はじめに 対象イベント 読み方、使い方 Remote Code Execution(RCE) 親ディレクトリ指定によるopen_basedirのバイパス PHP-FPMのTCPソケット接続によるopen_basedirとdisable_functionsのバイパス JavaのRuntime.execでシェルを実行 Cross-Site Scripting(XSS) nginx環境でHTTPステータスコードが操作できる場合にCSPヘッダーを無効化 GoogleのClosureLibraryサニタイザーのXSS脆弱性 WebのProxy機能を介したService Workerの登録 括弧を使わないXSS /記号を使用せずに遷移先URLを指定 SOME(Same Origin Method Execution)を利用してdocument.writeを順次実行 SQL Injection MySQ
Announcing AWS Lambda Function URLs: Built-in HTTPS Endpoints for Single-Function Microservices | Amazon Web Services
AWS News Blog Announcing AWS Lambda Function URLs: Built-in HTTPS Endpoints for Single-Function Microservices Organizations are adopting microservices architectures to build resilient and scalable applications using AWS Lambda. These applications are composed of multiple serverless functions that implement the business logic. Each function is mapped to API endpoints, methods, and resources using s
yt-dlp オプション一覧及びそのメモ - †MASAYOSHI†のオンラインメモ帳
youtube-dlの開発が止まっておりfork版のyt-dlpに移る事にした。yt-dlpはyoutube-dlのforkであるyoutube-dlcのそのまたforkになる。オリジナルであるyoutube-dlのオプション解説はyoutube-dl オプション一覧及びそのメモ。 2022/06/19更新 2022/09/06更新 OPTIONS -h, --helpヘルプを表示する。 --versionプログラムのVerを表示する。 -U, --update --no-update (default)プログラムのupdateを実行するかどうか。 -i, --ignore-errorsダウンロードエラーを無視する。プレイリストごとダウンロードするような時に使う。エラーで失敗してもダウンロードは成功したとみなされる。 --no-abort-on-error (default) --abor
Raspberry PiとAWSを利用して子どもたちのゲーム時間を可視化してみた | DevelopersIO
DynamoDBの作成 さっそくテーブルをCDKで構築してみます。 from aws_cdk import ( Stack, RemovalPolicy, aws_dynamodb as dynamodb, # DynamoDBのライブラリをimport ) from constructs import Construct class GameCounterStack(Stack): def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None: super().__init__(scope, construct_id, **kwargs) # The code that defines your stack goes here # ここから下に追記していきます。 # DynamoDB ログデータ格納用
Security best practices when using ALB authentication | Amazon Web Services
Networking & Content Delivery Security best practices when using ALB authentication At AWS, security is the top priority, and we are committed to providing you with the necessary guidance to fortify the security posture of your environment. In 2018, we introduced built-in authentication support for Application Load Balancers (ALBs), enabling secure user authentication as they access applications.
Cookie Theft 対策と Device Bound Session Credentials | blog.jxck.io
Intro Chrome チームより提案された Device Bound Session Credentials の実装が進み、Flag 付きで試すことができる。 この提案の背景と、解決する問題、現時点での挙動について解説する。 Update 2025/05/15: OT が始まったため、内容を大幅に更新 背景 2FA や Passkey の普及により、認証部分はかなりセキュアになってきた。インシデントによりパスワードが漏洩しても、それだけでなりすましを成立させるのも困難になっている。 そこで攻撃者の注目を集めているのが、Cookie の窃取(Cookie Theft)だ。 認証がいかに堅牢になっても、有効な Session Cookie を盗むことができれば、その値を Cookie フィールドに付与してリクエストするだけで、なりすましを成立させることができる。 いわゆる Session
Today, we are excited to announce the launch of .NET 10, the most productive, modern, secure, intelligent, and performant release of .NET yet. It’s the result of another year of effort from thousands of developers around the world. This release includes thousands of performance, security, and functional improvements across the entire .NET stack-from languages and developer tools to workloads-enabl
Assessing Claude Mythos Preview’s cybersecurity capabilities April 7, 2026 Nicholas Carlini, Newton Cheng, Keane Lucas, Michael Moore, Milad Nasr, Vinay Prabhushankar, Winnie Xiao Hakeem Angulu, Evyatar Ben Asher, Jackie Bow, Keir Bradwell, Ben Buchanan, David Forsythe, Daniel Freeman, Alex Gaynor, Xinyang Ge, Logan Graham, Kyla Guru, Hasnain Lakhani, Matt McNiece, Mojtaba Mehrara, Renee Nichol, A
We are delighted to introduce Spin 1.0, the first stable release of the open source developer tool for building serverless applications with WebAssembly (Wasm)! Since we first introduced Spin last year, we have been hard at work together with the community on building a frictionless developer experience for building and running serverless applications with Wasm. For this release, we focused on bui
SuperwhisperとVSCodeのCopilot Agentを使って、音声から素早くブログを書き上げる - yasuhisa's blog
3行まとめ アウトプットの速度を上げたいが、記事を書くのは時間がかかる SuperwhisperとVSCodeのCopilot Agentを組み合せて、音声からブログを書き上げるワークフローを組んだ 実際に使っているpromptを含め、真似しやすいように詳しく紹介 3行まとめ 背景: アウトプット速度を上げたい & LLMの急速な進化 利用している技術 Superwhisper: 技術用語も認識する書き起しアプリ VSCode Copilot Agent: 自然言語で校正のワークフローを組み込む 実用例: どれくらい早くアウトプットできるようになるか 実際のワークフロー 工夫した点 過去に自分が執筆したテキストの資産を活用する 依存関係の抽出を自動で行なう 複数のAgentにレビューをさせる タイトル案の自動生成 実装を通して得られた学び 自然言語でワークフローを組み立てることの難しさ エ
