今日已更新 166 条资讯 | 累计 20138 条内容
关于我们

标签:#SEC

找到 669 篇相关文章

AI 资讯

The Session ID That Wouldn't Stop Changing

I was implementing a feature where the session container would track a lastActivity timestamp, updated on every authenticated request. Standard stuff. I wrote it, tested it locally with curl, and noticed something odd: I kept getting a new Set-Cookie header value on every response. Not occasionally. On every single one. A week later I was sending a pull request to mezzio/mezzio-session-cache . The Setup: Two Backends, One Session Our system had a constraint: two backend applications, written in different languages, sharing a single user session. One was the main PHP/Mezzio app. The other was a service in a different stack that needed to read from, and update the lastActivity timestamp on, the same session container. There are a few ways to make polyglot session sharing work. We landed on a shared cache backend (Redis) with a well-defined session structure. Both apps could read and write through their own libraries, as long as they agreed on the storage format and the cookie name. The session ID was the contract. That contract is the part that quietly broke. A Missing Escape Hatch My first instinct was the usual list of suspects. Was something calling regenerateId() in a middleware I didn't know about? Was there a logout being triggered somehow? Was a misconfigured cache layer evicting and recreating sessions? After a bit of digging through the call stack, I ended up in the library itself. And there it was: CacheSessionPersistence was regenerating the session ID whenever the session data changed . Not on login. Not on privilege escalation. On every write . That's when the real question hit me: why on earth would a library do that by default? Reading Code Before Changing It When you find behavior that surprises you in someone else's code, the wrong move is to immediately label it broken. The right move is to assume the maintainers had a reason, and find out what it was. The reason, in this case, is session fixation . Session fixation is a class of attack where an atta

2026-07-07 原文 →
AI 资讯

OWASP Top 10 #1: Understanding Broken Access Control (Beginner's Guide)

Disclaimer: I'm currently learning web security through OWASP and PortSwigger Web Security Academy. These are my beginner-friendly notes rewritten as a blog to help reinforce my understanding. If you're just starting out, I hope this makes the topic easier to understand. What you'll learn: In this article you'll learn: ✔ What Broken Access Control is ✔ Vertical Privilege Escalation ✔ Security by Obscurity ✔ Parameter-Based Access Control ✔ Platform Misconfiguration ✔ Horizontal → Vertical Escalation ✔ IDOR ✔ Lessons learned from PortSwigger labs Concept Map: What is Broken Access Control? Broken Access Control happens when a user is able to access data, pages, or perform actions that they are not supposed to . Why should you care? Broken Access Control has ranked #1 in the OWASP Top 10 (2021) because it can expose sensitive data, allow privilege escalation, and let attackers perform actions they should never be able to perform. Think of a website with two types of users: Normal User Admin A normal user should only be able to view their own profile and perform basic actions. An admin, however, can manage users, delete accounts, change settings, etc. If a normal user somehow gains access to those admin features, that's Broken Access Control . In interview terms: Broken Access Control is the failure to properly enforce authorization, allowing users to perform actions beyond their intended permissions. 1. Vertical Privilege Escalation Vertical Privilege Escalation means moving up the permission hierarchy. Example: Normal User ↓ Admin A normal user should never be able to become an administrator. 1.1 Unprotected Functionality One of the simplest forms of Broken Access Control is Unprotected Functionality . Imagine a website has an admin page: /admin The developer removes the Admin button from the normal user's dashboard. Problem solved? No. If a user manually visits: /admin and the server doesn't verify whether they're actually an admin, the page opens. The mistake here

2026-07-07 原文 →
AI 资讯

AI Governance Without Compute: Why Policy Fails When Infrastructure Isn’t Part of the Conversation

