Aron Molnar
@AronMolnar2
Followers: 194 | Following: 248 | Media: 45 | Statuses: 311
@syslifters cofounder, @sysreptor creator
Vienna
Joined May 2019
🚨 We patched a privilege escalation vulnerability for authenticated users in SysReptor with 2025.83. SysReptor cloud is fully patched. Update your SysReptor self-hosted installations as soon as possible. Find more information in our advisory:
github.com
### Impact Authenticated and unprivileged (non-admin) users can assign the `is_project_admin` [permission](https://docs.sysreptor.com/users/user-permissions/#project-admin) to their own user. This a...
0
2
4
We're hiring a senior pentester. * 40h, m/w/d, remote * German and English speaking * Permanent residence in Austria https://t.co/OKXb7IeALb Please support us by spreading the word ❤️
docs.syslifters.com
0
2
3
What do you use to write a report? I recently wrote a review for #Sysreptor on my blog and I also got a discount code for you. Have fun reading it https://t.co/VXMlgYO1aj
mickhat.xyz
Cybersecurity Enthusiast • Tech Breaker • HTB Player
2
3
9
If you don't know something, there's only one correct answer: I don't know. Everything else is hallucinating. You know it from AI.
1
0
0
But there are two exceptions: Browsers cannot access the "Set-Cookie" and "Set-Cookie2" headers, as they are blacklisted. Cookies can thus not be exposed cross-origin. 3/3
0
0
0
It also allows access to "CORS-safelisted" response headers (like "Content-Type" or "Last-Modified"). The "Access-Control-Expose-Headers" header specifies additional header names that the user-agent (the browser) can access. 2/3
1
0
0
Steal cookies via misconfigured CORS? Let's see if that works. TLDR: Cookies cannot be exposed cross-origin. The response header "Access-Control-Allow-Origin" allows other origins to access the body of the cross-origin request. 1/3
1
0
1
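The three tweets above form one thread, shown here in reverse order (1/3 at the bottom). As an added example that is not part of the thread or of any SysReptor code, the JavaScript below models the browser-side rule the thread describes: the origin check on Access-Control-Allow-Origin, the CORS-safelisted response headers, the opt-in list in Access-Control-Expose-Headers, and the forbidden Set-Cookie / Set-Cookie2 names that are dropped even when a server lists them. It goes slightly beyond the thread by also handling credentialed requests (Access-Control-Allow-Credentials and the wildcard rules). All response headers and origins in it are constructed sample values.

```javascript
// Added example (not from the thread): models how a browser decides which
// response headers a cross-origin script may read. Header names are compared
// case-insensitively, as in the Fetch standard.

// CORS-safelisted response headers: readable cross-origin without any opt-in.
const CORS_SAFELISTED_RESPONSE_HEADERS = new Set([
  "cache-control", "content-language", "content-length", "content-type",
  "expires", "last-modified", "pragma",
]);

// Forbidden response-header names: never exposed to scripts, even if the
// server lists them in Access-Control-Expose-Headers.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Build a lowercase-keyed Map from a plain header object.
function normalize(headers) {
  return new Map(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
}

// Parse a comma-separated header list into lowercase tokens.
function parseList(value) {
  if (!value) return [];
  return value.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Does Access-Control-Allow-Origin (plus, for credentialed requests,
// Access-Control-Allow-Credentials) admit this origin at all?
function originAllowed(h, requestOrigin, withCredentials) {
  const acao = h.get("access-control-allow-origin");
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // wildcard never covers credentialed requests
  if (acao !== requestOrigin) return false;
  return withCredentials ? h.get("access-control-allow-credentials") === "true" : true;
}

// Returns the lowercase names the script may read, or null when the CORS
// check fails (then neither the body nor any header is readable).
function exposedHeaders(responseHeaders, requestOrigin, withCredentials = false) {
  const h = normalize(responseHeaders);
  if (!originAllowed(h, requestOrigin, withCredentials)) return null;
  const exposed = parseList(h.get("access-control-expose-headers"));
  // "*" exposes every non-forbidden header, but only for non-credentialed requests.
  const wildcard = exposed.includes("*") && !withCredentials;
  return [...h.keys()].filter((name) => {
    if (FORBIDDEN_RESPONSE_HEADERS.has(name)) return false;
    if (CORS_SAFELISTED_RESPONSE_HEADERS.has(name)) return true;
    return wildcard || exposed.includes(name);
  });
}

// Constructed sample response from a server that (mis)lists Set-Cookie.
const SAMPLE_RESPONSE = {
  "Content-Type": "application/json",
  "Set-Cookie": "session=abc123; HttpOnly; Secure",
  "X-Request-Id": "req-42",
  "X-Debug": "1",
  "Access-Control-Allow-Origin": "https://other.example",
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Expose-Headers": "X-Request-Id, Set-Cookie",
};

console.log(exposedHeaders(SAMPLE_RESPONSE, "https://other.example", true));
// → [ 'content-type', 'x-request-id' ]  (Set-Cookie dropped, X-Debug not listed)
console.log(exposedHeaders(SAMPLE_RESPONSE, "https://third.example", true));
// → null  (origin not allowed, so the body is blocked too)
```

The key point the sample shows is the one the thread makes: listing Set-Cookie in Access-Control-Expose-Headers has no effect, because the forbidden-name check runs before the expose list is consulted. When reviewing a CORS configuration, the headers to worry about are therefore the custom ones (X-Request-Id, tokens, debug data) that a server opts in with Access-Control-Expose-Headers or a `*` wildcard.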
On-Premise is wrong. Premises is not the plural of Premise. Premise ≠ Premises. Based on the premise that "on-premises" is wrongly used, we prefer "self-hosted". But you can also use "on-premises" or "on-prem".
1
1
1
Oh, I think I urgently need to renew my bank registration. Now that there's so much cash on that account. Don't want to lose access.
1
0
2
"There is only one place to store the most important passwords: the handwritten password book in the safe." It depends. If you want to protect them from a random hacker, maybe. But if from your government, it's a bad idea. And the worst thing about it is usability. Opinions?
0
0
1
I want to compile a list of good screenshotting tools. Which one do you use and why do you like it? I'll start: I use Flameshot. It's open source and has built-in blur and rectangle. (I will, of course, publish the list later.)
2
0
1
"We could resell pentests for you." Often heard. We examined how many companies expressed interest in reselling our pentests in the last 1.5 years.
* No Engagement
* Low Engagement (1-3 closed projects)
* High Engagement (4 or more projects)
0
0
0
New customer conversions are not everything. Retention rates are more important. Only one-quarter of our customers have completed more than one project with us. 60% of the projects we did were with recurring customers, which brought in more than half of our pentesting revenue.
0
0
0
Legend:
- People we knew personally contacted us ("Known, inbound")
- People we knew personally we contacted ("Known, outbound")
- People who found us (on the Internet) and contacted us ("Inbound Request")
- People who contacted us based on a recommendation ("Recommendation")
0
0
0
We analyzed our offers at Syslifters from 1.5 years to find out where our customers were coming from. I aggregated this data for my work-in-progress book #betterpentests.
1
0
2
Hi @magentatelekom, I'd like to get 5G Internet and according to your map, it's available. When selecting the rates, it's suddenly not. I did not find a single address in Austria for which 5G was available. On the phone they told me they did not sell 5G rates for weeks. How come?
1
0
1
We have set up a playground to give you a preview of the upcoming changes in the SysReptor user interface. We are looking forward to your feedback. Release will be in January. https://t.co/J5X3yV0Dcp
github.com
🎉 The first draft of our UI rework is done. Before we go to production, we kindly ask for your feedback. Get a preview of the UI at our playground: {no longer active} Note that this is our testing...
0
1
2
We once tried a Google Ads campaign for pentests. And did not win a single customer. Was anyone ever successful in finding pentesting customers via Google Ads?
0
0
2