API Tokens: A Tedious Survey Author Name Thomas Ptacek @tqbf @tqbf Image by Annie Ruygt We’re Fly.io. This post isn’t about Fly.io, but you have to hear about us anyways, because my blog, my rules. Our users ship us Docker containers and we transmute them into Firecracker microvms, which we host on our own hardware around the world. With a working Dockerfile, getting up and running will take you l
Update 1.69.1: The update addresses these issues. Update 1.69.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the June 2022 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: 3-way merge editor - Resolve merge conflicts wit
Vjeux » Birth of Prettier
React Conf is around the corner and it's been almost 10 years since Prettier was released. I figured it would be a good time to recount the journey from its early days to now. This is the story of how the "Space vs Tabs Holy War" ended, not through one side winning over the other but instead a technological invention making it the underlying source of tensions no longer being a thing. Back Story S
Join a VS Code Dev Days event near you to learn about AI-assisted development in VS Code. Update 1.67.1: The update addresses this security issue. Update 1.67.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the April 2022 release of Visual Studio Code. There are many updates in this version that we hope
How to Bypass Cloudflare in 2023: The 8 Best Methods - ZenRows
About 1/5 of websites you need to scrape use Cloudflare, a hardcore anti-bot protection system that gets you blocked easily. So what can you do? 😥 We spent a million dollars figuring out how to bypass Cloudflare in 2023 so that you don't have to and wrote the most complete guide (you're reading it!). These are some of the techniques you'll get home today: Method 1: Get around Cloudflare CDN. Meth
Over the course of my Spring 2020 semester at Harvey Mudd College, I developed a self-hosting compiler entirely from scratch. This article walks through many interesting parts of the project. It’s laid out so you can just read from beginning to end, but if you’re more interested in a particular topic, feel free to jump there. Or, take a look at the project on GitHub. Table of contents What the pro
"MCP is an open protocol that standardizes how applications provide context to LLMs. Think of MCP like a USB-C port for AI applications. Just as USB-C provides a standardized way to connect your devices to various peripherals and accessories, MCP provides a standardized way to connect AI models to different data sources and tools." ― Anthropic TL;DR I would like for this to turn out to be a skill
Version 1.108 is now available! Read about the new features and fixes from December. Release date: May 8, 2025 Update: Enable Next Edit Suggestions (NES) by default in VS Code Stable (more...). Update 1.100.1: The update addresses these security issues. Update 1.100.2: The update addresses these issues. Update 1.100.3: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Univers
Update 1.97.1: The update addresses these security issues. Update 1.97.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the January 2025 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Next Edit Suggestions (preview) - Co
Google Cloud Champion Innovators Advent Calendar 2024 の 12 日目の記事です。 はじめに LLM が広く普及し、活用範囲が急速に拡大してきたことで、ツール連携機能を活用した AI エージェントを構築する機会も増えてきています。このような LLM とツールの連携により、チャットインターフェースから様々なシステムやサービスを制御・自動化できるようになりました。 しかし、AI エージェントの開発には2つの困りごとがあると感じています。1つ目は、複雑な指示を処理するために必要な高性能モデルの応答速度が遅い点、2つ目は複数のプロジェクトでツールを再利用する際の実装効率の問題です。 本記事では、これらに対する解決策の一例を紹介します。LLM から BigQuery を操作するユースケースにおいて、応答速度が遅い点については Gemini 2.0
Update 1.86.2: The update addresses these issues. Update 1.86.1: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the January 2024 release of Visual Studio Code. There are many updates in this version that we hope you'll like, some of the key highlights include: Per-window zoom levels - Adjust the zoom leve
はじめての自然言語処理 Hugging Face Transformers で T5 を使ってみる | オブジェクトの広場
