Louis Nyffenegger
@snyff
Followers
19,119
Following
601
Media
948
Statuses
11,724
Founder/CEO/Trainer/Researcher/CVE archeologist @PentesterLab . Security engineer. Bugs are my own, not of my employer...
☁
Joined December 2011
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Nasrallah
• 1232565 Tweets
Palmer
• 444539 Tweets
الفتح
• 387730 Tweets
Chelsea
• 263430 Tweets
Sanchez
• 140582 Tweets
سوريا
• 120781 Tweets
Brighton
• 101575 Tweets
Wolves
• 86106 Tweets
Sara
• 84687 Tweets
Saka
• 81087 Tweets
Sancho
• 77246 Tweets
Leicester
• 76732 Tweets
Osimhen
• 72343 Tweets
Kasımpaşa
• 50271 Tweets
#GSvKAS
• 47513 Tweets
Okan
• 46432 Tweets
Nelson
• 45130 Tweets
#الهلال_الخلود
• 28957 Tweets
Nwaneri
• 28371 Tweets
Rosie Duffield
• 22096 Tweets
Leverkusen
• 21250 Tweets
Pampita
• 19980 Tweets
Icardi
• 16941 Tweets
Kentucky
• 16446 Tweets
#WOLLIV
• 15758 Tweets
Konate
• 12470 Tweets
Ole Miss
• 11882 Tweets
Baylor
• 10012 Tweets
Pinned Tweet
Do you want to get into code review or improve your code review skills?
Make sure you check out my upcoming live trainings: "Web Security Code Review Training"!
0
6
24
By age 30, You Should Have a Drawer with a Raspberry PI you don't use and a dozen USB cables.
537
1K
16K
I saw a guy reporting a vulnerability today.
No logo.
No website.
No drama.
He just emailed a write-up.
Providing all the details needed to reproduce and fix the issue.
Like a psychopath.
62
931
6K
Get the latest Windows security enhancements on Linux with this one simple trick:
# chmod 755 /etc/shadow
24
263
1K
Certifications.
What’s the biggest scam in tech that has become widely accepted?
1K
187
2K
23
128
1K
A lot of people working in infosec often forget how lucky they were that their passion became a job in high demand...
35
91
839
I know sex is great but have you ever shell'd a company after they insisted the pentest was a waste of time...
27
56
798
You need a degree, 5 years experience and 2 certifications to become a cybercriminal.
47
71
723
Just popped a shell?
Run this command to increase the impact of your finding:
export PS1="# "
#bugbountytips
8
90
660
"Yes, the 3 types of hackers: blackhat, whitehat and asshat..."
17
82
609
This is a weird screensaver and not at all the one I downloaded...
22
53
599
A wise hacker once said: "you don't call yourself a hacker, other people do".
18
96
548
Everybody wants to be a hacker until it’s time to read/write code for few hours...
29
125
517
Cyber security students be like:
"If I win the lottery, I’m not telling anyone. But there will be signs."
11
51
484
The world needs an old-school CTF...
So far the challenges are:
- Read this 5.25" floppy
- Read this 3.5" floppy
- Burn a CD
- Crimp your own ethernet cable
- Deploy a Peg DHCP server ()
- Connect to this token ring network
Anything else?
223
77
472
Unpopular opinion:
No one will be work as a "pentester" in a few years.
People will perform pentest as part of their job as a security engineer, appsec engineer or redteamer.
It has already started.
60
54
438
Infosec: "People sucks at threat modelling"
Also infosec: "An attacker spends millions for a Super Bowl ad to get me to scan a QR code"
16
42
368
Too many people fall into the traps of gamification or certification, focusing on the wrong objectives.
Your goal should be to learn, not to be at the top of the leaderboard or merely to pass an exam.
[1/2]
9
80
353
Blackhat swag as seen by people outside of infosec:
"This person is definitely a badass hacker".
Blackhat swag as seen by people in infosec:
"This person is most likely not doing any hacking".
16
30
341
TIL: How to exploit directory traversal in file upload with
#curl
using curl -F "file=
@PentesterLab
.jsp;filename=../../../../../../../../hacker.jsp"
2
116
346
Hackers: 25 years later.
Zero Cool manages a team of pre-sales engineers solving APT.
Acid Burn and Lord Nikon are both CISO.
Cereal Killer works for the government.
Joey Pardella is trying to cover up a security breach.
They are all
#infosec
thought leaders on twitter.
9
90
346
If you're looking for a job, try to blog regularly about CVEs (one you didn't find):
📚 You will learn so much
✍️ You will have something to show for it
🆓 It is completely free (unlike certifications🤔)
🎲 It removes the randomness out of your study/content (finding the bug)
7
37
301
Junior pentesters when a bunch of internal pentests gets allocated to the team
7
44
298
Security recommendation: Use bcrypt for passwords
Implementation:
17
38
282
“Hacking cannot be taught. Hacking can only be learned.”
(based on a quote from Mikhail Botvinnik about Chess)
8
53
271
Metasploit: $0
Exploiting known unpatched vulnerabilities: $0
Leveraging public security research: $0
Deploying 0-dayz to compromise random phones using public USB power charging stations: $3000000
Someone who is good at the economy help me budget this my APT group is dying.
