Seclog - 1

Spotlight : The OpenSSL punycode vulnerability (CVE-2022-3602), GitHub at Black Hat Europe, WordPress Vulnerabilities & Patch etc.


3 min read

CSP-bypass XSS in project settings page (#364164)

XSS with CSP bypass allows attacks to perform arbitrary malicious requests on behalf of victims on HTTP client side, such as, do an API request to access to private resources, etc.

What I learnt from reading 217* Subdomain Takeover bug reports.

A comprehensive analysis of Subdomain Takeovers (SDTO), DNS Hijacking, Dangling DNS, CNAME misconfigurations…

GitHub at Black Hat Europe - GitHub Resources

The OpenSSL punycode vulnerability (CVE-2022-3602): Overview, detection, exploitation, and remediation

The OpenSSL punycode vulnerability (CVE-2022-3602): Overview, detection, exploitation, and remediation

Accused ‘Raccoon’ Malware Developer Fled Ukraine After Russian Invasion – Krebs on Security

A 26-year-old Ukrainian man is awaiting extradition from The Netherlands to the United States on charges that he acted as a core developer for Raccoon, a popular “malware-as-a-service” offering that helped paying customers steal passwords and financial data from millions of cybercrime victims.

Vulnerable Client-Server Application (VuCSA)

Vulnerable client‑server application (VuCSA) is made for learning/presenting how to perform penetration tests of non‑http thick clients. It is written in Java (with JavaFX graphical user interface).

AWS Organizations Defaults - Hacking The Cloud

To help organize and manage those accounts, AWS offers a service called AWS Organizations.

Project Zero: Gregor Samsa: Exploiting Java's XML Signature Verification

This post discusses CVE-2022-34169, an integer truncation bug in this JIT compiler resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard.

Security Releases: Ember 4.8.1, 4.4.4, 3.28.10, 3.24.7

Ember.js 3.24.7, 3.28.10, 4.4.4, 4.8.1, and 4.9.0-beta.3 to patch a security vulnerability.

Top 5 Amazon S3 Bucket Misconfigurations and How to Monitor Them

Amazon S3 bucket misconfigurations

A tale of a simple Apple kernel bug ::

I discovered a flaw in XNU, which is the kernel that Apple uses on both macOS and iOS.

#1685822 RepositoryPipeline allows importing of local git repos

Allows an attacked to clone any repo on gitlab with just the project id

Hanko – Open source authentication beyond passwords

Hanko provides a beautiful login that meets your users where they are, and carefully guides them into a world beyond passwords.

Open Source Authentication and Authorization

About of Authentication and Authorization

WordPress Vulnerabilities & Patch

for wordpress, a good lists.

British govt is scanning all Internet devices hosted in UK

The United Kingdom's National Cyber Security Centre (NCSC), the government agency that leads the country's cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities.

Microsoft's Digital Defense Report 2022

During the past year, cyberattacks targeting critical infrastructure jumped from comprising 20% of all nation-state attacks Microsoft detected to 40%.

Hacking The Cloud - Hacking The Cloud

Hacking the cloud is an encyclopedia of the attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure.

Tactical Lock Picking 101 | Uncensored Tactical

Lock picking and bypasses to get you into locked areas and out of locked restraints during emergencies.

Paralus | Paralus

Zero trust Kubernetes with zero friction