Dylan Ayrey
You're going to experience a lot of unverified false positives, but the verification feature should sort them all out for you. Are you able to enable that flag?
Here's a related short blog: https://trufflesecurity.com/blog/its-impossible-to-find-every-vulnerability-so-we-dont-try-to/
I think when the handler unpacks the SQLi data, it should include the column name nearby to help with detection. This is because for some detectors that require keywords close...
Hi @dinvlad, unfortunately some basic testing of detecting JWTs on GitHub turned up greater than 90% of the JWTs uncovered to be test/non-sensitive JWTs. This level of signal to...
You can also find more information about our detection philosophy here https://trufflesecurity.com/blog/its-impossible-to-find-every-vulnerability-so-we-dont-try-to/
Yeah, verifying against JWKS endpoints would be something we'd be open to exploring; that's actually simpler than the idea I had in mind originally.
A PR would be good, but it might be good to chat through a little more. Is the JWKS endpoint usually referenced in the JWT body? Or is the thinking...
I think we should leave off pre-shared key / secret JWT detection for now. The reason I know those have such high false positive rates is I guessed the secret...
@mathbr I just pushed an update that ties into the copy event, instead of the key press event. Can you check to see if it works via highlighting now? https://security.love/Pastejacking
Interesting. So I'm just adding contents to the wrong clipboard then? I believe you'd still be vulnerable to the classic CSS/HTML issue: https://thejh.net/misc/website-terminal-copy-paste