Alex Birsan
Opinions only represent the views of my employer and are absolutely not my own
Feb 11, 2021 6 tweets 1 min read
So you've decided to give dependency confusion a try against your favorite bug bounty target -- or you are desperately trying to filter out the noise for your own bug bounty program.

Here are a few quick rules to spot common false positives based on your callbacks 👇 This assumes you have access to the same data as I did: hostname, current path, home path.

These are mostly automated systems that intentionally install every single new package, and therefore seeing these callbacks does not indicate a vulnerability in your target.
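The triage the thread describes (separating real targets from systems that install every new package, using the hostname, current path and home path returned by each callback) can be scripted. What follows is an added example, not code from Alex Birsan's thread or write-up. It assumes each callback record also carries the package name that triggered the install, and that a canary package under a hypothetical `zz-canary-` prefix was published that no real target could legitimately depend on; the sample callback lines and the `SCANNER_MIN_PACKAGES` threshold are constructed for illustration.

```python
"""Triage dependency-confusion callbacks: real targets vs package-scanning bots.

Added example, not from the original thread. Assumes callback records carry
package name, hostname, current path and home path, and that a canary package
(hypothetical 'zz-canary-' prefix) was published which no target would use.
"""
from collections import defaultdict

# Constructed sample callbacks: package|hostname|current path|home path.
CALLBACKS = """\
acme-internal-utils|build-agent-07.corp.example|/home/build/repo|/home/build
acme-internal-utils|ip-10-2-3-4|/tmp/pkg-scan/acme-internal-utils|/root
zz-canary-8f3a1c|ip-10-2-3-4|/tmp/pkg-scan/zz-canary-8f3a1c|/root
acme-frontend-core|ip-10-2-3-4|/tmp/pkg-scan/acme-frontend-core|/root
acme-frontend-core|dev-laptop-jdoe|/Users/jdoe/src/frontend|/Users/jdoe
zz-canary-8f3a1c|scanner.vendor.example|/work/zz-canary-8f3a1c|/home/scan
"""

CANARY_PREFIX = "zz-canary-"   # hypothetical canary naming convention
SCANNER_MIN_PACKAGES = 3       # a host installing this many distinct names is a bot


def parse_callbacks(text):
    """Parse pipe-separated callback lines into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, host, cwd, home = line.split("|", 3)
        rows.append({"package": pkg, "hostname": host, "cwd": cwd, "home": home})
    return rows


def scanner_hosts(rows):
    """Return hostnames that behave like 'install every new package' systems.

    Two signals: the host pulled the canary package (which no real build
    should depend on), or it pulled an implausible number of distinct
    package names from the same campaign.
    """
    by_host = defaultdict(set)
    for r in rows:
        by_host[r["hostname"]].add(r["package"])
    flagged = set()
    for host, pkgs in by_host.items():
        if any(p.startswith(CANARY_PREFIX) for p in pkgs):
            flagged.add(host)   # installed a name no target could use
        elif len(pkgs) >= SCANNER_MIN_PACKAGES:
            flagged.add(host)   # too many distinct packages for one target
    return flagged


def triage(text):
    """Split callbacks into (likely real target, scanner noise) lists."""
    rows = parse_callbacks(text)
    bots = scanner_hosts(rows)
    real, noise = [], []
    for r in rows:
        (noise if r["hostname"] in bots else real).append(r)
    return real, noise


if __name__ == "__main__":
    real, noise = triage(CALLBACKS)
    for r in real:
        print("REAL ", r["package"], r["hostname"], r["cwd"], r["home"])
    for r in noise:
        print("NOISE", r["package"], r["hostname"], r["cwd"], r["home"])
```

On the constructed sample, the two remaining "real" callbacks come from a corporate build agent and a developer laptop, while every callback from the host that also pulled the canary is discarded. The canary rule is the one that generalises: a system that installs every new package will install yours regardless of name, so a name you never planted anywhere is a reliable fingerprint.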
Feb 9, 2021 6 tweets 2 min read
Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

👇Check the thread after reading for a few bonus facts👇

medium.com/@alex.birsan/d…

Scope:

Other than the mentioned .NET bug, only one other team said the finding was out of scope, using this as a reason to reduce the bounty from P1 to P2.

We've also purposely avoided reporting to at least one program that had "internal or development services" listed as OOS
Apr 3, 2018 11 tweets 2 min read
This would be so cool to read if I wasn't HALFWAY THROUGH DOING MY OWN WRITEUP ABOUT THE EXACT SAME THING.

gosecure.net/2018/04/03/bey…

I am so salty right now