01/08/25; once pre-orders close, it will no longer be possible to buy them ;) Ghidra mouse pads, ESN’HACK patches.. everything is available on HelloAsso👉helloasso.com/associations/e…
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com 1/4
Sometimes, SQL injection is still possible, even when prepared statements are being used. Our researcher @hash_kitten has written up a blog post about a novel technique for SQL Injection in PDO’s prepared statements: slcyber.io/assetnote-secu…
Imagine having the master key to a building: that’s what the APP_KEY is for a Laravel app. With it, an attacker can craft a payload that Livewire doesn’t see as harmful. Join @_remsio_ & @_Worty at #NullconBerlin2025 Know More: nullcon.net/berlin-2025/sp… #Laravel #APP_KEY
ESN’HACK merch pre-orders are open until 01/08/25! Check out our Ghidra-themed XL mouse pads, as well as our ESN'HACK velcro patches👉helloasso.com/associations/e… Thank you for your support, and see you very soon.. 👀
Want to get more out of @CaidoIO for your #BugBounty workflow? There might be a surprise in the video... 🎁 In Part 2 of our #TalkiePwnii Caido series, @pwnwithlove explores advanced features and plugins like QuickSSRF, AuthMatrix, YesWeCaido & more 👇 youtu.be/4NITbv-_C9w
🔐 Data encryption in Laravel environments is based on one secret: the APP_KEY. Our ninja @_remsio_ studied the impact of its leakage on the internet during an entire year. synacktiv.com/en/publication…
The part about the 0day I used on the TrackDb web challenge for the FCSC2025 has just been disclosed in the writeup, you can read it here: worty.fr/post/writeups/… Please note that this vulnerability is not patched (see the end of the writeup for explanations).
Last week, I played FCSC2025 and managed to reach first place in the web category! I've written two writeups this year: one about pwning a Chrome extension, and another about a PostgREST service. worty.fr/post/writeups/… worty.fr/post/writeups/… Enjoy the read!
📱 Want to pwn Android apps from the inside? Let’s talk about Drozer, one of the most powerful tools for Android app security. It allows you to explore and interact with internal app components (like Activities, Services, Broadcast Receivers, and ContentProviders) to uncover…
Today was my last day as a pentester at Bsecure, and it feels a bit surreal. After a three-year journey of hunting on the side, I’m finally ready to go all-in as a full-time bug bounty hunter. To celebrate this milestone, I've written an article sharing the full story. It’s a…
A pre-auth RCE combining 2 critical vulnerabilities on the Production Environment extension of the PHP low-code website generator ScriptCase has been found by @noraj_rawsec and cabir. No upstream fix yet, please apply the workaround. synacktiv.com/advisories/scr…
🚨 Still a few days to register for our Azure Intrusion for Red Teamers training at #BHUSA! Very hands-on, full kill chain from zero to Global Admin with stealth in mind. Secure your seat now! blackhat.com/us-25/training…
This weekend, for the @MidnightFlag final, I created a web challenge called JavaNote, which asked players to modify the ysoserial tool to do something other than execute a command. You can read the write-up here: worty.fr/post/writeups/… Congratulations again to all the players!
📊You can find below the global scoreboard of the competition and some pictures from the event! (📸 credit: Sylvie'cho) We hope that you had a great time and look forward to seeing you for the next edition!🚩
🫶Finally, a big thanks to all our sponsors, without whom this event could not have taken place: @AirbusCyber, @DGA, @Exoscale, DGSE - Direction Générale de la Sécurité Extérieure, @Synacktiv, @fdj_united, @rootme_org and @OSINTindustries❤️
👏Congratulations to all participants and thanks to everyone who traveled from far to attend. Once again thanks to all the challenge makers who made this edition possible ❤️ 🤝Thanks also to @Hexa_Gaming for handling the sound, lighting, and overall atmosphere during the CTF!
We're thrilled to announce the winners of the 5th edition: 🏆 Pro Division 🥇 SleepyHollow 🇫🇷 🥈 BunkyoWesterns 🇯🇵 🥉 MeowCorp 🇫🇷 🎓 Student Division 🥇 Hellsonic fan club 🇰🇷 🥈 CTFREI BLACK 🖤 🇫🇷 🥉 m01nm01n 🇯🇵
➡️ During 8 hours of intense competition, players from all around the world faced off at @EsnaBretagne during the final of the Midnight Flag CTF. From professionals to passionate student teams, everyone gave their best trying to reach the podium.
Happy to be part of the French team this year! 🇫🇷
#ECSC2025 | 🐓 Meet #TeamFrance 2025! 🇫🇷 Selected following the FCSC, the players of @ECSC_TeamFrance will represent the French tricolour in Warsaw, Poland, at the European Cybersecurity Challenge. 🔔 See you in October! PS: #YouAreAllWinners