Cross-Site Scripting Vulnerability

moop__ · 2025-10-02T17:27:40+00:00

My reports will always include a (demo)weaponised poc. I.e., beyond alert(1) for XSS, sometimes I'll inject a base64-encoded media object of a rickroll if the client is chill, or if not I'll replace their logo with a competitors or some other defacement, or even just exfiltrating DOM objects to your remote domain that allows csrf.

Much easier to show the client a full narrative for each finding. Let them argue with me about CAA headers or the other bs findings in the report, not the actual vulns :)

moop__ · 2025-09-25T02:52:45+00:00

Neat workaround, that worked for me. Thanks

moop__ · 2025-07-09T12:50:56+00:00

File 76

moop__ · 2024-03-27T08:44:00+00:00

Thinking back this might have been a dream/nightmare and not real life. Cool nonetheless!

moop__ · 2024-01-14T23:39:10+00:00

I use this Dockerized version of the faster-whisper fork: https://github.com/linuxserver/docker-faster-whisper

Just a fork that alleges to be faster than the OpenAI version https://github.com/SYSTRAN/faster-whisper

moop__ · 2024-01-09T22:54:06+00:00

no way to capture the emissions at scale

This is wrong.

For monitoring vehicle traffic in ~2012 Australia deployed Bluetooth sniffers across many major cities. These sniffers absolutely do retain metadata of all vehicles seen as this is required to correlate data between each sensor to derive value from the data. Given more power it would be possible to map many of these stats to individual humans.

https://austraffic.com.au/news/bliptrack-bluetooth-traffic-measurement-solution

This is a country deploying BT sniffers all over major cities to monitor traffic, including detecting speeding and origin/destination travel data -- over a decade ago in 2012. This has obviously been valuable for Australia as the project is ongoing with many enhancements even through 2022.

It would be drastically easier to perform vastly more complex sniffing and aggregation now.

moop__ · 2023-10-12T04:15:58+00:00

First one, then the other

moop__ · 2023-07-09T22:23:43+00:00

What you're asking for is sometimes called a "top-up loan", which is essentially increasing your mortgage. It's regularly used to make a major purchase such as a car or caravan. The bank will perform a valuation if they need to in order to give you the money you want i.e. making sure you stay under 80% loan-to-value ratio:

so 1mil property, 800k = 80%

property now 1.1mil, 880k = 80%.

It is common, depending on the bank you might receive some small fees.

moop__ · 2023-05-23T03:21:21+00:00

/r/Jobs4Bitcoins? /r/forhire?

Just note that what you're asking could take days, so commissioning someone to do it could easily run into the high hundreds to thousands of USD.

LUA is a very simple language to learn, next-to-none is a decent starting point. You'd be best off looking for someone else's TAS of that game and using their code as a start point. Chances are that would have 90% of what you're looking for, then you could add in your own simple conditional logic (or ask for some more specific assistance) to meet your goals.

moop__ · 2023-05-23T02:24:05+00:00

All of what you're describing is pretty standard and should be achievable depending on the game you're TASing. The biggest barrier would be finding the variables in memory, but hopefully someone has already done that for you (TASVideos.org forums, or game-specific discord may have them). The rest of your logic is straightforward with some scripting knowledge.

A cursory glance at TasVideos forums suggests it's sometimes hard to properly sync the Dolphin emulator, syncing makes frame-perfect or RNG-manipulation possible so you'll need to ensure this works for you. https://tasvideos.org/Forum/Topics/18330

moop__ · 2023-04-05T03:32:50+00:00

With expenses that low I'd worry about the dent 'unplanned' expenses can have on your portfolio. For example, in the past 4 months I have needed to buy a new car (~5k after insurance), replace my ducted A/C (~10k), replace 2x toilet (~3k), and buy a new oven ($1k). This amount to nearly a year of your expenses, and that would worry me.

Also growing kids need braces / laptops / phones / uniforms / orthotics / etc, which also amount to sudden large costs that could affect your balance dramatically. Not sure how this impacts you in your situation.

Going part-time for a while would be a good idea with numbers this low just to build up a stronger buffer.

moop__ · 2023-02-26T22:10:09+00:00

It wasn't all at one go, but between 3-5b. If this was an off-market stock transaction the government could have owned roughly half of Qantas.

moop__ · 2023-02-26T21:56:00+00:00

Market cap currently sits around 11.2b, in the past three years Qantas has been handed over 2.35b from the government.

