September 21, 2025
Just published some notes on httpjail - this is a really interesting new sandboxing project, it lets you run a process (on macOS or Linux or in Docker) with strict restrictions on what outbound HTTP requests it can make, specified as JS or a shell script https://t.co/WOPFcn9hNm https://t.co/L8vAxSAEI1
— Simon Willison (@simonw) September 19, 2025
*turns on loudspeaker at 5,000 person venue*
"Hey Meta, text my ex and say I miss her" https://t.co/Gie0cz0nUv
— near (@nearcyan) September 19, 2025
Insane because Microsoft uses a tool like dnstwist to find lookalike domains in Defender for Office 365... but you have to pay for it
The good news is this tool is FREE, so everyone can and should monitor for lookalike domains: https://t.co/AolV8QhQWH https://t.co/5L7RlswD0I https://t.co/4mWIMOqBuP pic.twitter.com/xXzR192tnG
— Nathan McNulty (@NathanMcNulty) September 20, 2025
Another beautiful FortiWeb WAF RCE!
Putting the vendor aside, this is one of those cool cases that combines a couple of otherwise overlooked and simple primitives into something lethal.
CVE-2025-52970: https://t.co/7Npnke3MLJ https://t.co/xXI94N8TQE pic.twitter.com/teLgcwqWtA
— Hamid Kashfi (@hkashfi) September 20, 2025
A reminder that there are many IT systems that can be leveraged to disrupt transportation and logistics. You don’t have to attack the planes to cause cascading failures in our airways. https://t.co/uENx9urRE6
— John Hultquist (@JohnHultquist) September 20, 2025
You can jailbreak the httpjail 😎
I found an exploit that totally bypasses all protection, allowing an attacker to still exfiltrate anything they want from the jail
The exploit tricks the proxy server, which thinks everything is cool, but it sends the request to my evil site! https://t.co/FIiPgp5HDy pic.twitter.com/vxYZGbnPrH
— itszn (@itszn13) September 21, 2025