Today, we are releasing a new tool called SharpConflux, a .NET application built to facilitate Confluence exploration. It allows Red Team operators to easily investigate Confluence instances with the goal of finding credential material and documentation relating…

The Leading Security Assessment Framework for Android. - ReversecLabs/drozer

On 26 March 2024, Phylum’s automated risk detection platform picked up yet another typosquat campaign targeting some attackers’ favorite targets in PyPI. As of writing, this attack still appears to be active and has come in two big waves after about a 20…

By Oriol Castejón Overview This post discusses a use-after-free vulnerability, CVE-2024-0582, in io_uring in the Linux kernel. Despite the vulnerability being patched in the stable kernel in December 2023, it wasn’t ported to Ubuntu kernels for over two months…

Bref Security Audit, sponsored by Amazon Web Services (AWS), facilitated by Open Source Technology Improvement Fund (OSTIF) and performed by Shielder.

Security research on GPTs and LLMs has only just begun. It’s already become a meme to force customer service chatbots to start programming…

In this new series, CJ May shares his expertise in implementing secure-by-design software processes that empower engineering teams.
The first stage of his DevSecOps program: vulnerability management.

A detail guide on how to capture the flag using return oriented programming buffer overflow challenge on ROP Emporium.

Discover what cyber deception is, how it works, and why organizations need it to detect, mislead, and stop attackers effectively.

In this blog post, we’ll go over the construction and tuning of a few Semgrep rules I created while looking at a Ruby on Rails application. Semgrep is a powerful code analysis tool, and while there are a fair number of community rules, the default rules don’t…

Key Takeaways In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After load…

How I could bypass DOMPurify with XML

For this last years Binary Golf Grand Prix the goal was to:
Create the smallest self-replicating file.
Requirements:

xz/liblzma Backdoor: Open Source Nuke? Maybe Not That Bad! Story Background On March 29, 2024, a report exposing a backdoor in the upstream source code of the controversial open-source project, the xz software package, was made public on the oss-security…

notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot

OSINT tool that finds domains, subdomains, directories, endpoints and files for a given seed URL. - caio-ishikawa/netscout

An IBIS hotel check-in terminal leaked room door key codes of almost half of the rooms.

See how Oligo ADR Detects Exploitation of CVE-2024-3094 (XZ backdoor in liblzma).