Soroush Dalili

@irsdl

Followers
17,939
Following
870
Media
742
Statuses
12,073

Hacker (ethical), web appsec specialist, trainer, tools builder & apps breaker, @SecProjectLtd founder 🕸️🥷 🍏A dad-joke maker🍐

Worcestershire, England
Joined August 2009
@irsdl
Soroush Dalili
4 years
Self promotion time - if you are testing a payment system or a shop, check the whitepaper that I had written and updated last year: 💰💰💰 #bugbountytip #pentest #Financial
23
694
2K
@irsdl
Soroush Dalili
6 years
Here are my WAF bypass talk slides at @appseceu 2018: Next to the slides here is the Burp Suite HTTP Smuggler extension: #appseceu @NCCGroupInfosec
15
412
691
@irsdl
Soroush Dalili
4 years
. @NahamSec you asked me yesterday about how to learn deserialization attacks - So...
9
222
569
@irsdl
Soroush Dalili
4 years
From now until Christmas, I will try to share something from my notes / research every day - most of them are old but might still be useful to remember #XMas2020 #AppSec #Web #HTTP
10
113
521
@irsdl
Soroush Dalili
5 years
Having a breakout exercise and direct drive access is forbidden? Perhaps try these too: \\localhost\d$ \\127.0.0.1\d$ file:\\127.0.0.1\d$ \\--1.ipv6-literal.net\d$ \\\d$ \\--0-1.ipv6-literal.net\d$ file://--0-1.ipv6-literal.net\d$
4
212
484
@irsdl
Soroush Dalili
5 years
After spending so much time, finally here it is: "𝗨𝗽𝗹𝗼𝗮𝗱𝗶𝗻𝗴 𝘄𝗲𝗯.𝗰𝗼𝗻𝗳𝗶𝗴 𝗳𝗼𝗿 𝗙𝘂𝗻 𝗮𝗻𝗱 𝗣𝗿𝗼𝗳𝗶𝘁 𝟮" #appsec #FileUpload #pentest #bugbountytip
3
203
441
@irsdl
Soroush Dalili
1 year
Cookieless DuoDrop: IIS Auth Bypass & App Pool Privesc in ASP .NET Framework (CVE-2023-36899) #Appsec #bugbountytips
6
181
433
@irsdl
Soroush Dalili
4 years
. @NahamSec Here is the list of all links in Web Application Hacking Techniques since 2006 - These are really good to revive old techniques and to learn how different people think:
1
160
420
@irsdl
Soroush Dalili
5 years
Finding and Exploiting .NET Remoting over HTTP using Deserialisation: - comes with an open source app for training purposes + v2.0 (with its limits) #Appsec #Pentest #BugBounty @NCCGroupInfosec
2
172
336
@irsdl
Soroush Dalili
4 years
This is how XSS used to work 5000 years ago...
@lutfumertceylan
Lütfü Mert Ceylan
4 years
an XSS payload, Cuneiform-alphabet based 𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++], 𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀] +(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀] +𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")() #bugbounty #bugbountytips #cybersecurity
57
905
3K
6
37
313
@irsdl
Soroush Dalili
6 years
A new @NCCGroupInfosec blog post: RCE using ASPNET resource files and deserialization + Attacking insecure file uploaders on IIS using .RESX or .RESOURCES files: #Deserialization #AppSec #BugHunting #BugBounty #ASPNET
5
197
313
@irsdl
Soroush Dalili
4 years
#SelfPromotion URI schemas and their format can be what you need to bypass certain restrictions in Apps like Outlook or in exploiting vulns like SSRF or XXE - I had included more than 800 of known schemas + useful references here in `Schemes-List.xlsx`:
2
124
312
@irsdl
Soroush Dalili
9 months
The new Cookieless variant (CVE-2023-36560) has been added to @mwulftange 😇
5
78
291
@irsdl
Soroush Dalili
12 days
CrowdStrike is advertising a job after the blue screen incident yesterday!
