Hacker News: alp1n3_eth

New comment by alp1n3_eth in "Show HN: OWASP Scanner for Vibe Coded Apps"

alp1n3_eth — Sun, 27 Apr 2025 02:20:03 +0000

What are you using on the backend to actually scan it? Is it just ZAP / Burp Scanner? Or are you scanning the code itself, and just using a Semgrep / Snyk approach?

The landing page being free-tier Framer is a little sketch, the main contact should also probably be a form or an email address instead of a non-US phone number.

Is AI used throughout the entire process or just mainly focused on providing remedation recommendations based on the output of other tooling (scanners, JS analysis, secret scanning, etc.)?

Interesting project! Looking forward to see how it works and evolves.

New comment by alp1n3_eth in "Supabase raises $200M Series D at $2B valuation"

alp1n3_eth — Wed, 23 Apr 2025 13:44:09 +0000

A lot of people don't self-host it, even though it is open core. This is due to their docs being garbage and tons of differences between the offerings, so you can't even rely on the main docs if you're self-hosting.

It's easier to just become familiar with a DB UI tool like Beekeeper or DataGrip and spin up your own things. I'm also not a huge fan of being "locked-in" to so many things (including their auth). I think most projects would be better off keeping these parts separated, even if they are using third-party services to handle them, as it would be way less overhead to migrate out.

New comment by alp1n3_eth in "Notion's Lies Sunsetting Skiff Mail"

alp1n3_eth — Thu, 17 Apr 2025 13:59:58 +0000

Yep! I was sad to see Skiff shutting down, as I loved their UI and there isn't a lot of tough competition that can match ProtonMail.

I had already left Notion as the app kept getting slower / bogged down and they added tons of useless clutter, and refused to support any form of E2E/local encryption.

Mitre support for the CVE program is due to expire tomorrow

alp1n3_eth — Tue, 15 Apr 2025 18:47:04 +0000

Article URL: https://twitter.com/0xTib3rius/status/1912195160416338031

Comments URL: https://news.ycombinator.com/item?id=43696899

Points: 8

# Comments: 0

New comment by alp1n3_eth in "Ask HN: Slopsquat CVE?"

alp1n3_eth — Mon, 14 Apr 2025 22:59:40 +0000

I'd say it doesn't exactly meet the minimum standard for a CVE, as it's more of a technique vs. an actual vulnerability in an application/library. If there was a repo that had a vulnerable component that was currently infected through the manner described, that specific instance would probably qualify as a CVE.

Since this is a technique / overarching issue, it leans more towards being a CWE. Maybe something like:

- CWE-506: Embedded Malicious Code or - CWE-829: Inclusion of Functionality from Untrusted Control Sphere or - CWE-1395: Dependency on Vulnerable Third-Party Component

From Snyk's docs they also explain it: https://github.com/snyk/user-docs/blob/main/docs/manage-risk...

"In almost all cases, malicious packages are not assigned a CVE ID."

New comment by alp1n3_eth in ""Slow Pay, Low Pay or No Pay": Blue Cross Approved Surgeries Then Refused to Pay"

alp1n3_eth — Sat, 12 Apr 2025 19:08:03 +0000

"Have fun suffering and hopefully you don't die as we go through 8 medications that will most likely fail, but there's a slim chance they'll work!"

New comment by alp1n3_eth in "The Story Behind “100 Go Mistakes and How to Avoid Them”"

alp1n3_eth — Fri, 11 Apr 2025 18:12:01 +0000

Is there a good example repository to see how it's done?

New comment by alp1n3_eth in "Ask HN: Looking to Break into Cybersecurity – Where Do I Start?"

alp1n3_eth — Mon, 07 Apr 2025 13:57:23 +0000

You're a frontend web developer, so I'm assuming you're going to want to work in the areas of either:

1) application security engineering 2) application penetration testing 3) devsecops 4) vulnerability management

It really is a big difference from each person on how they "break into" it. You've got great foundational qualifications, and probably just need to layer on extra "security" ones, if you don't already have them. If you're looking to start a company / start freelancing -- I've got no clue about that though.

If you're just dipping your toes further into the web app security side, OWASP has great labs, resources, etc. They have the WSTG (more for pentesters) and ASVS (more for devs), and of course their cheat sheets as well.

PortSwigger has great resources to read through on vulnerabilities and labs that will cover a ton of different vulnerabilities. HackTheBox also offers certification pathways: CBBH and CWEE, CBBH is more beginner/intermediate and involves a blackbox approach, where CWEE is more whitebox (from what it looks like).

Just because systems have gaps, doesn't mean the orgs actually want help with those gaps, esp. unsolicited. You could always take a look at bug bounty as well (through HackerOne or BugCrowd), but it can be pretty brutal for a beginner as it can involve a ton of recon or "going deep" to reach untouched areas of an app.

