Hacker News: MajesticHobo2

New comment by MajesticHobo2 in "Carrot Disclosure: Forgejo"

MajesticHobo2 — Wed, 29 Apr 2026 01:36:24 +0000

I'd say also add a test that shows the HTML injection (which spurred the PR) isn't possible. Given an attacker-controlled URL of:

    foo onclick

the following shouldn't render:

New comment by MajesticHobo2 in "Vulnerability research is cooked"

MajesticHobo2 — Mon, 30 Mar 2026 22:02:03 +0000

It was definitely partially about model quality. The frontier models are capable of producing valid findings with (reasonably) complex exploit chains on the first pass (or with limited nudging) and are much less prone to making up the kinds of nonsensical reports that were submitted to curl. Compared to now, the old models essentially didn't work for security.

If those script kiddies had been using today's models instead and _still_ didn't do any filtering, a lot more of those bugs would have been true positives.

New comment by MajesticHobo2 in "Vulnerability research is cooked"

MajesticHobo2 — Mon, 30 Mar 2026 20:54:52 +0000

> With decompilation I think there's a higher risk of it missing the intention of the code.

I'm not sure but suspect the lack of comments and documentation might be an advantage to LLMs for this use case. For security/reverse engineering work, the code's actual behavior matters a lot more than the developer's intention.

New comment by MajesticHobo2 in "Vulnerability research is cooked"

MajesticHobo2 — Mon, 30 Mar 2026 20:33:26 +0000

That was then, this is now. The new models are scarily good. If you're skeptical, just take an hour to replicate the strategy the article references. Point Claude at any open-source codebase you find interesting and instruct it to find exploitable vulnerabilities. Give it a well-defined endpoint if you want (e.g., "You must develop a Python script that triggers memory corruption via a crafted request") and see how well it does.

New comment by MajesticHobo2 in "We mourn our craft"

MajesticHobo2 — Sun, 08 Feb 2026 04:03:42 +0000

Third or fourth, maybe, not first.

New comment by MajesticHobo2 in "OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing"

MajesticHobo2 — Tue, 27 Jan 2026 19:54:12 +0000

Yes, but it would likely have to be chained with other bugs - at minimum, something that gives you an info leak.

New comment by MajesticHobo2 in "Fixing a Buffer Overflow in Unix v4 Like It's 1973"

MajesticHobo2 — Fri, 09 Jan 2026 01:07:20 +0000

Yeah, somebody came up with one here: https://news.ycombinator.com/item?id=46469897

New comment by MajesticHobo2 in "Humans May Be Able to Grow New Teeth Within Just 4 Years"

MajesticHobo2 — Wed, 31 Dec 2025 00:21:43 +0000

It’s a phase 1 clinical trial designed only to assess safety and determine the appropriate dosage. Future trials will focus on efficacy.

New comment by MajesticHobo2 in "We pwned X, Vercel, Cursor, and Discord through a supply-chain attack"

MajesticHobo2 — Thu, 18 Dec 2025 23:36:25 +0000

Wouldn't platforms see the supposed XSS payloads in their logs and publish analyses of them, or at the very least, announce that they happened?

New comment by MajesticHobo2 in "XKeyscore"

MajesticHobo2 — Sun, 07 Dec 2025 23:17:21 +0000

I'm sure they can store far more than 20 TB now, but it is true that the content pool is much larger. I would guess it's not a favorable ratio.

New comment by MajesticHobo2 in "Show HN: Cadence – A guitar theory app"

MajesticHobo2 — Wed, 22 Oct 2025 23:05:11 +0000

Thanks for making this! I've been looking for something like this for a while.

New comment by MajesticHobo2 in "iOS 18.6.1 0-click RCE POC"

MajesticHobo2 — Wed, 27 Aug 2025 15:51:33 +0000

  xxd IMGP0847.DNG | grep 03e400:
  0003e400: ffd8 ffc3 000e 0e10 800c 5002 0011 0001  ..........P.....

Look at the byte at offset 11 (0xb), it's there.

New comment by MajesticHobo2 in "iOS 18.6.1 0-click RCE POC"

MajesticHobo2 — Wed, 27 Aug 2025 02:50:55 +0000

Yes:

  dd status=none if=IMGP0847.DNG bs=1 skip=0x3e40b count=1 | xxd
  00000000: 02

New comment by MajesticHobo2 in "iOS 18.6.1 0-click RCE POC"

MajesticHobo2 — Wed, 27 Aug 2025 02:36:34 +0000

You need to click the link that says "RAW (33.0MB)". The filename should be "IMGP0847.DNG".

New comment by MajesticHobo2 in "iOS 18.6.1 0-click RCE POC"

MajesticHobo2 — Tue, 26 Aug 2025 17:26:03 +0000

I AirDropped the PoC to my vulnerable iPhone. It didn't cause a crash until I tried to edit it in the Photos app.

New comment by MajesticHobo2 in "Cross-Site Request Forgery"

MajesticHobo2 — Thu, 14 Aug 2025 18:56:25 +0000

That's exactly why I don't agree that GETs should be broadly exempted from CSRF protections. I'm not talking about CORS at all.

New comment by MajesticHobo2 in "Cross-Site Request Forgery"

MajesticHobo2 — Wed, 13 Aug 2025 19:18:34 +0000

The problem boils down to the lack of equivalence between a site and an origin. The article explains how https://app.example.com and https://marketing.example.com may sit at very different trust levels, but are considered the same site by the browser. You don't want https://marketing.example.com to be able to make requests to https://app.example.com with your authentication cookies, but SameSite wouldn't prevent that.

New comment by MajesticHobo2 in "Cross-Site Request Forgery"

MajesticHobo2 — Wed, 13 Aug 2025 19:12:02 +0000

Not sure I agree with this part:

> Allow all GET, HEAD, or OPTIONS requests.

> These are safe methods, and are assumed not to change state at various layers of the stack already.

Plenty of apps violate this assumption and do allow GET requests to alter state.

New comment by MajesticHobo2 in "What is X-Forwarded-For and when can you trust it? (2024)"

MajesticHobo2 — Sat, 26 Jul 2025 15:21:37 +0000

XFF handling is the bug that keeps on giving. I'd estimate I've seen incorrect parsing of it in at least half of the web applications I've audited professionally.

The funniest is when the app renders user IP addresses somewhere and you can get XSS through it.

New comment by MajesticHobo2 in "Local-first software (2019)"

MajesticHobo2 — Sun, 06 Jul 2025 00:35:08 +0000

You can use FTP and SVN.