Alfred Berg

@berg.hf.ax

security enthusiast | space | F1 | bikes

940 Followers | 280 Following | 14 Posts | Joined 14.10.2023

Latest posts by Alfred Berg @berg.hf.ax

Just saw the EFF has a lot of interesting things in their webshop. Easy way to get some nice things and support a good cause

03.03.2026 22:07 👍 0 🔁 0 💬 0 📌 0

Wild world where the pope seems to have better takes on AI and the internet than most people in tech
www.vaticannews.va/en/pope/news...

21.02.2026 19:41 👍 0 🔁 0 💬 0 📌 0
PIMINTO Demo 01 (YouTube video by John Wiseman)

If you want to try your own queries in PIMINTO, my geospatial AI search tool, now you can: piminto.obliscence.com. There are some pretty neat features that I didn't include in the demo video, including a third way to query besides text and images. www.youtube.com/watch?v=EjH0...

29.10.2025 16:28 👍 25 🔁 6 💬 2 📌 2

i'm building a web browser for reverse engineers!

* identify calls to common fingerprinting APIs
* decode/decrypt known data collector payloads
* Hook things without leaving a trace
* detect obfuscated scripts & deobfuscate
+ more

I wrote about it!

nullpt.rs/reverse-engineering-browser

06.10.2025 16:00 👍 58 🔁 14 💬 6 📌 1

The Oracle zero-day... kek

labs.watchtowr.com/well-well-we...

07.10.2025 12:42 👍 19 🔁 7 💬 2 📌 0
Intigriti May XSS Challenge (0525) | Jorian Woltjer A challenge by @joaxcar with a small but complex XSS chain, hitting DOM Clobbering with a race condition and abusing a cool URL parsing quirk in JavaScript.

The legendary @joaxcar.bsky.social made a really interesting XSS challenge this month for Intigriti. My solution involved winning a race condition with 100 <iframe>s to utilize a DOM Clobbering gadget after bypassing a RegEx.
Check out the writeup below:
jorianwoltjer.com/blog/p/hacki...

17.05.2025 09:03 👍 12 🔁 7 💬 2 📌 0
Diagram describing the tj-actions supply chain attack. The attacker jumped through 5 repositories to finally target coinbase

The tj-actions supply chain attack is kind of wild. The target seems to mainly have been Coinbase
unit42.paloaltonetworks.com/github-actio...

03.04.2025 18:54 👍 1 🔁 0 💬 0 📌 0
Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of China

BABE! stop what ya doin', they've found a sexy af buffer over-run in DNS used by the GReAt waLL of ChINA!!!

Today's a phenomenal day for research papers. Leaking memory contents using DNS requests???

Xie Xie, yes please gfw.report/publications...

26.02.2025 09:56 👍 19 🔁 8 💬 1 📌 0
Getting the main process pid of a docker container with "docker inspect httpd | jq .[0].State.Pid" and then navigating to the processes root file system with "/proc/[pid]/root"

Here is a docker trick I use a lot:

It is easy to access the file system of the docker containers through /proc/[pid]/root/. This makes it easy to run tools not available in the container, copy and edit files, etc.

This is especially useful for hardened containers

26.01.2025 18:43 👍 19 🔁 4 💬 1 📌 0
CVSS is dead to us CVSS is short for Common Vulnerability Scoring System and is according to Wikipedia a technical standard for assessing the severity of vulnerabilities in computing systems. Typically you use an online...

CVSS is dead to us daniel.haxx.se/blog/2025/01... #curl

23.01.2025 10:50 👍 108 🔁 28 💬 8 📌 3
eBPF Research Papers When I started reading on BPF there weren’t many academic papers to describe how it worked, how it didn’t, or how it is used. There are many blog posts and informal articles out there, but it’s harder...

I've made an interactive list of #eBPF research papers. Only papers from the top academic conferences, including lots of papers on eBPF verification, kernel offloads, security analysis, etc.
pchaigno.github.io/bpf/2025/01/...
I plan to keep the list up-to-date.

07.01.2025 16:30 👍 18 🔁 13 💬 1 📌 1

You are in bsky.app/profile/dmnk... which is how I at least found you. One can also check clearsky.app (but that list is not updated there yet)

24.12.2024 06:22 👍 2 🔁 0 💬 1 📌 0
GitHub - hengyoush/kyanos: Kyanos is a networking analysis tool based on eBPF. It can visualize the time packets spend in the kernel, capture requests/responses in command line, calculates various aggregated metrics, makes t...

Another similar thing I recently learned is eBPF can be used to get all traffic going through openssl on a system. No CA cert needed. E.g. kyanos makes use of this github.com/hengyoush/ky...

21.12.2024 13:47 👍 10 🔁 1 💬 2 📌 0

Last month, our Security Research team discovered and disclosed a critical pre-authentication RCE in CraftCMS (CVE-2024-56145). You can read our blog post on the issue here: assetnote.io/resources/re...

#attacksurfacemanagement

19.12.2024 02:12 👍 9 🔁 5 💬 0 📌 0
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at Flatt Security Inc. A few days ago, I was upgrading my home lab network, and I decided to upgrade the OpenWrt on my router.1 After ac...

If you're interested in the technical details, I wrote the blog post here: flatt.tech/research/pos...

