Search results for "json parse javascript online": 1 - 39 of 39

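  • [2020] Summary of Attack Techniques in CTF Web Challenges - こんとろーるしーこんとろーるぶい

    Introduction Target events How to read and use this article Remote Code Execution (RCE) Bypassing open_basedir by specifying a parent directory Bypassing open_basedir and disable_functions through a TCP socket connection to PHP-FPM Running a shell with Java's Runtime.exec Cross-Site Scripting (XSS) Disabling the CSP header when the HTTP status code can be manipulated in an nginx environment XSS vulnerability in the sanitizer of Google's Closure Library Registering a Service Worker through a web proxy feature XSS without parentheses Specifying the destination URL without the / character Using SOME (Same Origin Method Execution) to run document.write calls in sequence SQL Injection MySQ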

  • Remix vs Next.js

    Easily the biggest question we get asked is something like: How is Remix different from Next.js? It appears we have to answer this question! We'd like to address it directly and without drama. If you're a fan of Remix and want to start tweeting smug reactions to this article, we kindly ask that you drop the smugness before hitting the tweet button 🤗. A rising tide lifts all boats. We've been frie

  • Introduction to Bug Bounty (How to Get Started) - blog of morioka12

    1. Introduction Hello, this is morioka12. As an introduction to bug bounty, this article covers finding and reporting vulnerabilities and receiving bounties, mainly for web applications. [Updated 2026/02/02] Notice zenn.dev 1. Introduction [Updated 2026/02/02] Notice Disclaimer Intended readers Author's background Start Bug Bounty Bug Bounty JP Podcast [Blog] Intigriti Q1 2024 results Interview articles 2. What is bug bounty? Bug bounty platforms Program Type Private Programs VDP (Vulnerability Disclosure Program) Asset Type 3. How to choose a program Scope OoS (Out of Scope) 4.

  • REST API Design Best Practices Handbook – How to Build a REST API with JavaScript, Node.js, and Express.js

    By Jean-Marc Möckel I've created and consumed many APIs over the past few years. During that time, I've come across good and bad practices and have experienced nasty situations when consuming and building APIs. But there also have been great moments. There are helpful articles online which present many best practices, but many of them lack some practicality in my opinion. Knowing the theory with

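  • We Introduced Sorbet, a Type Checker for Ruby - freee Developers Hub

    I'm id:nanjakkun, and I serve as tech lead on the tax filing team. At freee, many products, starting with freee会計, are implemented as Ruby on Rails (hereafter Rails) applications. In day-to-day development, I sometimes wish that static types could be resolved in Ruby as well. So I tried introducing Sorbet, a type checker for Ruby, into freee申告. What is Sorbet? sorbet.org It is a gradual type checker published by Stripe, the company that operates the payment processing service Stripe. * As an aside, the freee App Store supports paid sales of apps that use Stripe as the payment method. developers.freee.co.jp Preparing to sell paid apps | freee Developers Community What is gradual typing? Gradual typing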

  • npm audit: Broken by Design — overreacted

    Security is important. Nobody wants to be the person advocating for less security. So nobody wants to say it. But somebody has to say it. So I guess I’ll say it. The way npm audit works is broken. Its rollout as a default after every npm install was rushed, inconsiderate, and inadequate for the front-end tooling. Have you heard the story about the boy who cried wolf? Spoiler alert: the wolf eats t

  • How modern browsers work

    Note: For those eager to dive deep into how browsers work, an excellent resource is Browser Engineering by Pavel Panchekha and Chris Harrelson (available at browser.engineering). Please do check it out. This article is an overview of how browsers work. Web developers often treat the browser as a black box that magically transforms HTML, CSS, and JavaScript into interactive web applications. In tru

  • Actions

    The app provides 180+ powerful extra actions for the Shortcuts app on macOS, iOS, and visionOS. These actions make it significantly easier to create shortcuts. IMPORTANT Restart your device if the actions do not show up in the Shortcuts app. Learn more › If you have any questions about how to use the different actions or for what, try asking the Actions GPT bot. And if you want to feed your own AI

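  • An Introduction to the Software Supply Chain from a Bug Hunter's Perspective - blog of morioka12

    Introduction Hello, this is morioka12. This article is an introductory blog post that explains the software supply chain from a bug hunter's perspective. It is based on last year's LT presentation "Supply Chain Vulnerabilities from a Bug Hunter's Perspective" ("Talking About the 'Supply Chain Attacks' You Don't Know: Security Night", December 2025), restructured as introductory content with supplementary material added. speakerdeck.com https://speakerdeck.com/scgajge12/baguhantashi-dian-niyorusapuraitiennocui-ruo-xing https://x.com/scgajge12/status/1996546273403600953?s=20 Notes All of the techniques and cases introduced in this article, legitimate bug bou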

  • May 2025 (version 1.101)

    Release date: June 12, 2025 Security update: The following extension has security updates: ms-python.python. Update 1.101.1: The update addresses these issues. Update 1.101.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome t

  • How We Hacked a Software Supply Chain for $50K

    Feb 11, 2025 RONI CARTA | LUPIN supply chain attack, docker, red team, artifact, bug bounty, pwn Introduction Back in 2021, I was still early in my offensive security journey. I had already hacked several companies and was earning a steady income through Bug Bounty Hunting, an ethical hacking practice where security researchers find and report vulnerabilities for monetary rewards. However, I wasn’

  • Data Fetching Patterns in Single-Page Applications

    When a single-page application needs to fetch data from a remote source, it needs to do so while remaining responsive and providing feedback to the user during an often slow query. Five patterns help with this. Asynchronous State Handler wraps these queries with meta-queries for the state of the query. Parallel Data Fetching minimizes wait time. Fallback Markup specifies fallback displays in marku

  • Anthropic’s Claude 3 Opus model is now available on Amazon Bedrock | Amazon Web Services

    AWS News Blog Anthropic’s Claude 3 Opus model is now available on Amazon Bedrock We are living in the generative artificial intelligence (AI) era; a time of rapid innovation. When Anthropic announced its Claude 3 foundation models (FMs) on March 4, we made Claude 3 Sonnet, a model balanced between skills and speed, available on Amazon Bedrock the same day. On March 13, we launched the Claude 3 Hai

  • January 2025 (version 1.97)

    Update 1.97.1: The update addresses these security issues. Update 1.97.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the January 2025 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Next Edit Suggestions (preview) - Co

  • The Grug Brained Developer

    The Grug Brained Developer A layman's guide to thinking like the self-aware smol brained Introduction this collection of thoughts on software development gathered by grug brain developer grug brain developer not so smart, but grug brain developer program many long year and learn some things although mostly still confused grug brain developer try collect learns into small, easily digestible and fun

  • My thoughts on writing a Minecraft server from scratch (in Bash)

    My thoughts on writing a Minecraft server from scratch (in Bash) For the past year or so, I've been thinking about writing a Minecraft server in Bash as a thought exercise. I once tried that before with the Classic protocol (the one from 2009), but I quickly realized there wasn't really a way to properly parse binary data in bash. Take the following code sample: function a() { read -n 2 uwu echo

  • WebKit Features in Safari 18.4

    Mar 31, 2025 by Jen Simmons, Saron Yitbarek, Jon Davis, Razvan Caliman, Karl Dubost, Brady Eidson, Elika Etemad, Youenn Fablet, Matthew Finkel, Simon Fraser, Timothy Hatcher, David Johnson, Anne van Kesteren, Daniel Liu, Keith Miller, Rupin Mittal, Tim Nguyen, Pascoe, Abrar Rahman Protyasha, Richard Robinson, Lily Spiniolas, Brandon Stewart, John Wilander and Luming Yin Contents Declarative Web Pus

  • research!rsc: Floating-Point Printing and Parsing Can Be Simple And Fast (Floating Point Formatting, Part 3)

    Introduction A floating point number f has the form $f = m \cdot 2^{e}$ where m is called the mantissa and e is a signed integer exponent. We like to read numbers scaled by powers of ten, not two, so computers need algorithms to convert binary floating-point to and from decimal text. My 2011 post “Floating Point to Decimal Conversion is Easy” argued that these conversions can be simple as long as you don’t car

  • Frozen String Literals: Past, Present, Future?

    If you are a Rubyist, you’ve likely been writing # frozen_string_literal: true at the top of most of your Ruby source code files, or at the very least, that you’ve seen it in some other projects. Based on informal discussions at conferences and online, it seems that what this magic comment really is about is not always well understood, so I figured it would be worth talking about why it’s there, w

  • ChatGPT Containers can now run bash, pip/npm install packages, and download files

    ChatGPT Containers can now run bash, pip/npm install packages, and download files 26th January 2026 One of my favourite features of ChatGPT is its ability to write and execute code in a container. This feature launched as ChatGPT Code Interpreter nearly three years ago, was half-heartedly rebranded to “Advance

  • January 2023 (version 1.75)

    Update 1.75.1: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the January 2023 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Profiles -

  • August 2021 (version 1.60)

    Update 1.60.1: The update addresses these issues. Update 1.60.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the August 2021 release of Visual Studio Code. There are many updates in this version that we hope you will like, some of the key highlights include: Automatic language detection - Programming l

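  • Using Babel as a Refactoring Tool - mizdra's blog

    This article is the day 5 entry of the Hatena Engineer Advent Calendar 2021. Day 4 was id:anatofuz's "Looking at the number of lines in the work-log posts I have written since joining the company". The idea of visualizing the number of lines written in daily reports is interesting! I write daily reports too, so I'd like to try visualizing them sometime. anatofuz.hatenablog.com Main topic Now, as the title says, this time I'll talk about Babel. Babel is a JavaScript transpiler. It is a tool that takes JavaScript source code as input, applies appropriate transformations, and outputs JavaScript source code (that is, transpiles it). It is mainly used to convert JavaScript written in newer syntax into JavaScript written in older syntax so that it also runs in older browsers and the like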

  • May 2021 (version 1.57)

    Update 1.57.1: The update addresses these issues. The Workspace Trust feature addresses CVE-2021-34529. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the May 2021 release of Visual Studio Code. There are a number of updates in this version that we ho

  • A Tour of WebAuthn

    This book was distributed at the FIDO Authenticate conference in 2024. Its intended format was as a PDF, which you can find here. The following is the contents of the PDF converted to HTML. 1: Introduction Passwords are rubbish. If you’re reading this book then hopefully you’re already on board with this idea, but let’s recap anyway. The typical practice with passwords is to remember a few differe

  • Biome v1.5

    Along with the Roadmap for 2024, the new logo and homepage, we also published a new version. This version has few features around the CLI and many fixes in our formatter. Our TypeScript, JSX and JavaScript formatting has surpassed the 97% compatibility rate with Prettier. Biome now provides over 190 lint rules. Update Biome using the following commands: npm install --save-dev --save-exact @biomejs

  • Lit for React Developers | Google Codelabs

    1. Introduction What is Lit Lit is a simple library for building fast, lightweight web components that work in any framework, or with no framework at all. With Lit you can build shareable components, applications, design systems, and more. What you'll learn How to translate several React concepts to Lit such as: JSX & Templating Components & Props State & Lifecycle Hooks Children Refs Mediating St

  • GitHub - taishi-i/awesome-ChatGPT-repositories: A curated list of resources dedicated to open source GitHub repositories related to ChatGPT and OpenAI API

    awesome-chatgpt-api - Curated list of apps and tools that not only use the new ChatGPT API, but also allow users to configure their own API keys, enabling free and on-demand usage of their own quota. awesome-chatgpt-prompts - This repo includes ChatGPT prompt curation to use ChatGPT better. awesome-chatgpt - Curated list of awesome tools, demos, docs for ChatGPT and GPT-3 awesome-totally-open-chat

  • OAuth 2.0 Simplified | What is Oauth and How Does it Work | FusionAuth | FusionAuth Docs

    OAuth 2.0 Simplified | What is Oauth and How Does it Work | FusionAuth By Brian Pontarelli, Ahmed Hashesh and Dan Moore I know what you are thinking, is this really another guide to OAuth 2.0? Well, yes and no. This guide is different from most of the others out there because it covers all of the ways that we actually use OAuth. It also covers all of the details you need to be an OAuth expert witho

  • Logging with Pino and AsyncLocalStorage in Node.js - LogRocket Blog

    Maxim Orlov "Helping JavaScript developers deploy their applications 🚀 Find me online at maximorlov.com and follow me on Twitter @_maximization." Spending hours, or even days, trying to fix an obscure bug is frustrating and unproductive. Eventually, you’ll end up staring at the screen waiting for an eureka moment to magically happen. But what if instead of waiting for the solution to magically co

  • From XML to JSON to CBOR - The CBOR, dCBOR, and Gordian Envelope Book

    From XML to JSON to CBOR A Lingua Franca for Data? In modern computing, data exchange is foundational to everything from web browsing to microservices and IoT devices. The ability for different systems to represent, share, and interpret structured information drives ou

  • JSON Formatter and Validator Tool, JSON Beautifier

    JSON formatter is an online JSON formatter and validator tool that can perform many complex JSON operations such as format, validate, tree view, minify and edit JSON text. With this, you can also convert JSON to CSV, JSON to XML, and download formatted/converted output instantly. The main purpose of our online JSON formatter and validator utility is to format and validate JSON string in real time.

  • React SEO Best Practices and Strategies | Toptal®

    Editor’s note: This article was updated on 10/25/22 by our editorial team. It has been modified to include recent sources and to align with our current editorial standards. React was developed to create interactive UIs that are declarative, modular, and cross-platform. Today, it is one of the more popular—if not the most popular—JavaScript frameworks for writing performant front-end applications.

  • March 2024 (version 1.88)

    Update 1.88.1: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the March 2024 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Apply custom editor labels - Distinguish between editors with same file names. Locked scrolling -

  • October 2023 (version 1.84)

    Update 1.84.1: The update addresses these issues. Update 1.84.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the October 2023 release of Visual Studio Code. There are many updates in this version that we hope you'll li

  • August 2025 (version 1.104)

    Release date: September 11, 2025 Update 1.104.1: The update addresses these issues. Update 1.104.2: The update addresses these issues. Update 1.104.3: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the August 2025 release of Visual Studio Code. There are many updates in this version that we hope you'll li

  • GitHub - ComfyUI-Workflow/awesome-comfyui: A collection of awesome custom nodes for ComfyUI

    ComfyUI-Gemini_Flash_2.0_Exp (⭐+172): A ComfyUI custom node that integrates Google's Gemini Flash 2.0 Experimental model, enabling multimodal analysis of text, images, video frames, and audio directly within ComfyUI workflows. ComfyUI-ACE_Plus (⭐+115): Custom nodes for various visual generation and editing tasks using ACE_Plus FFT Model. ComfyUI-Manager (⭐+113): ComfyUI-Manager itself is also a cu

  • A Review of Nim 2: The Good & Bad with Example Code

    I've been using Nim for about 1-2 years now, and I believe the language is undervalued. It's not perfect, of course, but it's pleasant to write and read. My personal website uses Nim. After reading a recent article on Nim ("Why Nim") and the associated HN comments, it's clear that comments and some information about Nim are misleading and outdated. Since Nim 2, a tracing Garbage Collector is not t

  • February 2026 (version 1.110)

    Release date: March 4, 2026 Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Security update: The following extension has security updates: GitHub.copilot-chat. Update 1.110.1: The update addresses these security issues in core and these security issues in the GitHub Copilot Chat extension. Welcome to the February 2026 release of Visual Studio Code. Th