Introduction AI governance is often framed around risk, ethics, safety, and international cooperation. These are essential, but they are not sufficient. Governance only becomes real when countries have the computing infrastructure required to run, monitor, and maintain modern AI systems. Without compute, governance is theory. With compute, governance becomes capability. This article explores the missing execution layer in global AI governance — and why bridging the AI divide requires far more than policy alignment. The Hidden Dependency: Governance Assumes Infrastructure Most governance frameworks implicitly assume that nations already have: access to high performance compute reliable data pipelines secure storage operational tooling energy capacity connectivity skilled operators But this assumption is false for the majority of the world. The global AI divide is not primarily about access to models. It is about access to the infrastructure required to run them. Governance frameworks that ignore this reality risk becoming aspirational rather than actionable. The Execution Layer: Where Policy Meets Reality The execution layer is the part of AI governance that turns policy into practice. It includes: compute infrastructure data ingestion and processing pipelines monitoring and evaluation tooling human in the loop operational workflows maintenance and lifecycle management energy and cooling requirements secure deployment environments This layer is rarely discussed in governance conversations, yet it is the foundation upon which all responsible AI depends. Without an execution layer, governance collapses into paperwork. The Real Global Divide Isn’t About Models — It’s About Compute There is a persistent misconception that the AI divide is about access to large models. In reality, the divide is driven by: insufficient compute unreliable infrastructure lack of operational capacity limited data availability absence of secure environments dependency on external providers A c

2026-07-07 原文 →
AI 资讯

AI Doesn't Recommend the Best Product. It Recommends the Best Explained Product.

A simple bubble tea experiment completely changed how I think about AI recommendations. Last week, I asked ChatGPT a question that seemed almost impossible to get wrong. "What are the best bubble tea brands in my city?" Surprisingly,some of the recommended brands were companies I had never heard of before. A few weren't even available in the cities I had lived in. After asking the same question to Claude, Gemini, and DeepSeek, I noticed something interesting that many of the same brands which I'm not familiar kept appearing. AI Isn't Judging Your Brand Humans recommend products because they have experiences. But AI does none of those things. It doesn't know whether one brand actually tastes better than another. Instead, it tries to generate the most statistically reliable answer based on the information it can understand. So, AI doesn't recommend the best brand. It recommends the brand it understands best. The Experiment That Changed My Perspective Once I realized this, I started paying closer attention. I didn't only test bubble tea but also the restaurants, beauty brands, consumer electronics, and ravel recommendations. Again and again, I noticed a pattern. Brands that consistently appeared in AI recommendations usually had several characteristics: Clear product descriptions Well-structured websites Consistent public information Plenty of third-party coverage Easy-to-understand positioning Meanwhile, some excellent brands barely appeared at all, because AI had much less reliable information to work with. That's when I stopped thinking about AI recommendations as opinions. They're much closer to information retrieval problems than human preferences. Consumers Are Already Changing Their Habits This matters because people are beginning to use AI differently from traditional search engines. Instead of searching "Best bubble tea near me", many people (especially the youth) now ask AI to recommend a healthy milk tea brand." The AI becomes the decision maker before the c

2026-07-07 原文 →
AI 资讯

Your AI Workloads Are the New Cloud Sprawl — And Nobody Is Watching

AI is coming for your cloud budget before it comes for your job. Everyone is talking about what AI will do to engineers. Nobody is talking about what AI services are doing to cloud bills right now. Every team is spinning up AI workloads. LLM endpoints; vector databases; GPU instances; embedding pipelines. All of them expensive. Most of them ungoverned. I have seen environments where AI service costs doubled in 30 days because nobody set a budget limit. No alerts. No guardrails. Just an invoice that surprised everyone at month end. This is the new cloud sprawl. But instead of forgotten EC2 instances it is uncontrolled AI API calls and model inference costs running 24/7. The same discipline that applies to cloud infrastructure applies here. Who is allowed to spin up AI services. What models are approved for use. How are API keys being managed. Are there rate limits in place. Is anyone reviewing the cost daily. AI governance in the cloud is not an AI problem. It is a cloud security and FinOps problem wearing an AI hat. The teams that win with AI are not the ones moving fastest. They are the ones who built guardrails before the bill arrived. Govern your AI workloads the same way you govern everything else in your cloud. Before the invoice does it for you.

2026-07-07 原文 →
AI 资讯

The ‘first’ AI-run ransomware attack still needed a human

An AI agent carried out the technical execution of a real-world ransomware attack for the first known time, but new details show a human still chose the victim, set up the infrastructure, and supplied stolen credentials — meaning it wasn't quite the fully autonomous cybercrime debut that last week's headlines suggested.