13
36
290
@irsdl
Soroush Dalili
4 years
#SelfPromotion - HTTP encoding still works to bypass most WAFs 🧙‍♀️🧙🧙‍♂️ + see: for .NET + Note: [] is not the same as HTTP Desync by @albinowax & I didn't see it coming 🙃 #pentest #tip
@irsdl
Soroush Dalili
6 years
As some people couldn't quite solve the CTF () using the AppSec EU slides, I have attached this slow video that shows how the sqli could be exploited - I used HTTP Smuggler but that could be done manually. It was hard to type while recording ;-)
3
38
102
5
116
263
@irsdl
Soroush Dalili
6 years
Blog post on XOML deserialization has been updated with a working SharePoint RCE (using CVE-2018-8421): @NCCGroupInfosec @pwntester
3
179
255
@irsdl
Soroush Dalili
1 year
1/ Last month, I dived into a bug bounty, taking on the challenge of bypassing a Web Application Firewall (WAF) for XML External Entity (XXE) injection. Buckle up, here's the story! #Tip #BugBounty #AppSec 🧵
@irsdl
Soroush Dalili
1 year
#BugBountyDiray `BugCrowd` - `a private programme` 🌠It was the day 1 with the bug bounty hat on: I still have no proper automation in-place but I will sort it out when I have the energy, probably in the next 6 months or when I realise I am missing out a lot! 😱 My account got
10
12
210
6
46
254
@irsdl
Soroush Dalili
3 years
As the cat is out of the hat anyways, here are my views on Microsoft Exchange #Proxylogon so far: The super SSRF (controlling almost the full http message including verb/path/most headers/body) is the most important piece IMHO.
1
58
224
@irsdl
Soroush Dalili
4 years
On CVE-2020-1147 () and the great write up by @steventseeley (), you can exploit it w/o creating an ASPX page by `?mode=Suggestion`: /_layouts/15/quicklinks.aspx?Mode=Suggestion /_layouts/15/quicklinksdialogform.aspx?Mode=Suggestion
5
97
217
@irsdl
Soroush Dalili
1 year
#BugBountyDiray `BugCrowd` - `a private programme` 🌠It was the day 1 with the bug bounty hat on: I still have no proper automation in-place but I will sort it out when I have the energy, probably in the next 6 months or when I realise I am missing out a lot! 😱 My account got
10
12
210
@irsdl
Soroush Dalili
8 months
If you are using the latest early edition of #BurpSuite , you can use the following #bambda code for highlighting: It highlights the request with BurpCOLOR like "BurpRed"! You won't need an extension for PwnFox Firefox extension either btw! @Burp_Suite
8
57
205
@irsdl
Soroush Dalili
1 year
Just updated the legacy IIS Short File Name scanner (to v2023.3) to address an issue where it could miss some rare vulnerable servers due to an intrusive RegEx responsible for cleaning dynamic contents. Have a happy hunting! #Appsec #IIS #BugBounty
4
37
195
@irsdl
Soroush Dalili
5 years
I like the fact that this still works like a charm as a PoC when I need it: This can make testers' lives a lot easier but so many don't know it even exists #pentest #bugbounty
2
62
186
@irsdl
Soroush Dalili
4 years
CVE-2020-0618: Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability - if you use SSRS patch now not even tomorrow! It is a simple unauth rce!
