Search results for python requests get binary data: 1 - 40 of 88

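  • [2020] Summary of Attack Techniques in CTF Web Challenges - こんとろーるしーこんとろーるぶい

    Introduction; Target events; How to read and use this article; Remote Code Execution (RCE); Bypassing open_basedir by specifying a parent directory; Bypassing open_basedir and disable_functions via a TCP socket connection to PHP-FPM; Running a shell with Java's Runtime.exec; Cross-Site Scripting (XSS); Disabling the CSP header when the HTTP status code can be controlled in an nginx environment; XSS vulnerability in Google's Closure Library sanitizer; Registering a Service Worker through a web proxy feature; XSS without parentheses; Specifying the destination URL without using the / character; Using SOME (Same Origin Method Execution) to run document.write sequentially; SQL Injection; MySQ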

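  • Automating E2E Tests That Include API Calls with Selenium - asoview! Tech Blog

    This is the day 2 (B-side) article of the asoview! Advent Calendar 2022. I'm Watanabe, and I do QA at asoview. At my previous job I worked as an engineer and in QA, and I joined asoview as QA in October. This time I'll talk about trying to automate E2E tests that include API calls, using a free public API whose specification is published on another company's website. In QA at asoview, we place importance on balancing development speed with quality improvement. To that end, efforts such as shift-left and promoting test automation are important. The project I'm currently part of as QA exposes an API externally, and since we had not previously automated tests that include an API as E2E tests, I tried to see whether tests that include an API could be easily automated with Selenium. Why Selenium? Why Python? Test cases to try; Weather forecast API specification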

  • WebVM: server-less x86 virtual machines in the browser

    TL;DR — We made a server-less virtual Linux environment that runs unmodified Debian binaries in the browser. This is powered by CheerpX, a WebAssembly virtualization platform. Feel free to play with it and report bugs: https://webvm.io WebVM — a server-less virtual Linux environment running fully client-side in HTML5/WebAssembly. The web platform is well on its way to becoming the dominant platfor

  • GitHub - modelcontextprotocol/servers: Model Context Protocol Servers

    Official integrations are maintained by companies building production ready MCP servers for their platforms. 21st.dev Magic - Create crafted UI components inspired by the best 21st.dev design engineers. 2slides - An MCP server that provides tools to convert content into slides/PPT/presentation or generate slides/PPT/presentation with user intention. ActionKit by Paragon - Connect to 130+ SaaS inte

  • Introducing Ezno

    Ezno is an experimental compiler I have been working on and off for a while. In short, it is a JavaScript compiler featuring checking, correctness and performance for building full-stack (rendering on the client and server) websites. This post is just an overview of some of the features I have been working on which I think are quite cool as well an overview on the project philosophy ;) It is still

  • How uv got so fast

    uv installs packages faster than pip by an order of magnitude. The usual explanation is “it’s written in Rust.” That’s true, but it doesn’t explain much. Plenty of tools are written in Rust without being notably fast. The interesting question is what design decisions made the difference. Charlie Marsh’s Jane Street talk and a Xebia engineering deep-dive cover the technical details well. The intere

  • Claude Mythos Preview \ red.anthropic.com

    Assessing Claude Mythos Preview’s cybersecurity capabilities April 7, 2026 Nicholas Carlini, Newton Cheng, Keane Lucas, Michael Moore, Milad Nasr, Vinay Prabhushankar, Winnie Xiao Hakeem Angulu, Evyatar Ben Asher, Jackie Bow, Keir Bradwell, Ben Buchanan, David Forsythe, Daniel Freeman, Alex Gaynor, Xinyang Ge, Logan Graham, Kyla Guru, Hasnain Lakhani, Matt McNiece, Mojtaba Mehrara, Renee Nichol, A

  • What We Learned from a Year of Building with LLMs (Part I)

    It’s an exciting time to build with large language models (LLMs). Over the past year, LLMs have become “good enough” for real-world applications. The pace of improvements in LLMs, coupled with a parade of demos on social media, will fuel an estimated $200B investment in AI by 2025. LLMs are also broadly accessible, allowing everyone, not just ML engineers and scientists, to build intelligence into

  • How to find the AWS Account ID of any S3 Bucket | Tracebit

    In 2021 Ben Bridts published a highly inventive method for finding the AWS Account ID of a public S3 bucket. This post describes a technique to find the Account ID of any S3 bucket (both private and public). I'd highly recommend reading Ben's technique first as we will re-use a lot of concepts. S3 Bucket to AWS Account ID Shell output can be worth a thousand words, here's what our technique enables

  • GitHub - punkpeye/awesome-mcp-servers: A collection of MCP servers.

    Servers for accessing many apps and tools through a single MCP server. 1mcp/agent 📇 ☁️ 🏠 🍎 🪟 🐧 - A unified Model Context Protocol server implementation that aggregates multiple MCP servers into one. tadas-github/a2asearch-mcp 📇 ☁️ - MCP server to search 4,800+ MCP servers, AI agents, CLI tools and agent skills. Install: npx -y a2asearch-mcp. Ask Claude: "Find MCP servers for database access"

  • GitHub - anderspitman/awesome-tunneling: List of ngrok/Cloudflare Tunnel alternatives and other tunneling software and services. Focus on self-hosting.

    Telebit - Written in JS. Code. tunnel.pyjam.as - No custom client; uses WireGuard directly instead. Written in Python. source code SSH-J.com - Public SSH Jump & Port Forwarding server. No software, no registration, just an anonymous SSH server for forwarding. Users are encouraged to use it for SSH exposure only, to preserve end-to-end encryption. No public ports, only in-SSH connectivity. Run ssh

  • Wasm-agents: AI agents running in your browser

    One of the main barriers to a wider adoption and experimentation with open-source agents is the dependency on extra tools and frameworks that need to be installed before the agents can be run. In this post, we introduce the Wasm agents blueprint, aimed at showing how to write agents as HTML files, which can just be opened and run in a browser, without the need for any extra dependencies. This is s

  • Onyx, a new programming language powered by WebAssembly · Blog · Wasmer

    Onyx, a new programming language powered by WebAssembly Learn about Onyx, a new imperative programming language that leverages WebAssembly and Wasmer for seamless cross-platform support What is Onyx? Onyx is a new programming language featuring a modern, expressive syntax, strict type safety, blazingly-fast build times, and out-of-the-box cross platform support thanks to WebAssembly. Over the past

  • March 2025 (version 1.99)

    Update 1.99.1: The update addresses these security issues. Update 1.99.2: The update addresses these issues. Update 1.99.3: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the March 2025 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highligh

  • Prompt Engineering

    Date: March 15, 2023 | Estimated Reading Time: 21 min | Author: Lilian Weng Prompt Engineering, also known as In-Context Prompting, refers to methods for how to communicate with LLM to steer its behavior for desired outcomes without updating the model weights. It is an empirical science and the effect of prompt engineering methods can vary a lot among models, thus requiring heavy experimentation a

  • AWS Lambda turns 10: A rare look at the doc that started it

    AWS Lambda turns 10: A rare look at the doc that started it November 14, 2024 • 5460 words One of our strengths at AWS has always been our ability to get primitives into the hands of our customers and observe what they do. In nearly every instance, someone uses these building blocks in interesting ways that we didn’t expect. Sometimes it’s domain-specific innovation, but other times it’s customers

  • How to Bypass Cloudflare in 2023: The 8 Best Methods - ZenRows

    About 1/5 of websites you need to scrape use Cloudflare, a hardcore anti-bot protection system that gets you blocked easily. So what can you do? 😥 We spent a million dollars figuring out how to bypass Cloudflare in 2023 so that you don't have to and wrote the most complete guide (you're reading it!). These are some of the techniques you'll get home today: Method 1: Get around Cloudflare CDN. Meth

  • June 2023 (version 1.80)

    Update 1.80.1: The update addresses these issues. Update 1.80.2: The update addresses this security issue. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the June 2023 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Accessibility improvements - Accessible V

  • Kalyn: a self-hosting compiler for x86-64

    Over the course of my Spring 2020 semester at Harvey Mudd College, I developed a self-hosting compiler entirely from scratch. This article walks through many interesting parts of the project. It’s laid out so you can just read from beginning to end, but if you’re more interested in a particular topic, feel free to jump there. Or, take a look at the project on GitHub. Table of contents What the pro

  • Patterns for Building LLM-based Systems & Products

    Patterns for Building LLM-based Systems & Products [ llm engineering production 🔥 ] · 66 min read Discussions on HackerNews, Twitter, and LinkedIn “There is a large class of problems that are easy to imagine and build demos for, but extremely hard to make products out of. For example, self-driving: It’s easy to demo a car self-driving around a block, but making it into a product takes a decade.”

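  • The EU's COVID-19 Vaccination Certificate Uses CWT

    On July 1, 2021, the EU officially began operating its digital certificate for COVID-19 vaccination (EU Digital COVID Certificate: EUDCC). The EUDCC has some technically interesting aspects: for example, it introduces a new encoding scheme called Base45 (reminiscent of Bitcoin's Base58, isn't it?), and it adopts CWT (CBOR Web Token) as its format. CWT can be described as the binary version of JWT, and it is a relatively new and therefore minor specification. Since I have personally been playing around with CWT lately, I investigated the EUDCC specifications and implemented verification code using test data, so I am writing it up here as a memo. Also, since I think it is impressive that a specification incorporating such new technologies could be released in under a year in the middle of the COVID turmoil, as an appendix the background of the standardization and implementation is also briefly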

  • Wasm core dumps and debugging Rust in Cloudflare Workers

    Wasm core dumps and debugging Rust in Cloudflare Workers 2023-08-14 A clear sign of maturing for any new programming language or environment is how easy and efficient debugging them is. Programming, like any other complex task, involves various challenges and potential pitfalls. Logic errors, off-by-ones, null pointer dereferences, and memory leaks are some examples of things that can make software

  • How to improve Python packaging, or why fourteen tools are at least tw

    There is an area of Python that many developers have problems with. This is an area that has seen many different solutions pop up over the years, with many different opinions, wars, and attempts to solve it. Many have complained about the packaging ecosystem and tools making their lives harder. Many beginners are confused about virtual environments. But does it have to be this way? Are the current

  • Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack

    Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack Last week, our automated risk detection platform alerted us to some suspicious activity in dozens of newly published PyPI packages. It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer on to Python developer’s machines by hiding a malicious __import__

  • SemVer in Rust: Tooling, Breakage, and Edge Cases — FOSDEM 2024

    SemVer in Rust: Tooling, Breakage, and Edge Cases — FOSDEM 2024 Last month, I gave a talk titled "SemVer in Rust: Breakage, Tooling, and Edge Cases" at the FOSDEM 2024 conference. The talk is a practical look at what semantic versioning (SemVer) buys us, why SemVer goes wrong in practice, and how the cargo-semver-checks linter can help prevent the damage caused by SemVer breakage. TL;DR: SemVer is

  • redbean

    redbean single-file distributable web server redbean is an open source webserver in a single-file that runs natively on six OSes for both AMD64 and ARM64. Basic idea is if you want to build a web app that runs anywhere, then you download the redbean.com file, put your .html and .lua files inside it using the zip command, and you've got a hermetic app you deploy and share. redbean embeds Lua, SQLit

  • How a simple Linux kernel memory corruption bug can lead to complete system compromise

    In this case, reallocating the object as one of those three types didn't seem to me like a nice way forward (although it should be possible to exploit this somehow with some effort, e.g. by using count.counter to corrupt the buf field of seq_file). Also, some systems might be using the slab_nomerge kernel command line flag, which disables this merging behavior. Another approach that I didn't look

  • Introducing the AWS Lambda Telemetry API | Amazon Web Services

    AWS Compute Blog Introducing the AWS Lambda Telemetry API This blog post is written by Anton Aleksandrov, Principal Solution Architect and Shridhar Pandey, Senior Product Manager Today AWS is announcing the AWS Lambda Telemetry API. This provides an easier way to receive enhanced function telemetry directly from the Lambda service and send it to custom destinations. This makes it easier for develo

  • The Go Programming Language and Environment – Communications of the ACM

    Go is a programming language created at Google in late 2007 and released as open source in November 2009. Since then, it has operated as a public project, with contributions from thousands of individuals and dozens of companies. Go has become a popular language for building cloud infrastructure: Docker, a Linux container manager, and Kubernetes, a container deployment system, are core cloud techno

  • LLM Powered Autonomous Agents

    Date: June 23, 2023 | Estimated Reading Time: 31 min | Author: Lilian Weng Building agents with LLM (large language model) as its core controller is a cool concept. Several proof-of-concepts demos, such as AutoGPT, GPT-Engineer and BabyAGI, serve as inspiring examples. The potentiality of LLM extends beyond generating well-written copies, stories, essays and programs; it can be framed as a powerfu

  • March 2022 (version 1.66)

    Join a VS Code Dev Days event near you to learn about AI-assisted development in VS Code. Update 1.66.1: The update addresses these issues. Update 1.66.2: The update addresses these security issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the March 2022 release of Visual Studio Code. There are many updates in this version that we ho

  • The State of Python 2025: Trends and Survey Insights | The PyCharm Blog

    This is a guest post from Michael Kennedy, the founder of Talk Python and a PSF Fellow. Welcome to the highlights, trends, and key actions from the eighth annual Python Developers Survey. This survey is conducted as a collaborative effort between the Python Software Foundation and JetBrains’ PyCharm team. The survey results provide a comprehensive look at Python usage statistics and popularity tre

  • How to turn Claude Code into a domain specific coding agent

    Authored by: Aliyan Ishfaq Coding agents are great at writing code that uses popular libraries on which LLMs have been heavily trained on. But point them to a custom library, a new version of a library, an internal API, or a niche framework – and they’re not so great. That’s a problem for teams working with domain specific libraries or enterprise code. As developers of libraries (LangGraph, LangCh

  • 0.10.0 Release Notes ⚡ The Zig Programming Language

    Tier 4 Support: Support for these targets is entirely experimental. If this target is provided by LLVM, LLVM may have the target as an experimental target, which means that you need to use Zig-provided binaries for the target to be available, or build LLVM from source with special configure flags. zig targets will display the target if it is available. This target may be considered deprecated by

  • Fun with uv and PEP 723

    Fun with uv and PEP 723 June 24, 2025 For the longest time, I have been frustrated with Python because I couldn’t use it for one-off scripts. I had to first ensure it was running in an environment where it could find the right Python version and the dependencies installed. That is now a thing of the past. uv: If you are not a Pythonista (or one possibly living under a rock), uv is an extremely fas

  • October 2024 (version 1.95)

    GitHub Pull Requests Version 0.100.0 of the GitHub Pull Requests extension adds Copilot integration: Use the @githubpr chat participant in the Chat view to search for issues, summarize issues/prs, and suggest fixes for issues. @githubpr uses a number of Language Model tools to accomplish this. There's also a new Notifications view that shows GitHub notifications, with an action to prioritize them

  • AWS Lambda Functions Powered by AWS Graviton2 Processor – Run Your Functions on Arm and Get Up to 34% Better Price Performance | Amazon Web Services

    AWS News Blog AWS Lambda Functions Powered by AWS Graviton2 Processor – Run Your Functions on Arm and Get Up to 34% Better Price Performance December 13, 2022: Post updated to include all the AWS Regions where Lambda Functions can be powered by the Graviton2 Processor. June 19, 2023: List of AWS Regions updated. Many of our customers (such as Formula One, Honeycomb, Intuit, SmugMug, and Snap Inc.)

  • Attacking UNIX Systems via CUPS, Part I

    Hello friends, this is the first of two, possibly three (if and when I have time to finish the Windows research) writeups. We will start with targeting GNU/Linux systems with an RCE. As someone who’s directly involved in the CUPS project said: From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited

  • GIMP - Development version: GIMP 2.99.12 Released

    GIMP 2.99.12 is a huge milestone towards GIMP 3.0. Many of the missing pieces are getting together, even though it is still a work in progress. As usual, issues are expected and in particular in this release which got important updates in major areas, such as canvas interaction code, scripts, but also theming… “CMYK space invasion”, by Jehan (based on GPLv3 code screencast), Creative Commons by-sa

  • Open sourcing h3i: a command line tool and library for low-level HTTP/3 testing and debugging

    Open sourcing h3i: a command line tool and library for low-level HTTP/3 testing and debugging 2024-12-30 Have you ever built a piece of IKEA furniture, or put together a LEGO set, by following the instructions closely and only at the end realized at some point you didn't quite follow them correctly? The final result might be close to what was intended, but there's a nagging thought that maybe, just
