@kyrylosilin My totally serious response to justfuckingusehtml.com:

curl https://justfuckingusehttp.com
(the URL has to have https://, Mastodon just doesn't display it...)

On Windows you can use this command:
(Invoke-WebRequest https://justfuckingusehttp.com/).Content

My totally serious response to justfuckingusehtml.com:

curl https://justfuckingusehttp.com
(the URL has to have https://, Mastodon just doesn't display it...)

On Windows you can use this command:
(Invoke-WebRequest https://justfuckingusehttp.com/).Content

#http response codes if the #iana engineer was trying to get the #cat off the #keyboard while designing the #protocol.

doubles as #blink codes if you've found yourself in a responding to http requests while under duress type of situation:

HTTP 0 - no reaction.
HTTP 0.5 - reaction, no information.
HTTP 1 - don't do that.
HTTP 2 - acknowledged.
HTTP 3 - see other.
HTTP 4 - inconceivable.
HTTP 5 - sEnPaI~~~

Neu im Forum:

HTTP Referrer - Backend nicht aufrufbar

https://t3forum.net/d/901-http-referrer-backend-nicht-aufrufbar

#t3academyforum #http-referrer #backend-fehler

Permissions-Policy: storage-access
Limited availability

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/storage-access

The HTTP Permissions-Policy header storage-access directive controls whether a document loaded in a third-party context (i.e., embedded in an <iframe>) is allowed to use the Storage Access API to request access to unpartitioned cookies.

iX-Workshop: API-Design und -Entwicklung mit HTTP, REST und OpenAPI

Lernen Sie, wie man effiziente und benutzerfreundliche APIs entwickelt, HTTP- und REST-Standards anwendet und standardisierte Referenzdokumentationen erstellt.

https://www.heise.de/news/iX-Workshop-API-Design-und-Entwicklung-mit-HTTP-REST-und-OpenAPI-10373876.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

Coinbase’s x402: Crypto payments over HTTP for AI and APIs - What is HTTP 402, and why does it matter? ... - https://cointelegraph.com/explained/coinbases-x402-crypto-payments-over-http-for-ai-and-apis #cryptopayments #coinbase #http #api #ai

A New Breed of Infostealer

A newly discovered .NET-based infostealer, Chihuahua Stealer, combines common malware techniques with advanced features. The infection begins with an obfuscated PowerShell script shared via Google Drive, initiating a multi-stage payload chain. Persistence is achieved through scheduled tasks, and the main payload targets browser data and crypto wallet extensions. Stolen data is compressed, encrypted using AES-GCM via Windows CNG APIs, and exfiltrated over HTTPS. The malware employs stealth techniques, including multi-stage execution, Base64 encoding, hex-string obfuscation, and scheduled jobs. It targets browser data, crypto wallets, and uses unique identifiers for each infected machine. The stealer's sophistication is evident in its use of Windows Cryptography API for encryption and its thorough cleanup process.

Pulse ID: 682345233e3c2b7479bfdf61
Pulse Link: https://otx.alienvault.com/pulse/682345233e3c2b7479bfdf61
Pulse Author: AlienVault
Created: 2025-05-13 13:12:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BSI WID-SEC-2025-1005: [NEU] [mittel] #Varnish #HTTP #Cache: Schwachstelle ermöglicht Manipulation von Dateien

Ein Angreifer kann eine Schwachstelle in Varnish HTTP Cache ausnutzen, um Dateien zu manipulieren.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1005

RFCs you should probably read if you're bug hunting modern stacks:

* RFC 8820: URI Design and Ownership
* RFC 8725: JSON Web Token Best Current Practices
* RFC 9110: HTTP Semantics
* RFC 9111: HTTP Caching
* RFC 9112: HTTP/1.1
* RFC 9113: HTTP/2
* RFC 9114: HTTP/3

Also worth a read:

* RFC 7230: Message Syntax and Routing
* RFC 7231: Semantics and Content
* RFC 7232: Conditional Requests
* RFC 7233: Range Requests
* RFC 7234: Caching
* RFC 7235: Authentication

#research, #exploitation, #http

CSP: script-src-attr
Newly available (from Dec 2022)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/script-src-attr

The HTTP Content-Security-Policy (CSP) script-src-attr directive specifies valid sources for JavaScript inline event handlers.

Sec-CH-UA-WoW64
Limited availability

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-CH-UA-WoW64

The HTTP Sec-CH-UA-WoW64 request header is a user agent client hint indicating if a 32-bit user-agent application is running on a 64-bit Windows machine.

CORS errors

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS/Errors

Cross-Origin Resource Sharing (CORS) is a standard that allows a server to relax the same-origin policy. This is used to explicitly allow some cross-origin requests while rejecting others. For example, if a site offers an embeddable service, it may be necessary to relax certain restrictions. Setting up such a CORS configuration isn't necessarily easy and may present some challenges. In these…

#aria2 is a lightweight multi-protocol & multi-source, cross platform download utility operated in command-line. It supports #HTTP #HTTPS #FTP #SFTP #BitTorrent and #Metalink https://github.com/aria2/aria2

#til

* URLs' paths might or might not be case sensitive; it all depends on the actual system serving the resource.

In any case (!!!), consider them case sensitive.

#FrageFürEinenFreund gibt es einen modernen Rewrite von #LOIC für Lasttests von Internetseiten? Wäre cool wenn man einfach ein paar Leuten eine Liste von URLs geben könnte die sich dann beteiligen um eine gewisse Uhrzeit, damit die Seiten getestet werden können. #highAvailability #distributedTesting #HTTP #Verfügbarkeit #followerpower

https://de.m.wikipedia.org/wiki/Low_Orbit_Ion_Cannon