7
60
183
@irsdl
Soroush Dalili
1 month
Here is my new blog post: MongoDB NoSQL Injection with Aggregation Pipelines Hopefully this will be useful to someone. #Appsec #NoSQLi #BugBounty
3
49
187
@irsdl
Soroush Dalili
4 years
App blocks %0D%0A? we try %0A or %0D or %u2028 or %2029 (using correct encoding). But also remember to try things like this especially if you are dealing with Java: %C0%8D%C0%8A %c4%8a %EA%A8%8A Find why & more using and
1
29
182
@irsdl
Soroush Dalili
4 years
Bug hunters are not researchers Fiddler is better than Burp Red teaming is real pentest Sec companies make vulnerabilities People share to get attention It pronounced ReJex not ReGx Burp soot not burp sweet Sequel not s q l
@GenericBologna
rhymes with purple
4 years
In 5 words or less, start a fight without politics
29K
752
8K
18
18
176
@irsdl
Soroush Dalili
6 years
Here is my research on SMB hash hijacking & user tracking in MS Outlook using special URI schemes, URI formats, and some HTML code: - github project for further research: #outlook #smbhash #tracking #patched
5
106
174
@irsdl
Soroush Dalili
6 years
Story of my two (but actually three) RCEs in SharePoint in 2018: - it all began with a simple question in Jan. 2018: "have you worked with ysoserial .net?" what a year! Glad is in Top 10 Web Hacking Techniques of 2017 @pwntester
4
73
169
@irsdl
Soroush Dalili
2 years
I've just updated , it supports infinite bridge gadget party now! So this is now possible: ``` a payload to exploit Exchange CVE-2021-42321 using the ActivitySurrogateDisableTypeCheck gadget inside the ClaimsPrincipal gadget. ``` @MDSecLabs @pwntester
2
56
171
@irsdl
Soroush Dalili
5 years
My new dirty and hacky extension for changing Burp Suite Repeater's tabs' style: 🔥 I hope this is useful for others too #BurpSuite #Extension #appsec #pentest #bugbountytip
5
55
169
@irsdl
Soroush Dalili
7 years
To bypass all the WAFs & beyond using the request encoding technique: Enjoy! #WAF #Bypass #Encoding
3
110
153
@irsdl
Soroush Dalili
4 years
If you have more free time these days to learn more about appsec, perhaps have a look at a very useful source for manual source code review as a checklist. Grab an open source app, practice these on it, and take notes of your discovery techniques!
2
46
159
@irsdl
Soroush Dalili
3 months
Since having @albinowax research tools embedded in #BurpSuite , I keep finding race condition issues in the payment systems. I was doing this stuff before (since 2010 at least) but was not always successful. The single packet attack is 👌 - Turbo Intruder can also elevate it!
@Agarri_FR
Nicolas Grégoire
3 months
After attending my training course last week, an attendee was eager to start his next audit. And he found a race condition on the very first day, thanks to the methodology and the tools we covered 🔥 He's happy, his manager is happy, and I'm happy too 🥲
4
2
79
9
14
156
@irsdl
Soroush Dalili
4 years
Exploit so easy 😱😰 this looks really really bad
@NVISO_Labs
NVISO Labs
4 years
This morning, PoC code to abuse CVE-2020-0688 (Microsoft Exchange Validation Key Remote Code Execution Vulnerability) was released. In case you haven't done so, it's time to patch, patch, patch! Our sigma rule to detect this:
2
131
210
2
60
153
@irsdl
Soroush Dalili
4 years
In the past I have found many deserialization issues in .NET by source code review. Here is my list to find interesting points to start with: If you want to know what to do next when you are in control, read the references in ysoserial .net
2
38
150
@irsdl
Soroush Dalili
6 years
I'm impressed w MS security monitoring team! As I was in the middle of confirming an RCE (15 min through) to c whether or not it worked in practice, they contacted me via burp collaborator HOST header! Workaround applied in less than an hour #RecentGoodExprience @msftsecresponse
7
46
150
@irsdl
Soroush Dalili
4 years
"max-forwards" http header: - limits the number of proxies a request can traverse. - not hop-by-hop - can't go in the Trailer header Some usage examples: old: old: counting servers (proxies) in the middle new:
5
24
148
@irsdl
Soroush Dalili
1 year
Burp Suite #Sharpener v3.0 is out in the GitHub repo: Some bugs have been fixed and icon sizes are now bearable! This is only compatible with Burp v2023.1 (early adopter currently) as it is based on the new Montoya API v1.0.