2026-07-07 原文 →
AI 资讯

Hardening my own Nmap web UI: the security holes I shipped, and what actually saved me

I built a web front end for an Nmap-based port scanner: a FastAPI backend, a React dashboard, background scan jobs, a plugin system. It worked. Then I sat down and audited it like an attacker would — and found a stack of real weaknesses, plus a lesson in why you verify an exploit before you call it one. This is the honest version: the holes I found, the unauthenticated-RCE chain I thought I had, why it didn't actually fire, and the hardening I shipped anyway. Repo: https://github.com/DipesThapa/PortScanner This is my own project, audited and fixed by me. No third-party systems were touched. Scanners are dual-use — only ever point one at hosts you own or are authorised to test. Hole 1: no authentication, anywhere The foundation: every API route and the /ws/status WebSocket were open. No API key, no session. The Dockerfile bound 0.0.0.0:8000 and ran as root. Anyone who could reach the port could drive scans, hit the upload endpoint, and read every job's logs. api_router = APIRouter () # no dependencies — fully open This is the real, unambiguous problem. Everything below is only interesting because it sat behind no auth. Hole 2: an upload endpoint that allowlisted its own files Deep-dive follow-up commands ran against an allowlist — good instinct. But an upload endpoint wrote a file, chmod +x 'd it, and then added it to that same allowlist: for item in scripts_dir . glob ( " * " ): if item . is_file (): allowed . add ( str ( item . absolute ())) # upload authorises itself An allowlist any input can extend isn't an allowlist. This is a genuine design footgun. Hole 3: the RCE I thought I had — and why it didn't fire Here's the chain I got excited about: the scan target flows toward Nmap's argv, and it's subprocess.run(..., shell=False) . No shell injection — but you don't need a shell to abuse Nmap. If a target became --script=/uploaded.nse , Nmap would load and run that NSE (Lua) script, and NSE can call os.execute . Upload a malicious .nse (Hole 2), get Nmap to load it

2026-07-07 原文 →
AI 资讯

Beyond the Playbook: Architecting Defenses Against Autonomous AI Threats

Beyond the Playbook: Architecting Defenses Against Autonomous AI Threats We used to build security systems assuming the attacker was human. That assumption just died. Recent research demonstrations involving autonomous AI agents, such as "JadePuffer", have shown how quickly this shift is happening: an autonomous system independently compromised an unsecured Langflow instance, corrected failed authentication attempts, escalated privileges, exfiltrated credentials, and deployed ransomware — all without human intervention. This is not a one-off curiosity. It marks the beginning of a fundamental change in the threat landscape. Recent research demonstrations involving autonomous AI agents, such as "JadePuffer", have shown how quickly this shift is happening: an autonomous system independently compromised an unsecured Langflow instance, corrected failed authentication attempts, escalated privileges, exfiltrated credentials, and deployed ransomware. All without human intervention. This is not a one-off curiosity. It marks the beginning of a fundamental change in the threat landscape. From Static Playbooks to Autonomous Attackers Traditional ransomware follows predictable patterns. A script runs through a fixed playbook: scan, encrypt, demand ransom. If one step fails, the attack often stalls. Autonomous AI agents operate differently. They analyze their environment in real time, adapt when initial attempts fail, make contextual decisions about targets and techniques, and chain multiple exploits together without predefined sequences. This introduces machine-speed lateral movement. Something human defenders and traditional security tools are not built to handle. The Defensive Automation Gap The core problem is asymmetry. Attackers are rapidly automating both reconnaissance and execution. Defenders, on the other hand, still rely heavily on manual processes, static rules, and human-driven response. This "Defensive Automation Gap" creates dangerous imbalances in speed, scale, an

2026-07-07 原文 →
AI 资讯

Introducing Synapse: a deterministic-first, open-source SCA and evidence platform

We just open-sourced Synapse , a governed control plane for software composition analysis, recon, evidence, and reporting. It is built for people who have to scan a dependency tree, prove what they found, and hand over a report that holds up. Site: https://synapse.kkloudtarus.net/ Code: https://github.com/KKloudTarus/synapse-ce (Apache-2.0) Why we built it The usual workflow is fragmented. One tool for the SBOM, another for vulnerabilities, a spreadsheet for licenses, a folder of screenshots for evidence, and a report you assemble by hand. Nothing is reproducible, and when a client asks "how do you know this is real," the answer lives in someone's memory. Adding an LLM that writes your findings only makes that worse. We wanted the opposite: fast, but provable. What it is Synapse runs the assessment lifecycle behind one control plane, in Go, clean architecture. A few ideas hold it together: Deterministic-first. Scanning, matching, license classification, and reporting are pure, reproducible Go. There is no model in the report path. Scope-gated execution. Every engagement carries a scope and an authorization window, enforced server-side before any tool runs. Tools run via argument arrays, never a shell string. Tamper-evident evidence. Every artifact is hash-chained and append-only. A broken chain blocks the report. Bounded automation. The optional AI layer only ever proposes. A distinct verifier or a human confirms. The agent can never confirm its own claim. What it does today: SBOM across 15+ ecosystems, multi-source vulnerability detection with risk-based prioritization (KEV, then EPSS, then CVSS), license compliance, reachability, and deterministic reports in CycloneDX, SPDX, SARIF, and OpenVEX. Try it git clone https://github.com/KKloudTarus/synapse-ce.git cd synapse-ce docker compose -f deploy/docker-compose.full.yml up --build # open http://localhost:5173 Or gate CI on real risk: ./bin/synapse-cli scan . --fail-on high . We are looking for contributors Synapse i

