Cover image

In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed an attacker to partially bypass the login rate limit.

Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more. - GitHub - mazen160/secrets-patterns-db: Secrets Patterns DB: The largest open-so...

We're adding support for pulling logs and enrichment data from identity and auth sources to your Matano data lake. This means you can query failed/successful sign-in attempts, view audit logs, and query user information from popular SaaS sources directly…

A tool to recover from ESXiArgs ransomware. Contribute to cisagov/ESXiArgs-Recover development by creating an account on GitHub.

Avast discovered an exploit for CVE-2021-38003 was used in the wild to attack Dota 2 players. This exploit achieved remote code execution on other players' machines by taking advantage of Dota's usage of an outdated V8 version. In response to Avast's findings…

TL;DR ¶ In this post, I investigate why developers struggle with CORS and I derive Fearless CORS, a design philosophy for better CORS middleware libraries, which comprises the following twelve principles:
Optimise for readability Strive for a simple and…

Rust is a programming language guaranteeing memory and thread safety while still being able to access raw memory and hardware. This sounds impossible, and it is, that’s why Rust has an unsafe keywo…

Welcome to the Top 10 Web Hacking Techniques of 2022, the 16th edition of our annual community-powered effort to identify the most important and innovative web security research published in the last

In this article we present the analysis of one hundred (100) vulnerabilities that you should keep an eye on and prioritize them according to your environment.

Understanding the OpenSSH CVE-2023-25136 high vulnerability. Read our analysis with Proof-of-Concept, learn what's vulnerable, and discover remediations.

This blog post evaluates the state of the art with phishing, which techniques are still relevant and what know-how is worth revisiting. Additionally an overview of various techniques across the three stages of a phishing campaign, an overview of features…

With the continuous rise of graph databases, especially Neo4j, we're seeing increased discussions among security researchers about issues found in those databases. However, given our experience with graph databases ― from designing complex and scalable solutions…

GreyNoise researchers provide context around the mass confusion that is the state of ransomware campaigns against exposed VMWare ESXi hosts and bad attribution takes.

We had a security incident. Here’s what we know. - No votes and no comments

Author : https://twitter.com/123456 Avalanche just fucked me out of a sizable bug bounty — so I immediately found another bug to disclose to the public. This is a remote API DoS/crash that should OOM chain P and render a vulnerable node mostly or entirely…

Found SaltStack on a network and don't know how to attack the thing? Check out how a few configuration issues and a new spin on Jinja template injections can undo a network managed by Salt.

convert secret patterns to gf compatible. Contribute to dwisiswant0/secpat2gf development by creating an account on GitHub.

Find Writable Shares. Contribute to oldboy21/RSMBI development by creating an account on GitHub.