@h3xstream profile picture
Philippe Arteau @h3xstream

Security Researcher, interested in web security, crypto, pentest, static analysis but most of all, samy is my hero.

Joined September 2011
  • Tweets 418
  • Following 215
  • Followers 2,531
36 Photos and videos
Philippe Arteau retweeted
James Kettle
@albinowax
17 Nov 2024
We’re finally live! You can now watch “Listen to the whispers: web timing attacks that actually work” on YouTube: youtube.com/watch?v=zOPjz-sP…

DEF CON 32 - Listen to the Whispers: Web Timing Attacks that Actually...

Websites are riddled with timing oracles eager to divulge their inn...

youtube.com
4
93
314
27,847
Philippe Arteau retweeted
LiveOverflow 🔴
@LiveOverflow
18 Aug 2023
Did you know that the CPU vuln "Zenbleed" 🩸 (CVE-2023-20593) was found through fuzzing? I was able to talk to @taviso and learned about his novel approach 🤯 it is so clever!!
19:43
10
131
690
82,608
Philippe Arteau retweeted
GoSecure
@GoSecure_Inc
21 Jun 2023
🎯 "After some research; [...] we had to conclude that this was unknown to the public and that it could potentially be an unintentional bug in MSSQL." Read our latest blog ⬇ bit.ly/3PoAnJM #cybersecurity #AWS #Amazon #EthicalHacking
1
13
26
8,454
Philippe Arteau retweeted
Tristan Gosselin-Hane@eltdude
22 May 2023
Achieved first blood jackpotting the ATM at @NorthSec_io #nsec2023 CTF this weekend! The most insane and thrilling hack I've pulled off at a CTF so far, it certainly caught the eyes of everyone in the room and the event organizers, describing it "straight out of a movie"!
0:21
10
37
236
23,521
Philippe Arteau retweeted
Nicolas Grégoire@Agarri_FR
23 May 2023
It's now to late to register (the training session started today) but here's a funny video @h3xstream made about my training... youtube.com/watch?v=2WRSPwzz… Fun fact: during my first @NorthSec_io training session years ago, both @h3xstream and @el_d33 were in the room! 😓
4
9
2,069
Philippe Arteau retweeted
Masato Kinugawa@kinugawamasato
24 Feb 2023
Today, I learned that Express returns a Refer*r*er header via `req.get('referer')` code: github.com/expressjs/express…
4
26
181
38,087
Here is my @ConfooCa presentation on developing your first #Chrome extension: h3xstream.github.io/confoo-f…

Developing Your First Chrome Extension

Learn how to build your first Chrome extension

h3xstream.github.io
5
714
Philippe Arteau retweeted
Michael Stepankin@artsploit
16 Feb 2023
Java doesn’t stop to amaze me. CVE-2022-45146 is one of the most bizarre bugs I’ve seen lately. github.com/bcgit/bc-java/wik…

Home

Bouncy Castle Java Distribution (Mirror). Contribute to bcgit/bc-java development by creating an account on GitHub.

github.com
8
40
7,033
Philippe Arteau retweeted
Alvaro Muñoz@pwntester
27 Jan 2023
Had some fun with OGNL sandboxes last year. Read how I bypassed Atlassian Confluence and Struts ones in my latest blog post github.blog/2023-01-27-bypas…

Bypassing OGNL sandboxes for fun and charities

Object Graph Notation Language (OGNL) is a popular, Java-based, expression language used in popular frameworks and applications, such as Apache Struts and Atlassian Confluence. Learn more about...

github.blog
1
90
199
40,259
Philippe Arteau retweeted
PortSwigger Research@PortSwiggerRes
12 Jan 2023
Chrome has removed the path property from events in version 109. We've updated our article about bypassing CSP with AngularJS to reflect this. The workaround is to use the composedPath() function. portswigger.net/research/ang…

