@Phantasm_Lab – Telegram
- Red x Blue Security
- Bug Bounty 💷 💵
- Exploitable tools
- Programming Languages
- Malware Analysis

🇺🇸 🇧🇷 🇪🇸

since 2017 ©


Partners:
@TIdaDepressaoOficial @acervoprivado @ReneGadesx @G4t3w4y
Exploit Subdomain Takeover Vulnerability

Subdomain and bucket sniping is a very easy to find and dangerous vulnerability that attackers use to exploit and perform phishing attacks. In this episode, we have discussed what these vulnerabilities are, examples and mitigation strategy.

https://youtu.be/FrleeNN-gXw
CVE-2020-1350 SIGRed PoC Demo - Microsoft Windows DNS Server DoS Vulnerability

This vulnerability has been identified by researchers from CheckPoint and Microsoft as Critical with the ability to perform Remote Code Execution. In this Proof of Concept, the vulnerability is designed to crash the DNS Server as a Denial of Service.

https://youtu.be/gZo1EufWj-E
DNS Attacks Explained

https://youtu.be/czKHFxaO56c
DNS Amplification Attack

Attackers are taking advantage of weaknesses in the DNS protocol in order to launch a high bandwidth sophisticated attack on their victim using amplification effects. Learn more about how to prevent DNS amplification attacks.

https://youtu.be/xTKjHWkDwP0
Spootniks - Many countries got it wrong in the fight against the coronavirus. No one got it more wrong than the Chinese government.

This documentary was produced with a single goal: to follow the first steps of the biggest pandemic of the twenty-first century. To do so, we built a timeline with literally hundreds of pieces of information essential to understanding how we went from a supposedly harmless pneumonia outbreak in a city in China's interior to the greatest danger to humanity since the end of the Second World War.

https://youtu.be/_V4r5ibOm5g
Forwarded from Security Talks (Jonhnathan Jonhnathan Jonhnathan)
Breach: From Recon to penetrating the perimeter, to actions on the target

https://youtu.be/e99iQC-dod8

@SecTalks
XXE on www.publish.engelvoelkers.com

An XML External Entities vulnerability has been found on www.publish.engelvoelkers.com:8443. Initially a GET request was made to /dp/services and that returned a 500 Error with some XML data. Changing the HTTP request method to POST with some XML data produced a different response, so it appeared to process XML data.

https://hackerone.com/reports/914801
Starbucks - Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg

ko2sec discovered that an .ashx endpoint on mobile.starbucks.com.sg intended for image files permitted unrestricted file type uploads, which could lead to a potential RCE. ko2sec's thorough analysis provided additional endpoints on other out of scope domains that shared this vulnerability.

https://hackerone.com/reports/1027822
Dumping S3 Buckets | Exploiting S3 Bucket Misconfigurations

In this video, we will take a look at how to perform reconnaissance on AWS S3 buckets and how to exploit S3 bucket permission configurations to list and dump the contents of a poorly configured S3 bucket.

https://youtu.be/ITSZ8743MUk
What is a Web Application Firewall (WAF)?

Traditional network firewalls (Layer 3-4) do a great job preventing outsiders from accessing internal networks. But these firewalls offer little to no support in the protection of application layer traffic.

https://youtu.be/p8CQcF_9280
TOP FIREWALL MISCONFIGURATIONS THAT LEAD TO EASY EXPLOITATIONS BY ATTACKERS

Network security should be a major focus for companies moving to the cloud. Cloud networks are exposed to the Internet and companies don’t have direct control of the hardware running them. When not configured correctly, networks in the cloud could be attacked and breached.

https://www.hackerone.com/blog/Top-Firewall-Misconfigurations-that-Lead-to-Easy-Exploitations
Forwarded from @Phantasm_Lab
NSA - Project X: Atomic Attack (Documentary by Laura Poitras - Narrated by Rami Malek) [Subtitled]

The mysterious building at 33 Thomas Street is capable of withstanding an atomic bomb; inside it are billions of e-mails and metadata records, spying on more than 38 countries. The NSA (National Security Agency) collected this data.

https://youtu.be/JLrtmPAV8I4
[webapps] Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)

https://www.exploit-db.com/exploits/50088
Forwarded from @Phantasm_Lab ([L]uth1er)
[Vulnerability] - Cookie Stored injection - XSS at Heroic Third Service, call cookies!

The application calls an external service to create the cookies and they are sent back to the server!

https://youtu.be/maatBdt8TPY

Youtube: @Phatansm_Lab
Network Security Horror Stories: Firewall Misconfigurations

Here we are with our second installment of network security horror stories, and having already discussed some of the firewall change control issues, in this article we’re going to review some firewall misconfigurations I’ve seen at client sites. The firewall plays an important part in your security architecture and needs to be configured properly in order to gain the most from this layer of security. Here are a few stories of classic firewall misconfigurations:

https://www.algosec.com/blog/network-security-horror-stories-firewall-misconfigurations/