6
23
143
@irsdl
Soroush Dalili
1 year
A friendly reminder that most of these are still relevant but overlooked. I need to rewrite the extension though! #wafBypass #bugbounty
@irsdl
Soroush Dalili
6 years
Here are my WAF bypass talk slides at @appseceu 2018: Next to the slides here is the Burp Suite HTTP Smuggler extension: #appseceu @NCCGroupInfosec
15
412
691
4
25
139
@irsdl
Soroush Dalili
10 months
#BurpSuite latest early version 2023.10.3 is giving us #Bambda in filtering among other things! It is very very powerful in filtering and it runs pure Java code very well. As seen in the screenshot, I even managed to open calc with it😎 I hope to see it in Target Search soon! It
1
24
136
@irsdl
Soroush Dalili
4 years
Deserialization issue explained
@chazfirestone
Chaz Firestone
4 years
multimodal party game
49
1K
6K
6
27
133
@irsdl
Soroush Dalili
4 years
WooHoo, installing burp collab server was extremely easy with this, highly recommended!
2
41
135
@irsdl
Soroush Dalili
5 years
x-up-devcap-post-charset Header in ASPNET to Bypass WAFs Again! #ASPNET #RequestEncoding #WAF #Bypass
2
57
130
@irsdl
Soroush Dalili
4 years
I had missed this useful article: Linq Injection – From Attacking Filters to Code Execution by Timo Schmid (no Twitter?)
1
45
130
@irsdl
Soroush Dalili
4 years
The Burp Suite Sharpener extension is now available for everyone to use 🥳 Download it from here: Please report any bugs or submit your FRs. This is just the beginning for this extension 🍿 @MDSecLabs #BurpSuite #Sharpener #AppSec #Pentest #BugBounty 🥂
@irsdl
Soroush Dalili
4 years
Time to find some eager people in @MDSecLabs to beta test :) this is just the beginning but I really needed it so I hope it works well #BurpSuite #Sharpener
4
1
34
4
42
129
@irsdl
Soroush Dalili
3 years
The 1.07 version of @MDSecLabs #BurpSuite #Sharpener extension is out. In addition to some bug fixes, this version comes with the Halloween theme! Just what we need to harvest more bugz!!! 🎃🎃🎃 🎃🎃🎃 Thanks to @CoreyD97 for a swift library update! 👻
4
42
128
@irsdl
Soroush Dalili
10 years
Chrome XSS vector by using BASE tag <base href="javascript:\"> <a href="//%0aalert(/ @irsdl /);//">works in Chrome</a> http://t.co/Y5JQViooKB
6
74
125
@irsdl
Soroush Dalili
3 years
For those of us who are fans of making their web testing lives easier: #SlefAdAlert Keep the FRs coming - I will try to do them when I find time :)
1
30
127
@irsdl
Soroush Dalili
8 months
Thanks to @albinowax for giving me this opportunity, my name has been added to due to the work I did in designing the NoSQLi labs and another topic that is going to be released soon 😇
8
7
123
@irsdl
Soroush Dalili
1 year
Just uploaded the slides of @Steel_Con 's talk: This has more materials than my #NahamCon 's talk as it was longer. Also added a link to @bitquark 's new tool - - from the old tool 🔥🌶️🛎️ #BugBounty #AppSec
@tahadraidia
Taha Draidia
1 year
Beyond Microsoft IIS Short File Name Disclosure by @irsdl at @Steel_Con 404 🤣
1
5
34
0
37
123
@irsdl
Soroush Dalili
1 year
I want to start bug bounty as a serious task very soon and I hope it is worth it, any great suggestions or pointers for an experienced web tester? Also if you are a vendor and like my work, please invite me to your prv programme! I am accepting all invites now 🥹
19
11
122
@irsdl
Soroush Dalili
4 years
Tweet media one
9
8
120
@irsdl
Soroush Dalili
10 months
I've approved a new version of . Thanks to all contributors especially @chudyPB for so many new gadgets! 📃See @chudyPB 🤯"130 page" research: 📽️Video here: at @hexacon_fr #AppSec #DotNet #Deserialization
3
31
120
@irsdl
Soroush Dalili
5 years
gethostbyname() in php can be confused using a hex value or long domain name or IP "0x000000007f000001"; "127.0x00.0.1"; "127.0x1"; "00000000000...[255 more 0s]...00000177.0.0.1"; #tip #php #ssrf
4
47
117
@irsdl
Soroush Dalili
8 years
If you want to identify vulns in SWF files in your next pentest or bug bounty, read this!
