Examples with how to not use secrets. Contribute to commjoen/wrongsecrets development by creating an account on GitHub.

This disclosure is of the Extensis Portfolio software which was deployed publicly on the internet with default administrative credentials found by White Oak Sec

This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successful…

In January 20, 2022 Amazon AWS has introduced a new threat detection in GuardDuty to block credential exfiltrations. Can be bypassed?

If  you want to run code to provide observability, security or network functionality, running it in the kernel of your operating system gives you a lot of power because that kernel can see and control everything on the system. That’s powerful, but potentially…

Create, distribute, host, and monetize your podcast, 100% free.

As the noscript states, the latest release of Certipy contains many new features, techniques and improvements. This blog post dives into the…

rconn is a multiplatform program for creating generic reverse connections. Lets you consume services that are behind firewall or NAT without opening ports or port-forwarding. - GitHub - jafarlihi/r...

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability…

Warning to the reader
This is my first time doing kernel exploit development - so the following probably contains some errors which I apologise in advance for.

A command-line tool to quickly analyze all IPs in a file and see which ones have open ports/ vulnerabilities. Can also be fed data from stdin to be...

Contribute to halencarjunior/plsc4n development by creating an account on GitHub.

CVE-2021-28500 Talkative Marmot For those of you who that don’t want to read the whole back story and just want to see what CVE-2021-28500 (#TalkativeMarmot) is, you can review Arista’s full detailed security advisory here.
Essentially, this is an authentication…

It was found that unexpected behaviors in the query’s escape function could cause a SQL injection in mysqljs/mysql

We built an AirTag clone capable of silently and continuously tracking someone. The device accomplishes this by sending just one beacon per generated public key, thereby staying invisible to tracking notifications for iOS users and Apple’s Tracker Detect…

Today I wanted to talk about using the deception technology called New-HoneyHash.ps1. This is a tool that was inspired by Mark Baggett and authored by Matt Graeber, that will inject fake credential…

Command line fuzzer and bruteforcer 🌪 wfuzz for command - GitHub - ariary/cfuzz: Command line fuzzer and bruteforcer 🌪 wfuzz for command

Download the Practical Guide to Attacking JWT (JSON Web Tokens). Must read for pentesters, developers, security professionals and researchers.

We recently discovered a code vulnerability in Horde Webmail that can be used by attackers to take over email accounts by sending a malicious email.