2026-07-07 原文 →
AI 资讯

Operation DragonReturn: DcRAT Deployment via Fake ITR Utilities

Originally published on satyamrastogi.com Seqrite Labs identifies multi-stage DcRAT campaign impersonating India's Income Tax Department. Attackers exploit tax professional workflows to deliver remote access trojans capable of data exfiltration and lateral movement. Operation DragonReturn: DcRAT Deployment via Fake ITR Utilities Executive Summary A China-nexus threat cluster is actively exploiting the predictable workflows of Indian tax professionals, corporate finance teams, and individual taxpayers through phishing campaigns distributing DcRAT (Dark Crystal Remote Access Trojan). Operation DragonReturn, as tracked by Seqrite Labs, demonstrates sophisticated understanding of Indian taxation cycles and organizational structures - critical operational intelligence required for high-success-rate social engineering. From an attacker's perspective, this campaign is methodologically sound: it targets a specific, predictable event (tax filing deadlines), uses trusted entity impersonation (Income Tax Department), and deploys a mature RAT with established evasion capabilities. The selection of DcRAT indicates access to commodity malware-as-a-service (MaaS) infrastructure, likely from Chinese underground forums where such tools are actively monetized and continuously updated. Attack Vector Analysis This operation chains multiple MITRE ATT&CK techniques into a cohesive infection chain: Initial Compromise: Spear-Phishing with Pretexting Attackers execute T1566.002 (Phishing - Spearphishing Attachment) by crafting emails impersonating legitimate Indian Income Tax Department communications. The social engineering layer leverages T1598.003 (Phishing - Spearphishing Link) with URLs pointing to malicious tax filing utilities. Pretexting is enhanced through T1589.001 (Gather Victim Identity Information - Credentials) , as attackers likely harvested tax professional contact lists from public records, LinkedIn OSINT, or previous data breaches. The timing of campaigns around Indian fis

2026-07-07 原文 →
AI 资讯

Cómo hablar con tu base de datos usando IA y construir un extractor SQL seguro con Streamlit

Abstract Cada vez más equipos quieren consultar datos sin escribir SQL a mano. El problema es que un sistema Text-to-SQL no solo debe “traducir preguntas”, sino también entender el esquema, restringir permisos, validar consultas y explicar por qué una consulta es rápida o lenta. Ese enfoque coincide con la ruta propuesta por el tutorial oficial de LangChain para agentes SQL: listar tablas, inspeccionar esquemas, generar la consulta, revisarla, ejecutarla y corregir errores hasta obtener una respuesta; y el propio tutorial advierte que ejecutar SQL generado por modelos tiene riesgos y exige permisos mínimos. En paralelo, la documentación oficial de Python recomienda usar placeholders en sqlite3 para enlazar parámetros y evitar inyección SQL, mientras que la documentación de SQLite explica que EXPLAIN QUERY PLAN permite inspeccionar si una consulta hace SCAN, SEARCH y si usa índices. manueldongo23 / sql_ai_sales_assistant_demo SQL AI Sales Assistant A safe Text-to-SQL demo that converts natural language business questions into SQL queries, executes them on a local SQLite retail database, and shows the generated SQL plus EXPLAIN QUERY PLAN . This project was created as evidence for an article about SQL AI Database Solutions . Topic Talk to your database with AI: build a safe SQL query extractor with Streamlit and SQLite. Features Natural language prompts such as sales by month , top customers , sales in Lima . Rule-assisted NL→SQL generation, designed to be transparent and auditable. SQLite demo database with customers, products, orders and order items. Read-only SQL validator that blocks destructive commands. Parameterized queries for user-provided filters. Streamlit interface. CLI demo for quick testing. Query plan inspection with EXPLAIN QUERY PLAN . Architecture User question ↓ NL → SQL interpreter ↓ Read-only SQL validator ↓ SQLite execution ↓ Results + EXPLAIN QUERY … View on GitHub Cuerpo del artículo La promesa de SQL + IA suena sencilla: le haces una pregunta