前回が分量的にやたらと重かったので、今回はその反省(反動?)を踏まえて軽い感じでいってみます。第7回で紹介した T5 ですが Hugging Face の Transformers でもサポートされてますので、その使用方法をご紹介したいと思います。 1. はじめに 今回は久しぶりに T5 の話です。T5 に関しては第7回、第8回で一度紹介しているので、未読の方は記事に目を通してから戻ってきて頂けると、より理解がしやすいと思います。 さて、 T5 ですが Google のオリジナルコード(以下 “t5"と記述)1は敷居が高いと感じる方もいらっしゃるのではないでしょうか。 Estimator API ベースのコードや gin による設定など慣れていないと、とっつきにくいのではないかと思います。 そこで今回は Hugging Face の Transformers 2を使って T5 を動かす方法
はじめに 基礎技術研究部リサーチエンジニアの末吉です。 HTTP リクエストスマグリング(HTTP Request Smuggling: HRS)の CVE 登録数を見ると、最初に発表された 2005 年に大量に登録されて以降は下火傾向で、2018 年までは毎年数件ずつ登録される程度でした*1。 ところが 2019 年から再燃し、今年に至るまで再び大量に登録されだしています。 上記は CVE の登録数だけを見た傾向ですが、実際 HTTP リクエストスマグリングは 2019 年を境に急激に発展し、今年に至るまで毎年様々な新手法が発表され、注目を浴びています。 ただ、その割には日本語で HTTP リクエストスマグリングを扱った記事は少なく、この名前を聞いたこともないという方もそこそこ多いと思います。 そこで、この記事では HTTP リクエストスマグリングの基礎から Black Hat USA
Blog
Hachi: An (Image) Search engine Only the dead have seen the end of war .. George Santayana For quite some time now, i have been working on and off on a fully self-hosted search engine, in hope to make it easier to search across Personal data in an end to end manner. Even as individuals, we are hoarding and generating more and more data with no end in sight. Such "personal" data is being stored fro
In Praise of dhh
In Praise of dhh November 8, 2025 | #tech #politics A reflection on Ruby’s past, present, and future. This is a long essay. I strongly recommend you read it from the beginning, but to help navigate it I have created this table of contents. Prologue The Past How I Learned To Love Ruby A Breath Of Fresh Air A Shared Worldview The Present Tragedy Strikes Recent Conflict In The Community Strength and
Update: I originally published this post few months ago, and it only covered Turbo Drive and Turbo Frames then, with a static site. I've since had a bunch of conversations with people working with other tech stacks (Rust, PHP, and Go) wanting to integrate Hotwire into their front-ends, and everyone kept asking about Turbo Streams, since it needs a back-end server. So I've updated the post to build
GitHub Pull Requests Version 0.100.0 of the GitHub Pull Requests extension adds Copilot integration: Use the @githubpr chat participant in the Chat view to search for issues, summarize issues/prs, and suggest fixes for issues. @githubpr uses a number of Language Model tools to accomplish this. There's also a new Notifications view that shows GitHub notifications, with an action to prioritize them
If you are a Rubyist, you’ve likely been writing # frozen_string_literal: true at the top of most of your Ruby source code files, or at the very least, that you’ve seen it in some other projects. Based on informal discussions at conferences and online, it seems that what this magic comment really is about is not always well understood, so I figured it would be worth talking about why it’s there, w
Hello friends, this is the first of two, possibly three (if and when I have time to finish the Windows research) writeups. We will start with targeting GNU/Linux systems with an RCE. As someone who’s directly involved in the CUPS project said: From a generic security point of view, a whole Linux system as it is nowadays is just an endless and hopeless mess of security holes waiting to be exploited
Open sourcing h3i: a command line tool and library for low-level HTTP/3 testing and debugging
Open sourcing h3i: a command line tool and library for low-level HTTP/3 testing and debugging2024-12-30 Have you ever built a piece of IKEA furniture, or put together a LEGO set, by following the instructions closely and only at the end realized at some point you didn't quite follow them correctly? The final result might be close to what was intended, but there's a nagging thought that maybe, just
Release date: November 12, 2025 Update 1.106.1: The update addresses these issues Update 1.106.2: The update addresses these issues Update 1.106.3: The update addresses these issues Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the October 2025 release of Visual Studio Code. This release brings significant updates across three key areas:
--- name: skill-creator description: Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations. license: Complete terms in LICENSE.txt --- # Skill Creator This skill provides guidance for creating effective skills. ## About Skills S
