Alyssa Herrera
I'm a webapp security consultant, and bug bounty hunter on . I'm a , crowdsource, and Ambassador. Furry hacker
1,327 Tweets, 861 Following, 6,144 Followers
Tweets
Alyssa Herrera retweeted
Roxana Nasoi Jun 5
Replying to @binodnirvan
From : Line 213 "issue" enables contract owner to mint/issue/print quadrillion amount of STORM tokens out of thin air. Line 233 "destroy" allows contract owner to delete/burn/delete anyone's coin, including but not limited to the ones on the exchange and wallets
Alyssa Herrera retweeted
Jon Bottarini 12h
I use 's match/replace rules to find hidden features and elevate my client-side user permissions - my latest blog post covers some common examples and other you can use in your own testing:
Alyssa Herrera retweeted
BugBountyHQ Jun 16
Am gonna sound like a dick here :( The amount of DMs I get, "Hey help me hack" etc is annoying. Why ? There is this awesome thing called Google. If u can't Google XSS, XXE, SSRF, RCE, Heap Corruption etc u should probably consider another career. SO MANY MANY ONLINE resources.
Alyssa Herrera retweeted
raptor Jun 16
Replying to @0xdea
For those interested in my (Debian-specific) exploit, you can find it here:
Alyssa Herrera Jun 15
Replying to @SecEvangelism
I usually omit those questions or just say I don't want to answer them. If you're wanting to know about my work or whatever, sure, but asking bs filler questions that you wouldn't ask guys is just stupid. Half the time I don't even know how you would answer them since it's bleh.
Alyssa Herrera retweeted
Chris Kubecka🇵🇷🇨🇿🇺🇲🇬🇧🇳🇱 Hacking Space Jun 15
Replying to @Alyssa_Herrera_
It's that age-old thing: they don't ask dudes how they balance work & a family. If you're a journalist & all you have to ask is BS gender questions, you're not a good journalist. I'm calling this crud out with the goal of embarrassing sexism. Frustration over, action required.
Alyssa Herrera Jun 15
Replying to @SecEvangelism
It sort of reminds me of being asked by various journalists the same questions about being a female in tech/infosec. It gets tiring, and you can only be asked the same question so many times before it drags on you.
Alyssa Herrera retweeted
intigriti Jun 14
MUST-READ: learn how and his team earned a whopping €20K with one IDOR trick at an live hacking event!
Alyssa Herrera retweeted
Alvaro Muñoz Jun 13
Exploiting ViewState Deserialization using Blacklist3r and - by
Alyssa Herrera retweeted
DEFCON Furs Jun 12
Announcing The DEFCON Furs 2019 Diversity Scholarship - For students on a budget! Scholarships include: Badges for 2019, 2019, 2019, and 2019! Full Details: Applications will close on June 30th, 2019.
Alyssa Herrera Jun 12
Replying to @ghostnil
I use Windows mainly, with a *nix VPS and a *nix virtual machine as well.
Alyssa Herrera retweeted
RIPS Technologies Jun 11
Attackers can take over boards with a malicious private message. Learn more about the security vulnerabilities in our technical analysis:
Alyssa Herrera Jun 11
Replying to @gwendallecoguic
I use it as a throwaway email for my engagements usually as well. It's an excessively versatile tool.
Alyssa Herrera retweeted
김진욱 Jun 9
Diebold Nixdorf warns customers of RCE bug in older ATMs. The potential exposure was a part of the Agilis XFS service using .Net remoting over an externally facing HTTP channel.
Alyssa Herrera retweeted
Ivn Jun 10
Company: We use military grade encryption. CISO: We encrypt our users' data at rest. PM: We encrypt mobile apps' data. Developers:
Alyssa Herrera retweeted
Alex Chapman Jun 10
Have you ever needed to execute PowerShell, on a networked system, through a bastion host, accessed via an XP_CMDSHELL, over HTTP, from a remote Linux VPS??? No, me neither, but I wrote a tool to do it anyway.
Alyssa Herrera Jun 9
Replying to @TakSec
CVE-2017-15277, aka the ImageMagick memory leak, is rather interesting, and the impact can vary widely depending on what server is processing the images. In one case I was able to leak out SQL queries being invoked and subsequent PII. Downside is it's a bit tedious to exploit.
Alyssa Herrera retweeted
Yassine Aboukir Jun 7
Hardcoded consumer and secret key in an Android mobile application was fixed by AES/CBC encrypting it. However, the byte array generation function used to construct the decryption secret key was also hardcoded in the same java class 😂
Alyssa Herrera Jun 7
For most of the events, the companies will include new or untested assets in scope; sometimes special challenges or incentives are given for breaking certain assets as well.
Alyssa Herrera Jun 7
Replying to @TakSec
Ghostscript exploits and the ImageMagick memory leak exploit are also good ones to check for. I've found them more commonly than ImageTragick. The Upload Scanner plug-in for Burp Suite is a good way to fuzz out upload endpoints too.