For the further details, please check out the announcement from the OpenWrt team: lists.openwrt.org/pipermail/op... (2/2)

07.12.2024 09:47 👍 17 🔁 8 💬 0 📌 1
A Beginner's Guide to eBPF Programming with Go • Liz Rice • GOTO 2021 (YouTube video by GOTO Conferences)

Resources I have found useful for starting to develop eBPF programs:
@lizrice.com has a lot of good videos e.g. www.youtube.com/watch?v=uBqR... (the go part is a bit different if using ebpf-go)
isovalent.com/labs/ebpf-ge...
ebpf-go.dev/guides/getti...
docs.ebpf.io
www.kungfudev.com/series

30.11.2024 19:21 👍 2 🔁 0 💬 0 📌 0

eBPF could be a great tool to identify data reaching sinks when doing gray-box security assessments

e.g. find if the input is passed to some bash command or sql-query, what files the application tries to open, get the plain text of all https requests going through openssl on the system, etc.

30.11.2024 19:19 👍 1 🔁 0 💬 1 📌 0

I recently discovered eBPF and have been playing around a bit with it

Essentially it is small hot-swappable programs that run in the Linux kernel, making it possible to e.g. log arguments to syscalls and userland functions. It is also possible to change the behaviour of syscalls (some limits apply)

30.11.2024 19:18 👍 2 🔁 0 💬 1 📌 0

It is really good! It is also so easy to use that my dad uses it to connect to the home automation system

29.11.2024 12:31 👍 1 🔁 0 💬 0 📌 0
Post: Mutation XSS: Explained, CVE and Challenge | Jorian Woltjer Learn how to bypass HTML sanitizers by abusing the intricate parsing rules and mutations. Including my CVE-2024-52595 (lxml_html_clean bypass) and the solution to a hard challenge I shared online

To summarize what I have learned about Mutation XSS, my CVE, and the solution to my challenge, I wrote a post going through it all.
If you like regular XSS, this is a whole new world of crazy techniques and many sanitizer bypasses. You too can learn this!
jorianwoltjer.com/blog/p/hacki...

27.11.2024 16:01 👍 23 🔁 9 💬 0 📌 2
Remote Code Execution with Spring Properties Recently a past student came to me with a very interesting unauthenticated vulnerability in a Spring application that they were having a hard time exploiting...

I just wrote a new blog post! This is how I (ab)used a jailed file write bug in Tomcat/Spring. Enjoy!

Remote Code Execution with Spring Properties :: srcincite.io/blog/2024/11...

26.11.2024 23:57 👍 76 🔁 36 💬 1 📌 2
GreyNoise Labs - Null problem! Or: the dangers of an invisible byte A quick and silly post about a weird exploit situation

I posted a quick/fun little blog about the dangers of invisible bytes, particularly when everybody copies/pastes exploits without understanding them:

#vulnerability #exploit #greynoise #null #byte

25.11.2024 17:53 👍 13 🔁 4 💬 0 📌 0

Earlier this year, Assetnote's Security Research team discovered a vulnerability in Sitecore XP (CVE-2024-46938) that can lead to pre-authentication RCE.
Order of operations bugs are one of my favorite types of bugs :) Write up and exploit script here: assetnote.io/resources/re...

22.11.2024 05:50 👍 51 🔁 24 💬 1 📌 0
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

@volexity.com's latest blog post describes in detail how a Russian APT used a new attack technique, the "Nearest Neighbor Attack", to leverage Wi-Fi networks in close proximity to the intended target while the attacker was halfway around the world.
Read more here: www.volexity.com/blog/2024/11...

22.11.2024 14:58 👍 81 🔁 41 💬 2 📌 13

Any bug bounty people around? I'm creating a starter pack of people to follow but it's pretty brief currently! Let me know if you'd like to be added: go.bsky.app/GD7hKPX

21.11.2024 15:23 👍 95 🔁 30 💬 45 📌 2

I have started doing some bug bounty again, e.g.
support.apple.com/en-us/102774
unite.un.org/content/un-i... (technically not bug bounty, but a pretty fun one, found various DB creds and similar secrets)

21.11.2024 16:55 👍 1 🔁 0 💬 0 📌 0
Sketchy Cheat Sheet - Story of a Cloud Architecture Diagramming Tool gone wrong

Nice writeup by Jakub Domeracki of multiple vulnerabilities in a Google architecture tool, resulting in the tool being decommissioned
jdomeracki.github.io/2024/11/09/s...

20.11.2024 13:36 👍 1 🔁 1 💬 0 📌 0
Reverse Engineering iOS 18 Inactivity Reboot

How does the new iOS inactivity reboot work? What does it protect from?

I reverse engineered the kernel extension and the secure enclave processor, where this feature is implemented.

naehrdine.blogspot.com/2024/11/reve...

17.11.2024 21:42 👍 279 🔁 107 💬 12 📌 11
The Dangers of Building a Recursive Internet Scanner by Joel Moore | BSides CHS 2024 (YouTube video by BSidesCHS)

As a pentester and security engineer, I found this talk to be very inspiring. I haven't been able to use the tool yet, but you can bet I will soon!

youtu.be/bCNnloBaw_U?...

18.11.2024 00:07 👍 14 🔁 4 💬 0 📌 0