1
68
115
@irsdl
Soroush Dalili
4 months
@vxunderground @ReneFreingruber This can be done by a non state sponsored actor too as it doesn't seem to be complex if orchestrated and planned properly when time doesn't matter. I can see how some other groups like ransomware guys might be interested in doing such things too.
9
2
116
@irsdl
Soroush Dalili
6 months
This was the latest research on this topic: Fun fact 😎 I found an IIS vuln when researching to create the slides: The video here: #IIS #ShortName #AppSec @infosec_au @bitquark @xnl_h4ck3r
@xnl_h4ck3r
/ XNL -н4cĸ3r
6 months
I've only just discovered the joys of IIS hacking and shortname scanning today after watching great talks by @infosec_au and @irsdl and using the great shortscan tool from @bitquark 🤘
2
4
89
3
23
117
@irsdl
Soroush Dalili
4 years
Burp Suite has come a long way and is still in our hearts 🫀although it is in Java!😅 From when proxy had no close friends -> scanner was not born -> extender was not a thing -> ... -> Dashboard, profiles, etc. etc. - still going strong @Burp_Suite 🪄 #nostalgia #appsec #burpsuite
6
11
107
@irsdl
Soroush Dalili
4 years
I am excited to do this training with Marcus remotely (really an honour for me): "A LOOK BEYOND THE WEB APPLICATION HACKER'S HANDBOOK"
7
19
109
@irsdl
Soroush Dalili
3 years
- Do you also want to know how you can proxy Exchange frontend and backend easily? - How to debug Exchange using dnSpy? - How to send plain/text to submit your form to an ASPX page? - How to bypass some WAFs? What's still unpatched there? We have you covered @MDSecLabs 🧙‍♂️
@MDSecLabs
MDSec
3 years
In our latest post, @irsdl explores the benefits of merging two Exchange exploits, “NSA Meeting Proposal for ProxyShell”
1
50
133
4
29
108
@irsdl
Soroush Dalili
2 years
now has another gadget which is capable of loading code rather than running a command to avoid easy detection: `DataSetOldBehaviourFromFile` Thanks to @steventseeley & @mwulftange for the 🦈 This release also has 1 new derived gadget just for fun!