2026-07-06 原文 →
AI 资讯

The part of a PaaS you use most should have the least power — so I built Mooring

I have a folder on my laptop called side-projects . Most of them are Dockerized. Most of them will never see more than a handful of users. And for years, every one of them hit the same wall: getting the thing onto a cheap VPS without losing a weekend — and copy-pasting my own past mistakes forward every single time. Here's the opinion that eventually turned into a project: the part of a PaaS you touch most often should hold the least power over your server. Think of a deploy tool as two planes. There's a read plane — dashboards, logs, container health, the stuff you stare at — where you spend most of your time and which is your most exposed surface. And there's a write plane — deploy, restart, the actions that actually change the system — which is rare and should be gated. My frustration was that the thing I looked at all day and the thing that could rewrite my box tended to sit on the same pile of privilege. So I built Mooring to keep those two planes apart. It's an early, solo project, and this post is me showing it and asking for eyes on it. The mental model The whole thing, end to end: Install it as an unprivileged systemd service (not root). Connect a git repo. Write one mooring.yaml . Click Deploy. That's the loop. Everything below is what's underneath it. What it is Mooring is a small, security-first, self-hosted control plane for Docker — a tiny PaaS. You point it at a git repo, describe your app once, and it deploys and runs your containers on your own server. Same territory as Coolify, Dokku, CapRover, and Kamal — all genuinely good work. The difference I care about is the posture underneath. It ships as one static, CGO-free Go binary . It runs as an unprivileged systemd service — not root. State lives in SQLite (the pure-Go modernc driver). Every asset is embedded with go:embed , so there's no node_modules , no asset pipeline, nothing to build on the box. To be honest about the neighborhood: setting up a self-hosted PaaS, these tools tend to want broad ac

2026-07-06 原文 →
AI 资讯

How to Set Up Claude Code for a Project with Skills, Agents, Hooks, and a Secure GitHub Repository

How to Set Up Claude Code for a Project with Skills, Agents, Hooks, and a Secure GitHub Repository AI coding tools work best when they understand the project around the code. A fresh Claude Code session can answer questions and edit files, but it does not automatically know your architecture decisions, coding standards, security expectations, testing rules, pull request format, or operational constraints. That context needs to live somewhere predictable. This guide walks through a full Claude Code project setup using a reusable repository owned by desertfox33 : Reference repository: https://github.com/desertfox33/claude-code-project-template The goal is not just to create folders. The goal is to make Claude Code behave consistently across real project work: reviewing code, writing tests, preparing pull requests, checking security concerns, and following project-specific rules. Before using this setup in a production environment, verify current Claude Code behavior against the latest official documentation. Tooling, configuration names, and feature behavior can change. What We Are Building The repository uses this structure: claude-code-project-template/ ├── CLAUDE.md ├── CLAUDE.local.md.example ├── AGENTS.md ├── .mcp.example.json ├── .gitignore ├── SECURITY.md ├── CONTRIBUTING.md ├── .github/ │ ├── CODEOWNERS │ ├── dependabot.yml │ └── pull_request_template.md ├── .claude/ │ ├── settings.json │ ├── settings.local.json.example │ ├── rules/ │ │ ├── code-style.md │ │ ├── api-conventions.md │ │ ├── testing-standard.md │ │ └── pr.md │ ├── commands/ │ │ ├── review.md │ │ ├── deploy.md │ │ ├── scaffold.md │ │ ├── test.md │ │ └── pr.md │ ├── skills/ │ │ ├── code-review/ │ │ │ ├── SKILL.md │ │ │ └── review-checklist.md │ │ ├── testing-patterns/ │ │ │ ├── SKILL.md │ │ │ └── test-strategy.md │ │ ├── pr-description/ │ │ │ ├── SKILL.md │ │ │ └── template.md │ │ └── security-review/ │ │ └── SKILL.md │ ├── agents/ │ │ ├── security-reviewer.md │ │ ├── test-writer.md │ │ └── researc

