Learn how the OpenSSL punycode vulnerability (CVE-2022-3602) works, how to detect it, and how it can be exploited.

Last week, our automated risk detection platform alerted us to suspicious activity in dozens of newly published PyPI packages. Here's what we uncovered.

Periodic cyber security newsletters that capture the latest news, summaries of conference talks, research, best practices, tools, events, vulnerabilities, and analysis of trending threats and attac...

Symbolic Execution can get a bad rap. Generic symbex tools have a hard time proving their worth when confronted with a sufficiently complex target. However, I have found symbolic execution can be very helpful in certain targeted situations. One of those situations…

We explore the security service urlscan.io and showcase through various "dorks" that their searchable scan database is a treasure trove of URLs pointing to sensitive user information, allowing account takeover, and much more. Part of the data has been leaked…

About Steampipe

Steampipe organizes your cloud metadata into tables and fields that are easily discoverable and readable.

It is the universal interface to APIs. You can SQL to query cloud infrastructure, SaaS, code, logs, and more.
Painlessly joi...

We discovered multiple vulnerabilities in Checkmk, which can be chained together by an unauthenticated, remote attacker to fully take over a vulnerable server.

By Felix Wilhelm, Project Zero Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A cus...

Contribute to jfrog/jfrog-openssl-tools development by creating an account on GitHub.

Background The endless cyber “war” in the levels of OS

A collection of real-world threat model examples across various technologies, providing practical insights into identifying and mitigating security risks. - GitHub - TalEliyahu/Threat_Model_Exampl...

What's New
Change History
Installation Guide
SHA-256: a5163f50bd6ce725c4c8638f7505b64bb603ea6bfe3f7d9ed4e403236716f787

We look at how fuzzing should have caught the OpenSSL Punycode vulnerability, and why that code was even necessary in the first place.

One day based on https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html - GitHub - Bdenneu/CVE-2022-33679: One day based on https://googleprojectzero.blogspot.com/2022/...

Determine whether your compute is truly vulnerable to a specific vulnerability by accounting for all factors which affect *actual* exploitability (runtime execution, configuration, permissions, exi...

The threat intelligence team of Cleafy analyzed the Android Malware Vultur and its journey from Google Play to banking fraud. Read here the technical analysis.

AWS Organizations is a common service to run into in AWS environments. It's default behavior can make it a target for attackers.

Keeping up with security research is near impossible. ThinkstScapes helps with this. We scour through thousands of blog posts, tweets and conference proceedings to give you an overview of the work we think significantly moves the needle.