It does not matter.

Joined December 2016
Homelander retweeted
May 21
We’ve now seen at least four nginx RCEs that require non-default configs: nginx rift, nginx poolslip, and two of our own (including the one in the last tweet). The configs involved are unusual, which raises the obvious question: do these attacks actually work in real-world deployments? We asked Claude to download and analyze more than 4,000 nginx config files from GitHub. The result was embarrassing: none of them were vulnerable to nginx rift or our own attacks. We can’t say anything about nginx poolslip yet, since it hasn’t been published. So don't worry about your nginx yet. Moral of the story: AI can generate FUD, but also help fight FUD. Embrace it!
Homelander retweeted
Opus 4.6 (1M) through Claude Code solved autonomously 45/54 challenges of BSidesSF 2026 @BSidesSFCTF, placing temporarily into the 21st place, 25th as of now. This was done with 0 involvement, I didn't give any guidance or manually review any challenges. I used BoxPwnr 🤖 with the CTFd platform to launch challenges in multiple instances, that's it. I will publish all the traces once the competition finishes, in the meantime you can see the challenges, number of turns and time it took to solve each here: 0ca.github.io/BoxPwnr-Traces… In the following days I will try to understand why it couldn't solve the 9 remaining challenges: difficulty? long exploration-context rotting? interactive interaction required? challs using video/image? We will see. Models have improved significantly in the last 6 months, see Cybench results Opus 4.1 vs 4.6 (42% to 93%) cybench.github.io/ It's crazy to see what LLMs can do with a minimum harness.
Interesting...
Mar 12
🚨 JUST IN: The FBI is investigating Steam. Steam is warning users about MALWARE found in multiple games. The games affected have been up on Steam Platform for over a year.
Community note
The FBI is investigating malware embedded in specific games available on Steam, not Steam itself. forms.fbi.gov/victims/Steam_…
Thanks, @GeminiApp for the help.
Homelander retweeted
Cool
This is fun. Left the autonomous chess match (v0-chess-match.vercel.app/) running overnight between @xai Grok 4 and @openai GPT 5.2. Grok's 𝚐𝚛𝚘𝚔-𝟺-𝚏𝚊𝚜𝚝-𝚛𝚎𝚊𝚜𝚘𝚗𝚒𝚗𝚐 won 19 of the last 20 matches 😅 What models should battle next?
Homelander retweeted
💯
Homelander retweeted
24 Dec 2025
Happy holidays, please take this time to get off the internet and spend time with your families Mental health is very important 🎄
Homelander retweeted
In a recent lawsuit settlement, Google agrees to delete the incognito browsing data they keep about you.
Watching the Mariners on #MLBnaESPN reminds me of King Felix Hernandez.
Homelander retweeted
11 Oct 2025
This seems to be a common misconception, so CTF players: Zellic hires REGARDLESS of web3 experience. The main criterion is researcher skill/talent. We've hired smart pwn / VR folks with ZERO blockchain background. Don't think, "I'll wait to get better then apply"... JUST apply.
Homelander retweeted
"the human brain doesn't need tons of training data to do stuff"
Never underestimate the Burp Scanner. It just made my day.
Homelander retweeted
We published a write-up about Python URL Parsing Confusion, by @NeptunianHacks. It's the solution to the challenge "msfrognymize2" on @cor_ctf fireshellsecurity.team/corct…
Homelander retweeted
We published a write-up by @diofeher, for the @wiz_io Big IAM Challenge, with 6 levels of Cloud Security tasks with IAM. 🌩️ fireshellsecurity.team/wiz-b…
I found a really cool SSTI during a pentest of a desktop application. Obviously I can't share the details, but it was awesome.
Finally someone found my LinkedIn profile and thought "well, this madman must know something"... Long story short, I got an offer
Homelander retweeted
1 Sep 2025
Teaming with @gh0stbyt3, we built DiffRays for headless IDA (@HexRaysSA) decompilation. It stores decompiled code in a SQLite DB and provides a Web UI for diffing between the stored functions. Built for vuln research. github.com/pwnfuzz/diffrays #pwnfuzz
Homelander retweeted
22 Aug 2025
Meanwhile, me who got hired in security with basically just a CTF background and who haven't learned about any of the mentioned things 😂
20 Aug 2025
Stop wasting time on CTF challenges. Learn Docker security, EDR evasion, network segmentation, SAML/OAuth flows, WAF configuration, and how to debug production incidents. You'll be 10x more hireable than someone who rooted 500 vulnerable VMs.
Cool!
Homelander retweeted
As promised, the blog post is here! I find that a lot of the time people ask “how can researchers find complex bugs”. This is my small contribution to show how the journey looked for me. I presented this content at HITCON last week! bughunters.google.com/blog/5…