Published:
PortSwigger “Concealing payloads in URL credentials” talks about concealing XSS payloads in URL credentials. The nice thing is that this makes the payload invisible to WAFs and other server-side XSS filters. You can actually conceal the payloads in other places
Published:
My experience from the Codingame Spring Challenge 2025.
Where we learn that the sky is actually a giant blueberry smoothie 🫐
Published:
Testing ASCII smuggling using Unicode Tags on LLMs/chatbots. Nothing new here. Just a short summary.
Published:
Keycloak UMA's implementation seems tricky to me.
Published:
How to quickly use llama.cpp for LLM inference (no GPU needed).
Published:
How to quickly use vLLM for LLM inference using CPU.
Published:
In a previous post, I described a pass-the-permission-ticket vulnerability in UMA 2.0 in which a malicious UMA resource server could kindly ask a UMA client to give it access tokens actually intended for another UMA resource server. In this post, I am describing a similar attack when the authorization server is malicious.
Published:
In the User-Managed Access (UMA) 2.0 protocol, a malicious resource server (or a malicious server acting as a resource server) can obtain a requesting party (access) token (RPT) intended for another UMA resource server from a UMA client by passing a permission ticket obtained from the target resource server to the UMA client. This can compromise the privacy (confidentiality) and integrity of UMA protected resources.
Published:
Overview of neural network distillation as done in “Distilling the Knowledge in a Neural Network” (Hinton et al, 2014).
Published:
Some more tips for interacting with the namespaces of Podman containers.
Page 1 of 11 | Previous page | Next page | JSON Feed | Atom Feed