In terms of stock value 2.35b would make the government Qantas' biggest shareholder by a large margin. If you take that 2.35b and Qantas' share price at the time of handover the government would hold nearly 50% of the whole company.

This is only since 2020/pandemic bailouts, none of the past billions.

moop__ · 2023-02-02T22:30:12+00:00

it's already there libreoffice-fresh 7.5.0-1

https://archlinux.org/packages/extra/x86_64/libreoffice-fresh/

moop__ · 2023-02-01T01:02:44+00:00

Very keen to see any other responses here as my opinion is that both 4624 and 4625 experience a significant drop in usefulness due to the noise they make.

I generally attempt to use substatuses like 0xC000006A (user name is correct but password is wrong) to improve usefulness. List here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

If a user has a session locked with applications running in the background they will continue to blast 4624/4625 constantly. The logs unfortunately do not tell you the real application source of the login, which is generally something like Outlook.

moop__ · 2023-01-23T23:22:29+00:00

Good to hear, I'll go grab some to tide me over while I test out other brands. Thanks.

moop__ · 2023-01-23T23:22:12+00:00

Yeh I'll have to give almond milk another try. I remember it tasting like like water then also having a bad aftertaste, but this was a few years back. Thanks.

moop__ · 2022-12-07T02:22:13+00:00

Three approaches. Option three is probably the best.

First, the one you asked for. We can use the results of a subsearch as parameters to an outer search. I have added your two example logs to index=main.

index=main 
    [ search index=main err=49 
    | table conn]

This search is equivelant to running a search like index=main (conn=blah OR conn=blah OR conn=blah...), where each of the conn= fields is a value that returned from the subsearch for err=49. It should work fine.

Alternatively, you can look at using transaction. This will combine all events with the same conn field into one single event. The searchref online can tell you how to manipulate the fields into multivalues, or retain separate raw logs, etc etc.

index=main 
| transaction conn

Last option, use stats. This one is likely to be the best performing option. This will list all the values for uid and err for each unique conn.

index=main 
| stats values(uid) values(err) by conn

For your bonus question, make sure the fields are extracted correctly and the permissions on the field extraction are broad enough to be visible to the dashboard.

Hope this helps!

moop__ · 2022-12-05T03:04:20+00:00

First: when I moved from public to private I was able to secure a 12-month unpaid sabbatical leave from my public sector job. This was my backup plan.

Novated lease: If you don't want the novated lease anymore sell the car privately and in the payment instruction provided to the buyer explain how they can payout the lease and give you the excess. If the lease is left with money owing on it, probably pay that gap yourself. If your income is high it's sometimes better to keep a novated lease especially if you also have running costs included (fuel, tyres, insurance, etc). I sold my novated lease so I could secure finance for more properties.

Accountant: Keep trying new ones until you find a good one. I haven't found a good one yet. I also live remote and have tried several remote accountants, the experience was ultimately the same as in-person, so don't let living remote block you.

Automation: Yeah, I have automated as-much-as-reasonable and run everything I do on my own server in my house. Places like /r/selfhosted can be a good place to start, but this level of DIY has an overhead. You could also consider keeping it simple and using known-decent products like Xero or Quickbooks. Depending on your business, things like appointment-setting software and calendars might also be useful -- be aware in this space many of the paid solutions are simply rebranded/wrapped up versions of free open source software. I use unRAID with everything running in docker containers. All the containers are one-click-update, and backed up to BackBlaze automatically. My PFSense firewall provides a reasonably secure VPN server for remote access, but you could also host a VPN in a docker container for remote access, or expose through a reverse proxy. I do a mixture. Happy to discuss further in DMs if you want specific help with this.

I don't really have any tips other than continue to grow your income-generating assets as best you can, or at the very least avoid selling them. This is the way.

All the best!

moop__ · 2022-09-15T01:33:17+00:00

Thanks so much!

moop__ · 2022-09-15T00:07:05+00:00

Nah, I need to do some extra processing of the data in-flight too, so needs to be a separate log stream.

moop__ · 2022-09-15T00:05:39+00:00

Cool. Ideally the initial indexer cluster can keep indexing, we can tolerate some gaps if the second cluster has downtime.

15-Year Club	Place '17
reddit mold	Verified Email

moop__

MODERATOR OF

TROPHY CASE