2026-07-06 原文 →
AI 资讯

Self-Hosting Like a Pro, Part 1: Hardening a Fresh Ubuntu VPS

This is the first article in a four-part series where I document how I turned a 10€/month VPS into a production-grade platform hosting my portfolio, a university group webapplication and a SaaS product, all isolated from each other with Kubernetes. In this part, we take a fresh Ubuntu server and lock it down properly before installing anything else. Why bother with hardening? The moment your VPS gets a public IP address, it starts receiving attacks. Not "might receive", it starts . Within minutes, automated bots will probe port 22, try root:root , admin:admin123 and thousands of other credential combinations. If you skip this step and jump straight to deploying your apps, you are building on sand. The good news: an hour of work is enough to eliminate the vast majority of these threats. Here is what we will set up: A non-root user with sudo privileges SSH key authentication, with passwords and root login disabled UFW as a simple, effective firewall Fail2ban to ban brute-force attackers automatically Automatic security updates What you need A fresh VPS running Ubuntu 24.04 LTS or newer. I use a Hostinger KVM 2 (2 vCPU, 8 GB RAM, 100 GB NVMe), but any provider works: Hetzner, DigitalOcean, OVH, Contabo. The root password or SSH key your provider gave you. A terminal on your local machine (macOS, Linux, or WSL on Windows). Throughout this tutorial, replace YOUR_SERVER_IP with your server's IP address and deploy with the username you want to use. Step 1: First login and system update Connect as root for the first and last time: ssh root@YOUR_SERVER_IP Update everything before touching anything else: apt update && apt upgrade -y apt autoremove -y If a kernel update was installed, reboot now: reboot Wait a minute, then reconnect. Step 2: Create a non-root user Working as root is like driving without a seatbelt: fine until it isn't. One mistyped rm -rf and the party is over. Create a dedicated user: adduser deploy Choose a strong password (you will still need it for sudo ,

2026-07-06 原文 →
AI 资讯

BOLA: a falha de segurança que a autenticação não resolve (e como eu blindei meu SaaS multi-tenant)

Meses atrás eu estava fazendo uma varredura de segurança no sistema multi-tenant da minha empresa, procurando vulnerabilidades. Afinal, já é um sistema que conta com diversos usuários e que a cada mês vem crescendo mais. Cyber security não é a minha área, então pedi um relatório com todos os achados pro nosso querido amigo Fable 5. O primeiro item veio destacado em vermelho, caixa alta, com a categoria mais grave possível: BOLA (Broken Object Level Authorization). Eu nunca tinha visto esse termo, e ele estava registrado como uma falha grave que eu nem sabia que existia. O sistema nasceu antes do advento da IA escrever código do jeito como faz hoje. Começou comigo codando na mão; meu foco era fazer funcionar para melhorar depois. Com a chegada da IA, parei de escrever código e passei a revisar e garantir qualidade. Só que, naquele relatório, eu não entendia metade dos erros listados. Não conhecia os nomes e muito menos sabia por que eram tão graves. E aí me caiu a ficha: eu sou um legítimo impostor. (Pelo menos era o que eu pensava e sentia.) Escrever código era onde eu sentia o esforço, a prova concreta de estar construindo algo com a minha criatividade. Como o Brooks escreve em O Mítico Homem-Mês: "a programação é divertida, porque satisfaz anseios criativos acalentados profundamente dentro de nós". Minha prioridade era resolver o problema, mas, pra resolver, eu tinha que entender onde estava pisando. O que é esse tal BOLA, e por que é tão grave? Este artigo é o que eu descobri. O que é BOLA A OWASP, que mantém a lista das falhas de segurança de API mais críticas, coloca o BOLA em primeiro lugar no ranking de 2023: a mais comum e a mais fácil de explorar. Ou seja, está em todo lugar e não exige um gênio pra abusar. A ideia central é simples. Toda vez que uma API recebe o ID de um objeto e faz alguma coisa com ele, seja POST, GET, DELETE ou o que for, ela precisa checar uma pergunta antes de responder: o usuário logado tem permissão pra acessar este objeto específic

2026-07-06 原文 →
开发者

Reverse Engineering is so cool

I want to share some thoughts about Reverse Engineering. I love JavaScript and TypeScript, but sometimes I don't want to create something, but the opposite, to understand how others programs work. Working with IDA and x64dbg is the best thing in the world. Btw, at the beginning I used Ghidra, but after I tried IDA, I liked it more. What do you think, what tool is better, IDA or Ghidra? 🤗

2026-07-06 原文 →