3
46
275
For people being surprised to see so many security tools in the twitch leak...
This is what a modern security team looks like.
Less buying off-the-shelf tools, more building tools based on your actual needs.
🛠🧰💰
12
31
272
Do you want to find new vulnerabilities?
1. Look at the patch for a recent CVE (for example: CVE-2021-43350)
2. Write a
@semgrep
rule for them (tune your rule using the CVE you picked)
3. Scan a lot of code repository with this rule.
4. Manually confirm the matches.
4
65
265
Troll bug bounty hunters with this one mad trick:
str.gsub!('${7*7}', '49')
9
39
254
“We take security seriously...”
A
B
s
o
l
u
t
e
l
y
n
o
t
・
。 ・゚
。°*.
。*・。
3
45
238
Do not get into hacking.
I cannot emphasize this hard enough.
Do not ever start hacking.
39
18
232
When people subscribe to
@PentesterLab
, they give me two things... Their $ and their time, I can't refund the latter and that's why I try to provide a lot of value...
8
11
232
No need to sign your JWT, we are all friends here on the Internet!
5
14
214
Pentesters: “Bug bounties involve too much grinding for unpredictable outcomes.”
Also pentesters: “I want to become a vulnerability researcher.”
8
21
213
You shout "Hack the planet"
but your behaviour screams
"Run a vulnerability scanner against Earth".
4
32
208
Unpopular opinion:
A lot of people stick to CTF instead of Bug Bounty or Vulnerability Research because it is a lot more comfortable.
Not easier, more comfortable, you know there is something to be found.
25
33
207
Give a man an open redirect, and you feed him for a day. Teach a man to chain open redirects with other bugs, and you feed him for a lifetime.
7
26
205
One day I will understand why most of infosec picked Python...
36
8
193
I remember trying to learn Linux by printing pages and pages of Mandrake/RedHat manuals and trying to read them...
THAT DID NOT WORK.
What worked?
Using Linux as my daily driver for months. It was hard, it was annoying, it was frustrating but this was the way.
17
13
186
Not that it matters but since I saw another tweet on this:
I have 0 CVE, 0 certification.
People judging others on CVE or certs are at best lazy, at worst downright stupid...
14
23
188
You are offered 20k.
But you can never use Burp Suite again.
Do you accept?
91
6
187
It's important to remember that some infosec influencers are not achieving much and that a few infosec people with < 100 followers are killing it.
11
19
185
See mum! It is a real job!
9
2
179
If you have trouble keeping up with security research, security news, new technical content, make sure you check out: by
@elttam
2
54
181
This one seems very relevant to security/hacking:
"It doesn’t matter if you’re a beginner or an expert as long as you’re on the path.
If a beginner is on the path, all they need is time.
If an expert is off the path, they won’t be an expert for long."
–
@JamesClear
3
35
172
I'm lucky to be working on some of the hardest Computer Science problems of our time...
Like aligning text in CSS...
9
15
170
One of the cheapest and most efficient way to improve your infosec skills is to read code.
Literally, linux+vim+git on a raspberry pi with a 12” display is enough...
Read the code of opensource projects, tools you use, diff from advisories.
You don’t even need a browser!
5
25
168
"Do you need to learn to write code to get a job in infosec?"
Absolutely not! You need to learn to write code because that is one of the coolest things you can do with a computer.
8
21
163
This is very cool!
(it's for a ridiculously simple patch in the Linux kernel)
7
6
159
Let's all agree:
Hacker skills == Number of followers.
👹👹👹👹
19
7
157
I make a living teaching how to hack JWT, I will even run a workshop at Defcon on hacking JWT.
If you are a developer and your application uses JWT spend 5 minutes and watch this video!
Level up your
#AppSec
skills with our new video on JSON Web Tokens (JWT)!
Join us as we share six practical tips to enhance your security practices. Arm yourself with these insights today! Watch, learn, apply! 🔒🎥💡
2
27
114
0
30
156
I cooked a beef bourguignon today. After a few hours cooking, the meat is falling appart like a pentest boutique that just got acquired.
12
14
155
You can find the slides for my 2 workshops at DEFCON here:
SAML_DEFCON_2023.pdf and JWT_DEFCON_2023
1
56
148
Your script kiddie name is your first name followed by your last name.
10
12
145
My kids think I have the best job:
My job is to send stickers to people all around the world.
16
5
147
Slides from my talk at
@Ruxmon
on the insecurity of JSON Web Tokens
Jwt == insecurity?
Jwt == insecurity? - Download as a PDF or view online for free
www.slideshare.net
1
82
144
If people were spending as much time learning to code as they are spending debating whether or not you need to code to work in infosec, they will be pretty decent programmer...
7
18
142
Infosec literally only want one thing and it's fucking disgusting...
@PentesterLab
Black Friday Deal.
😜😜😜
16
3
143
Indian Postal Service == UDP
You send packets but you're never sure they will arrive.
15
7
139
Don’t forget to check my soundcloud if you want help finding&exploiting bugs
0
8
136
Creating content is hard...
So if you have nothing nice to say don't say anything at all.
(Especially if it's free content)
4
13
131