Update 1.58.1: The update addresses these security issues. Update 1.58.2: The update addresses these issues. Downloads: Windows: x64 Arm64 | Mac: Universal Intel silicon | Linux: deb rpm tarball Arm snap Welcome to the June 2021 release of Visual Studio Code. There are a number of updates in this version that we hope you will like, some of the key highlights include: Terminals in the editor - Crea
Mitmproxy 8
We’re delighted to announce the release of mitmproxy 8, a free and open source interactive HTTPS proxy. This release brings major improvements to mitmweb, our web interface, and new functionality for addon developers. Web UI Improvements This release includes a whole bunch of mitmweb improvements, contributed by our fantastic Google Summer of Code 2021 student, Toshiaki Tanaka! Mitmweb now renders
Try Mastering Emacs for free! Are you struggling with the basics? Have you mastered movement and editing yet? When you have read Mastering Emacs you will understand Emacs. It’s that time again: there’s a new major version of Emacs and, with it, a treasure trove of new features and changes. Notable features include the formal inclusion of native compilation, a technique that will greatly speed up y
< Back Leaking the email of any YouTube user for $10,000 2025-02-12 Some time ago, I was looking for a research target in Google and was digging through the Internal People API (Staging) discovery document until I noticed something interesting: "BlockedTarget": { "id": "BlockedTarget", "description": "The target of a user-to-user block, used to specify creation/deletion of blocks.", "type": "objec
21st October 2024 I’m a huge fan of Claude’s Artifacts feature, which lets you prompt Claude to create an interactive Single Page App (using HTML, CSS and JavaScript) and then view the result directly in the Claude interface, iterating on it further with the bot and then, if you like, copying out the resulting code. I was digging around in my Claude activity export (I built a claude-to-sqlite tool
Ever wanted more different ways to understand what’s going on in a program? Here I catalogue a huge variety of tracing methods you can use for varying types of problems. Tracing has been such a long-standing interest (and job) of mine that some of these will novel and interesting to anyone who reads this. I’ll guarantee it by including 2 novel tracing tools I’ve made and haven’t shared before (loo
CORS is a necessity for many APIs, but basic configurations can create a huge number of extra requests, slowing down every browser API client, and sending unnecessary traffic to your backend. This can be a problem with a traditional API, but becomes a much larger issue with serverless platforms, where your billing is often directly tied to the number of requests received, so this can easily double
[crypto] Simple Substitution Cipher [crypto] Substitution Cipher [crypto] Administrator Hash(NTLM hash) [crypto] Administrator Password [crypto] Hash Extension Attack [forensics] The Place of The First Secret Meeting [forensics] The Deleted Confidential File [forensics] They Cannot Be Too Careful. [forensics] The Taken Out Secrets [forensics] Their Perpetration [NW] Transfer [NW] Analysis [NW] Enu
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
【2020年】CTF Web問題の攻撃手法まとめ - こんとろーるしーこんとろーるぶい
Announcing .NET 10 - .NET Blog
Claude Mythos Preview \ red.anthropic.com
Spin 1.0 — The Developer Tool for Serverless WebAssembly
API Tokens: A Tedious Survey
June 2022 (version 1.69)
April 2022 (version 1.67)
Kalyn: a self-hosting compiler for x86-64
A Critical Look at MCP - Raz Blog
April 2025 (version 1.100)
January 2025 (version 1.97)
Gemini 2.0 Flash から MCP を利用して BigQuery を操作する
January 2024 (version 1.86)
HTTP リクエストスマグリング入門から最新研究まで - FFRIエンジニアブログ
You Don't Need Rails to Start Using Hotwire
October 2024 (version 1.95)
Frozen String Literals: Past, Present, Future?
Attacking UNIX Systems via CUPS, Part I
October 2025 (version 1.106)
prompts.chat - AI Prompts Community
June 2021 (version 1.58)
What's New in Emacs 28.1?
Leaking the email of any YouTube user for $10,000
Everything I built with Claude Artifacts this week
All my favorite tracing tools: eBPF, QEMU, Perfetto, new ones I built and more - Tristan Hume
Cache your CORS, for performance & profit
防衛省サイバーコンテスト2023 Writeups - はまやんはまやんはまやん