React Router and the Remix'ed path: CVE-2025-31137

alp1n3_eth — Thu, 03 Apr 2025 00:44:27 +0000

Article URL: https://zhero-web-sec.github.io/research-and-things/react-router-and-the-remixed-path

Comments URL: https://news.ycombinator.com/item?id=43563488

Points: 3

# Comments: 0

New comment by alp1n3_eth in "Ask HN: What do you use to monitor website security (vulns, uptime, etc.)?"

alp1n3_eth — Wed, 02 Apr 2025 23:40:41 +0000

Externally / Blackbox options would be Nessus, Nuclei, OWASP ZAP (as you mentioned), and Burp Suite. The two latter only work well when used in combination with manual methods though, as they won't pick up business logic, auth bypass, MFLAC/IDOR, etc. on their own.

A lot of scanning templates / rulesets won't be 100% accurate or up-to-date, and will easily miss a lot of big things, so having it pentested by an actual person is always important.

From the source code side of things, Semgrep / CodeQL, Veracode / Snyk, Burp Enterprise (CI/CD), etc. are good options. But again, most places shouldn't get just scans, there should be a manual component involving a security professional who knows what they're doing.

XBOW is making some pretty cool strides in the meantime from a blackbox perspective though.

New comment by alp1n3_eth in "Ask HN: Do you still self-host a blog? What's your publishing stack?"

alp1n3_eth — Wed, 02 Apr 2025 23:29:34 +0000

A lot of aggregators will also not allow your blog to be posted if it's on a newsletter site like Substack, Patreon, etc.

I use GitHub Pages for hosting, Porkbun for the domain, and Astro for the blog itself. EZPZ to manage and very straightforward, plus Astro's docs are great.

New comment by alp1n3_eth in "Waltz's team set up at least 20 Signal group chats for crises across the world"

alp1n3_eth — Wed, 02 Apr 2025 20:39:10 +0000

You'd be surprised how much the government would potentially hurt itself in its own confusion. Not all parts of it are aligned to the same beliefs / mission, and there are certainly parts that believe in the saying "Why are you worried if you have nothing to hide".

Don't Overthink the Easy Choices

alp1n3_eth — Wed, 02 Apr 2025 15:17:54 +0000

Article URL: https://alp1n3.dev/blog/0005-dont-overthink-easy-choices/

Comments URL: https://news.ycombinator.com/item?id=43557652

Points: 1

# Comments: 0

New comment by alp1n3_eth in "Caido – A lightweight web security auditing toolkit"

alp1n3_eth — Sun, 30 Mar 2025 16:50:24 +0000

I appreciate Caido because of the ability to save projects in the free tier, which I use for (personal use) different projects and tinkering. Burp Pro is my daily driver at work, and I think Caido could certainly use some improvement to their UI/UX, as it's about as bad as Burp's (which isn't great).

The speed is an awesome gain though, as it's truly lightweight and runs a million times better than Burp. Even without Extensions, some days my Burp Pro is just randomly crashing and gobbling up CPU/RAM for no obvious reason and requires a program or system restart. I've never run into the same issue with Caido.

New comment by alp1n3_eth in "Apple needs a Snow Sequoia"

alp1n3_eth — Fri, 28 Mar 2025 18:21:01 +0000

If you want a super bad audio-related journey, try fixing external speakers connected to a Linux box. It's abysmal, and 99% of it can only be done via the CLI. Nothing wrong with that... but for something so normal I expected more ease-of-use.

New comment by alp1n3_eth in "How I pwned a major New Zealand service provider"

alp1n3_eth — Fri, 28 Mar 2025 00:17:33 +0000

Weirdly enough... not always.

When it comes to random companies running their own VDP vs. hiring it out, it can be less than standard despite there being lots of resources on setting it up. I've seen ones that only include a phone number, the email address listed doesn't exist anymore, etc.

Others have had to even get to the point of contacting an executive via LinkedIn despite there being a VDP page / security.txt.

Do What I Mean (DWIM)

alp1n3_eth — Thu, 27 Mar 2025 11:42:10 +0000

Article URL: https://alp1n3.dev/blog/0020-do-what-i-mean/

Comments URL: https://news.ycombinator.com/item?id=43492566

Points: 1

# Comments: 0

Don't Pre-Optimize with Go

alp1n3_eth — Wed, 26 Mar 2025 14:48:10 +0000

Article URL: https://alp1n3.dev/blog/0023-dont-pre-optimize/

Comments URL: https://news.ycombinator.com/item?id=43482854

Points: 1

# Comments: 0

Next.js Middleware Exploit: Deep Dive into CVE-2025-29927 Authorization Bypass

alp1n3_eth — Sat, 22 Mar 2025 22:32:03 +0000

Article URL: https://zeropath.com/blog/nextjs-middleware-cve-2025-29927-auth-bypass

Comments URL: https://news.ycombinator.com/item?id=43449182

Points: 3

# Comments: 0

New comment by alp1n3_eth in "fd: A simple, fast and user-friendly alternative to 'find'"

alp1n3_eth — Wed, 19 Mar 2025 16:03:13 +0000

Surprisingly, Go is great for CLI tooling. It may not have the insane speed that carefully planned and written Rust does, but it's very easy to write and be performant without even needing to go to great lengths to optimize it.

I generally say that anything under 500ms is good for commands that aren't crunching data, and even Python CLI tools can come in under that number without too much effort.