2
37
111
@irsdl
Soroush Dalili
6 years
This is how I got the second $15k from MS SharePoint bug bounty! @NCCGroupInfosec
@NCCGroupInfosec
NCC Group Research & Technology
6 years
Technical Advisory: Another XOML Workflows Protection Mechanisms Bypass using Deserialisation of Untrusted Data - Potential Code Execution on SharePoint Written by: @irsdl #Deserialisation #SharePoint #TechAdvisory
3
54
80
4
33
108
@irsdl
Soroush Dalili
1 year
#ASPNET web form tip when bypassing certain WAF rules using #COOKIELESS : ✔️WAF blocks `/admin/main.aspx` ✔️WAF uses canonicalization & not case sensitive Possible bypasses: 🍪/admin/(S(X))/main.aspx 🍪/admin/Foobar/(S(X))/../(S(X))/main.aspx 🍪/(S(X))/admin/(S(X))/main.aspx
5
28
109
@irsdl
Soroush Dalili
4 years
Thanks to @MDSecLabs research, new stuff is being released for soon - as for the features, payload minimization, raw cmd command, and auto command encoding within JSON/XML messages are being released after the PR review by @pwntester
1
33
108
@irsdl
Soroush Dalili
7 months
Besides joking, these days you literally need to find one XSS using zap or free burp to pay for the pro! Also you don’t need burp pro for many bug categories. Perhaps stick to zap if you need automation and have no money and no coding skill :) Don’t install the malware 😈👻
8
6
108
@irsdl
Soroush Dalili
1 year
Today was my last day working at @MDSecLabs ! Thanks to all my colleagues and clients, I have learned loads 🪄 From tomorrow a new work chapter for me begins, and I hope it works out well 😊 See you around 🤩
13
1
107
@irsdl
Soroush Dalili
3 years
Only to make the firewalls better, I am going to leave this here to show how much requests can change and hopefully a blog post soon will come to show how we combined the ProxyShell and NSA Meeting exploits :)
2
28
104
@irsdl
Soroush Dalili
2 years
Sharpener v1.09 is out. It is a must have extension for serious Burp users IMHO before its major UI revamp anyway. I don't know about you, but I cannot Burp properly without it!!! #BurpSuite #MDSec #Extension #AppSec @MDSecLabs
2
32
105
@irsdl
Soroush Dalili
4 years
have been updated, now it can: generate payloads for CVE-2020-1147 and CVE-2020-0932 (sharepoint RCEs) as well as XmlSerializer payload the @steventseeley way! See the closed PRs for other changes if you are interested 😎 @pwntester
1
20
103
@irsdl
Soroush Dalili
6 years
As some people couldn't quite solve the CTF () using the AppSec EU slides, I have attached this slow video that shows how the sqli could be exploited - I used HTTP Smuggler but that could be done manually. It was hard to type while recording ;-)
@irsdl
Soroush Dalili
6 years
Unfortunately the CTF did not have any winner :( hopefully no one secretly has shelled the test server as it was probably possible ;) I’m going to turn the server off probably tonight :) #appseceu #appseceu18 @AppSecEU solution will be released tomorrow during my talk
1
1
6
3
38
102
@irsdl
Soroush Dalili
1 year
Well this bug has given me $10k from @msftsecresponse 🥳 I am happier a bit now 🤓 (only one of them got bounty as the same code change can stop them both) And @blowdart knows it all! Follow him 🙂
@irsdl
Soroush Dalili
1 year
I wanted to tweet more tips but something led to another & now I have reported two issues to MS one for abusing the IIS Application Pools and one for bypassing authentication on restricted folders in IIS 🔥 Hopefully they will patch it soon so it can be presented at @Steel_Con !
3
15
103
7
5
103
@irsdl
Soroush Dalili
1 year
I wanted to tweet more tips but something led to another & now I have reported two issues to MS one for abusing the IIS Application Pools and one for bypassing authentication on restricted folders in IIS 🔥 Hopefully they will patch it soon so it can be presented at @Steel_Con !
@irsdl
Soroush Dalili
1 year
#IIS #Shortname scanner tip: If you are using Powershell and are going to use ADS to inside the restricted /bin/ folder, remember to escape the $ sign: bin::`$INDEX_ALLOCATION Going to submit a talk for @Steel_Con to include some useful tricks like this + some new things
1
14
80
3
15
103
@irsdl
Soroush Dalili
1 year
For anyone interested, you can find the slides of my talk for #NahamCon2023 here: #IIS #AppSec
@irsdl
Soroush Dalili
1 year
If you haven't joined already, tune in at least for my talk to learn the correct pronunciation of "Enumeration" and other words! I guess as soon as AI can start talking for me, I will be fine!
