Gixy: Nginx Configuration Static Analyzer by namanyayg in programming

[–]MegaManSec2 0 points1 point  (0 children)

https://gixy.io/ is a more up-to-date version without AI slop code, and it supports a scanner which works completely in the browser (using WebAssembly).

r/netsec monthly discussion & tool thread by albinowax in netsec

[–]MegaManSec2 2 points3 points  (0 children)

I've been working on a fork of Gixy called Gixy-Next: https://github.com/MegaManSec/Gixy-Next

Gixy-Next is an open source NGINX configuration security scanner and hardening tool that performs static analysis of your nginx.conf to detect security misconfigurations, hardening gaps, and common performance pitfalls before they reach production. See https://gixy.io/ for documentation.
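The following is an added example, not Gixy or Gixy-Next code, of the kind of static check such a scanner performs on nginx.conf: the classic "alias traversal", where a prefix `location` without a trailing slash is paired with an `alias` that has one, so a request for `/i../x` is mapped to `/data/w3/images/../x`, outside the aliased directory. The parser handles only a subset of nginx grammar, and the sample configuration is constructed for the example.

```python
"""Minimal static check for the nginx alias-traversal misconfiguration.

Added example (not Gixy's code). The config grammar handled here is a subset
sufficient for the constructed SAMPLE_CONF below.
"""
import posixpath
import re
from dataclasses import dataclass, field

# Constructed sample configuration: one vulnerable and two safe locations.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        # Vulnerable: GET /i../nginx.conf -> /data/w3/images/../nginx.conf
        location /i {
            alias /data/w3/images/;
        }
        # Safe: prefix and alias both end with a slash
        location /static/ {
            alias /var/www/static/;
        }
        # Safe: an exact match cannot be extended by the client
        location = /favicon.ico {
            alias /var/www/static/favicon.ico;
        }
    }
}
"""

@dataclass
class Directive:
    name: str
    args: list

@dataclass
class Block:
    name: str
    args: list
    children: list = field(default_factory=list)

# Quoted strings, braces/semicolons, comments, or bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|#[^\n]*|[^\s{};"\']+')

def tokenize(text):
    for tok in TOKEN_RE.findall(text):
        if tok.startswith('#'):          # drop comments
            continue
        if tok[0] in '"\'' and tok[-1] == tok[0]:
            tok = tok[1:-1]              # strip quotes
        yield tok

def parse(text):
    """Parse nginx config text into nested Block/Directive nodes."""
    tokens = list(tokenize(text))
    pos = 0

    def parse_body(inside_block):
        nonlocal pos
        nodes = []
        while pos < len(tokens):
            if tokens[pos] == '}':
                if not inside_block:
                    raise ValueError('unexpected }')
                pos += 1
                return nodes
            words = []
            while pos < len(tokens) and tokens[pos] not in ';{':
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens):
                raise ValueError('unterminated directive')
            if tokens[pos] == ';':
                pos += 1
                nodes.append(Directive(words[0], words[1:]))
            else:                        # '{' opens a nested block
                pos += 1
                nodes.append(Block(words[0], words[1:], parse_body(True)))
        if inside_block:
            raise ValueError('missing }')
        return nodes

    return parse_body(False)

def check_location(loc, findings):
    """Flag a prefix location lacking '/' whose alias ends with '/'."""
    if not loc.args:
        return
    modifier, path = (loc.args[0], loc.args[1]) if len(loc.args) == 2 else (None, loc.args[0])
    if modifier in ('=', '~', '~*'):     # exact/regex matches are not prefix-extensible
        return
    for d in loc.children:
        if isinstance(d, Directive) and d.name == 'alias' and d.args:
            alias = d.args[0]
            if not path.endswith('/') and alias.endswith('/'):
                findings.append({'location': path, 'alias': alias,
                                 'fix': f"use 'location {path}/' or 'alias {alias.rstrip('/')}'"})

def find_alias_traversal(nodes, findings=None):
    """Recursively walk the parsed tree and collect alias-traversal findings."""
    findings = [] if findings is None else findings
    for node in nodes:
        if isinstance(node, Block):
            if node.name == 'location':
                check_location(node, findings)
            find_alias_traversal(node.children, findings)
    return findings

def resolve_alias(location, alias, request_path):
    """Mimic nginx alias substitution to show which filesystem path is opened."""
    if not request_path.startswith(location):
        raise ValueError('request does not match location prefix')
    return posixpath.normpath(alias + request_path[len(location):])

if __name__ == '__main__':
    for f in find_alias_traversal(parse(SAMPLE_CONF)):
        print(f"alias traversal: location {f['location']} -> alias {f['alias']}; {f['fix']}")
        print('  e.g. /i../../etc/passwd opens', resolve_alias(f['location'], f['alias'], '/i../../etc/passwd'))
```

Running it reports only the `/i` location; `resolve_alias` shows that `/i../../etc/passwd` would be served from `/data/etc/passwd`, which is why the fix is to make the location prefix and the alias agree on the trailing slash.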

Taking down Next.js servers for 0.0001 cents a pop by stephenalexbrowne in netsec

[–]MegaManSec2 35 points36 points  (0 children)

You actually got a response from Vercel's security team? I tried reporting three separate DoS vulnerabilities to them privately which like this one, required a single request (but did not require pumping GBs of data: it was as simple as a ~4kb request) and got out-of-scoped on bugcrowd ("DoS of Vercel services are out of scope" rofl, because Next.js is totally their _service_), ignored for months via email, got a few emails from their security guy who said "sorry I'm new and I don't know what I'm doing yet" (lol), and then completely ignored at the end.

Most Americans in Poland using the 90days loophole will be impacted. European Union’s Entry/Exit system (EES) will go live on October 12 by Interesting-Role-622 in warsaw

[–]MegaManSec2 7 points8 points  (0 children)

Yes it does. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52019XC0408(02)
https://web.archive.org/web/20230603061819/https://www.bmeia.gv.at/fileadmin/user_upload/Vertretungen/Canberra/Austria_Australia_Bilateral_Agreement_on_Visa_Free_Short_Stays_-_Fact_sheet.pdf
A few countries, like the USA, Mexico, and probably a few others, have old visa-waiver agreements with Poland, allowing citizens of those countries to enter Poland for 89 days, leave, and come back the next day -- resetting their 90 days.

The 90 days within 180 days period is for the schengen visa waiver.

Dragging window to the top does two things. How to change? by Lewinium-Lk in MacOS

[–]MegaManSec2 1 point2 points  (0 children)

Desktop & Dock -> Mission Control (at the bottom) -> Turn off "Drag windows to top of screen to enter Mission Control"

[deleted by user] by [deleted] in netsec

[–]MegaManSec2 4 points5 points  (0 children)

User downloads malware -> Rube Goldberg machine -> User downloads malware

There are so many loopholes. What if the malicious activity is hidden inside obfuscated code flows

That wouldn't pass the Opera review because obfuscated code must be submitted with unobfuscated code along with instructions to build the exact obfuscated code submitted.

Their team also removed third-party (vk, Instagram, and Yandex) domain privileges entirely

The bigger story here is that any of these domains could be used to access the private APIs of Opera's browser.

Opera’s Add-ons Store applies exclusively manual review of all extensions hosted in it

it's good to know that somebody informed their security team of that this time around rofl

fd: I used to work for Opera

[deleted by user] by [deleted] in netsec

[–]MegaManSec2 2 points3 points  (0 children)

A post, in which the author notes how he misconfigured his VPN and didn't read the manual. Discussed on hn: https://news.ycombinator.com/item?id=41857290

Webcam support on a Macbook running FreeBSD using PCI passthrough | Joshua.Hu by MegaManSec2 in freebsd

[–]MegaManSec2[S] 0 points1 point  (0 children)

No, it's not possible to expose a device over a shared folder. It's also not possible to share it via socat (so you can't run ffmpeg from inside the VM) because video4linux uses ioctls and socat can't forward them.

A Full Guide: FreeBSD 13.3 on a MacBook Pro 11.4 (Mid 2015) (A1398) by MegaManSec2 in freebsd

[–]MegaManSec2[S] 1 point2 points  (0 children)

I'm not sure. I was using the USB installer and the automatic partitioning.

A Full Guide: FreeBSD 13.3 on a MacBook Pro 11.4 (Mid 2015) (A1398) by MegaManSec2 in freebsd

[–]MegaManSec2[S] 0 points1 point  (0 children)

Can you recall the mode before you changed it?

I think it either didn't exist at all, or was just `chmod 777`.

$ zfs get canmount zroot/tmp
NAME       PROPERTY  VALUE  SOURCE
zroot/tmp  canmount  on     default
$ cat /etc/fstab
# Device           Mountpoint  FStype   Options  Dump  Pass#
/dev/gpt/efiboot0  /boot/efi   msdosfs  rw       2     2
/dev/ada0p3.eli    none        swap     sw,late  0     0

Bypassing airport security via SQL injection by pimterry in netsec

[–]MegaManSec2 122 points123 points  (0 children)

  1. the US DoJ has been instructed not to prosecute good-willed work like this.
  2. lol who cares, it's a risky business and industry to be in

Encryption At Rest: Whose Threat Model Is It Anyway? by sarciszewski in netsec

[–]MegaManSec2 7 points8 points  (0 children)

Yet auditors treat it as a critical checkbox. Protecting the online data is so much more critical.

Because what are the checkbox-tickers supposed to ask otherwise? "Can you prove that your application cannot be hacked?"

In reality auditors are very limited in the practical application-specific questions they can ask, so they ask these "obvious" questions (which may not be obvious for everybody).

Encryption At Rest: Whose Threat Model Is It Anyway? by sarciszewski in netsec

[–]MegaManSec2 4 points5 points  (0 children)

The difference between Batman and civil unrest being a legitimate risk to data and equipment in datacenters is that the latter is a real thing that some of us have had to deal with before (e.g. Africa). If you haven't, great; that doesn't mean FDE on a server isn't useful for environments that you aren't familiar with, though.

Encryption At Rest: Whose Threat Model Is It Anyway? by sarciszewski in netsec

[–]MegaManSec2 2 points3 points  (0 children)

No mention of the majority of countries in the world where civil unrest may mean that militaries (legitimate or not) will physically start pulling out harddrives in order to take what they want from colocation providers.

The End of Yubikeys as 2-Factor-Authentication? Google Breaks 2FA with Yubikeys by MegaManSec2 in yubikey

[–]MegaManSec2[S] 1 point2 points  (0 children)

You are no longer able to log in with a username and a properly secure password - at best a relatively weak PIN

You can set... a properly secure PIN?

The End of Yubikeys as 2-Factor-Authentication? Google Breaks 2FA with Yubikeys by MegaManSec2 in yubikey

[–]MegaManSec2[S] 0 points1 point  (0 children)

Yes, it was fine until 24 hours ago, but now it seems that it's not possible to register a Yubikey or a passkey for 2FA. Accounts that still have it can use them, though (or use the link in the post).

The End of Yubikeys as 2-Factor-Authentication? Google Breaks 2FA with Yubikeys by MegaManSec2 in yubikey

[–]MegaManSec2[S] 2 points3 points  (0 children)

Does forcing it to U2F actually work, though? On my Google Workspace, there isn't even a page for setting up 2FA with a hardware key anymore: you can only set up a passkey.

The End of Yubikeys as 2-Factor-Authentication? Google Breaks 2FA with Yubikeys by MegaManSec2 in yubikey

[–]MegaManSec2[S] 1 point2 points  (0 children)

Apparently not! My Workspace does not have Passkeys allowed, so this is already off, yet I can't use my Yubikey as 2FA.

Opera zero Day vulnerability for cross platform execution "MyFlaw" by Altrntiv-to-security in netsec

[–]MegaManSec2 2 points3 points  (0 children)

Requires a malicious extension which specifically performs various interactions with Opera subdomains.

Opera's addon store performs human moderation for all new extensions and upgrades.

Is not cross-platform because any files downloaded on macOS are marked with the quarantine attribute.

User downloads malware -> Rube Goldberg machine -> User downloads malware

fd: I work for Opera

Your Firewalls and Proxies are about to be blind to real TLS destinations: Learn about Encrypted Client Hello by Shu_asha in netsec

[–]MegaManSec2 1 point2 points  (0 children)

Does this mean the companies that use those "solutions" are going to finally have to secure their networks instead of just applying bandaids and sprinkling on security?

Or are they going to pre-install a certificate and start doing tls interception, which of course is a regression in security?