AngularJS CSP bypass in 56 characters

Often when you are testing websites you might encounter a length restriction on the input you are testing, that's why it's important to reduce the length of your vector as much as possible and of cour

portswigger.net
21
65
17,305
Philippe Arteau retweeted
PortSwigger Research@PortSwiggerRes
4 Jan 2023
Nominations are now open for the Top 10 web hacking techniques of 2022! You can view the current nomination list and submit your favourite new techniques here: portswigger.net/research/top…

Top 10 web hacking techniques of 2022 - nominations open

Update: Voting is now closed, and the panel vote is in progress.  Nominations are now open for the top 10 new web hacking techniques of 2022! Every year, security researchers share their latest f

portswigger.net
80
187
29,666
Philippe Arteau retweeted
Felix Wilhelm
@_fel1x
30 Dec 2022
Another SAML bug to wrap up the year: bugs.chromium.org/p/project-….

2
45
162
40,941
Philippe Arteau retweeted
sudi@sudhanshur705
29 Dec 2022
I just published Exploring the World of ESI Injection Feedbacks are appreciated , let me know if you liked it or not :) Special thanks to @nytr0gen_ link.medium.com/0WFFFk7n9vb

Exploring the World of ESI Injection

Heyyy Everyoneee,

link.medium.com
23
177
515
99,169
Philippe Arteau retweeted
GoSecure
@GoSecure_Inc
29 Jun 2022
Are you using the browser’s autofill feature to log in? See how it can be used to steal your credentials with an XSS in this blog post by @mo_bergeron: gosecure.net/blog/2022/06/29… #GoSecureTitanLabs #browser #xss #cybersecurity

1
9
11
Philippe Arteau retweeted
mc_0wn@mc_0wn
25 May 2022
Over a month ago Apache Struts submitted fixes for CVE-2021-31805. Not sure everyone noticed, but there were multiple RCEs fixed in this. Here was another: mc0wn.blogspot.com/2022/05/2…

1
58
152
Philippe Arteau retweeted
Synacktiv
@Synacktiv
20 May 2022
If you see two guys wearing Synacktiv t-shirts with big antennas, you should turn around with your @Tesla! 0-click RCE demonstration on a real vehicle, with CAN messages sent to switch on headlights, wipers and trunk 😎 #Pwn2Own
0:30
6
122
418
Philippe Arteau retweeted
James Kettle
@albinowax
9 May 2022
"Abusing HTTP hop-by-hop request headers" by @nj_dav was nominated as a top web hacking technique back in 2019, and has just blossomed into an F5 BIG-IP unauth RCE! nathandavison.com/blog/abusi… portswigger.net/research/top… github.com/horizon3ai/CVE-20…
2
167
534
Philippe Arteau retweeted
Synacktiv
@Synacktiv
14 Mar 2022
Finding #Java gadgets chains has never been so easy with the help of #CodeQL. Checkout our latest article, in which @hugow_vincent demonstrates a new technique to leverage the power of CodeQL to find new gadgets: synacktiv.com/en/publication… QLinspector: github.com/synacktiv/QLinspe…
3
65
160
I wrote an article about small privacy leaks prevalent in web applications. These are not the most critical vulnerability patterns, but it was still a lot of fun to document.
GoSecure
@GoSecure_Inc
17 Mar 2022
Are you aware of these common pitfalls that can compromise #applicationsecurity and leak private user information? Our latest blog illustrates 6 hard to find but important #privacy risks for developers to consider. gosecure.net/blog/2022/03/17… #appsec
4
Philippe Arteau retweeted
Nicolas Grégoire@Agarri_FR
9 Feb 2022
Top 10 web hacking techniques of 2021: 🥇 @alxbrsn 🥈 @albinowax 🥉 @orange_8361 portswigger.net/research/top…

Top 10 web hacking techniques of 2021

Welcome to the Top 10 (new) Web Hacking Techniques of 2021, the latest iteration of our annual community-powered effort to identify the most significant web security research released in the last year

portswigger.net
71
211
Load more