dawn
Discord ID: 185438378378919936
134 total messages. Viewing 100 per page.
Page 1/2
| Next
hi
Thanks good to be here
is there a /g/ discord? for non chink shit related things
That sucks
Who cares
I kinda wanna start a /g/ CTF team
https://boards.4chan.org/g/thread/55139998 let's see how this goes
i feel like im gonna get a whole bunch of elitists replying to this
yay for /g/
> Not using windows 10 for anything related to security
> Not having control flow guard
uh...
is that bot written in py?
that's.. probably not a great idea to give anyone access to the urllib/requests package
there's a HTTP response splitting bug
can in theory result in pwning of the bot
i mean idfk if it's vuln
well depends what ver of urllib it uses
!play google.cum
eh
can someone try requesting an invalid url
i'm good
can someone do !play google.cum
uhm.
i mean
someone could in theory exploit your box
via that bot
I don't have a non work box I can use to hit it with
so I can't test it
You got me.
I mean try injecting another header into the URL
then look at the response
Uh you can use it to hit internal resources/send requests to any site with any data you want
Yeah but someone here is hosting it
all I'm saying is it's worth checking so they don't get abuse complaints for someone using their shit in a bad way
What the fuck
All I did was suggest that your bot might be vuln to a public CVE
... I already said I don't have a box I can tail -f logs for
lol
I don't have a box that isn't work related
Make a request to my http server
Where I can see if it's actually working, it's HTTP header injection
It's an issue even if you just have private services running on your box
because someone can use that to pivot to them
Like i'm only telling you because I like it here already. I'm not trying to make a big deal out of it
I mean it's a potential security bug
I really don't know what's the correct way to handle it now, I thought you'd want to at least be informed
I don't know what that means.
I'm just trying to help..
There's a POC
I thought you said /g/ chats in here
Have I upset people?
Wasn't my intention.
i apologize then @Deleted User i just noticed something and thought out loud.
@cathy I said, can be used to send requests filled with custom data, and pivot through your network
there is.
Mind if I pm you?
Okay I get it.
can we talk about csg tablets?
tablets are great
book reading, mangos reading, movie watching
^
phones are too small
awh
even 6" phones
are too small
for tablet related usage
why can't we get cheap programs from China
The browser?!
Oh dear god.
If you're serious, ditch it. Get chromium for security
Early access? .-.
wat
Maxthon is public?
._.
Can I have a copy
Edge is making me want to kill myself
What's it based on?
What engine is it using?
oho. fun
Secure
and terrible
Edge is like
Windows 10 + Edge
is borderline unhackable
Eh.
pwn2own already owned Edge
but they've added the patches and getting a reliable exploit now
is beyond annoying
not saying it's impossible, but borderline
@cathy load it into IDA
well dump the firmware first ofc
if it's hex you can convert that to a bin
I might be
SURE IS!
laame
did you set the processor flavour as arm/avr ?
Yeah but I mean did you set it to avr
because if you didn't IDA won't recognize it