3
0
21
4
23
101
@irsdl
Soroush Dalili
4 years
Beautiful work @kinugawamasato 🤩
@GHSecurityLab
GitHub Security Lab
4 years
GHSL-2020-099: mXSS vulnerability in AngularJS
0
35
87
2
22
90
@irsdl
Soroush Dalili
1 year
I did a few hours of bug bounty for a few nights last week to get a feel. I chose a couple of different programmes in h1 and bugcrowd to also get a feel of these platforms differences. Surprisingly both programmes were using Akamai WAF so direct automation was out, however,
4
4
93
@irsdl
Soroush Dalili
11 months
This is going to be interesting, update your DNSpy(Ex): #NotMyType
0
20
90
@irsdl
Soroush Dalili
11 months
For those who use Burp Suite Sharpener, you can now get the latest version from The latest version now uses the latest version of Montoya API. Please feel free to submit any issues.
3
27
88
@irsdl
Soroush Dalili
1 year
My latest blog post is out: Anchor Tag XSS Exploitation in Firefox with Target="_blank" We could use Middle-Mouse-Click or SHIFT/CTRL/ALT+CLICK in Chrome, now a similar approach for Firefox to access `document.cookie`! #AppSec #bugbountytips 🛎️
4
11
87
@irsdl
Soroush Dalili
4 years
And finally I managed to make the stand-alone recent SharePoint exploit that does not rely on ysoserial . net code. (it is very dirty but it works & won't be released) @steventseeley
@irsdl
Soroush Dalili
4 years
I really liked the exploit as well! He could probably hardcode the /web.config in the first request; but no, he creates a function that can be used over and over again which is cool :)
1
1
21
2
14
85
@irsdl
Soroush Dalili
4 years
I am excited (and nervous) for this tonight :) 😀😱
@NahamSec
Ben Sadeghipour
4 years
My next guest is a BEAST hacker, OG bug bounty hunter and security researcher: @irsdl ! Soroush has 100+ CVEs, tons of awesome blog posts, and he has contributed to a ton of useful tools! (I ♥️ IIS-ShortName-Scanner) Live interview this Sunday on
10
32
234
4
6
85
@irsdl
Soroush Dalili
2 years
@intigriti Here is my solution by using the image :)
1
7
84
@irsdl
Soroush Dalili
3 years
#BurpSuite #Sharpener v1.03 is out! It supports number of new features such as searching in tab titles or scrollable tabs when there are too many tabs and the screen is too small: @MDSecLabs @Burp_Suite @MasteringBurp
3
27
83
@irsdl
Soroush Dalili
9 months
@LiveOverflow It’s been encrypted by xoring with null!
2
0
85
@irsdl
Soroush Dalili
3 years
AppSec people get this especially @orange_8361
@goldengateblond
shauna
3 years
there has never been a better use of this meme
1K
18K
174K
1
6
83
@irsdl
Soroush Dalili
4 years
This is my today's quick internal workshop @MDSecLabs
2
8
83
@irsdl
Soroush Dalili
11 months
A decade ago, I developed Burp Suite JSBeautifier (). At that time, no browsers had JS beautifiers, and no extensions were capable of it. I later had it removed from BAppStore, as I couldn't invest the time to rectify a security flaw. Now, with the Montoya
0
16
83
@irsdl
Soroush Dalili
1 year
Back in 2018, I found a RCE in SharePoint by finding an interesting bypass in the Workflow; here you can read the full story: The PDF version of the vuln: This story involves @MSwannMSFT 😎 #BugBounty #AppSec
1
22
82
@irsdl
Soroush Dalili
5 years
Common Security Issues in Financially-Oriented Web Applications - updated: @NCCGroupInfosec
2
34
79
@irsdl
Soroush Dalili
1 year
#IIS #Shortname scanner tip: If you are using Powershell and are going to use ADS to inside the restricted /bin/ folder, remember to escape the $ sign: bin::`$INDEX_ALLOCATION Going to submit a talk for @Steel_Con to include some useful tricks like this + some new things
1
14
80