After the initial investigation ennoscriptd “AWS CloudQuarry: Digging for secrets in Public AMIs” was finalized, we continued with the same idea on Azure in order to search for hidden and …

XSS on www.bing.com context via Maps SDK

Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities.…

This blog discusses the security risks of S3 bucket namesquatting in AWS, where attackers could potentially exploit predictable bucket naming patterns that include region names, and documents the author's research finding buckets pre-created for non-existent…

We share a few inconsistencies found in Azure logs which make detection engineering more challenging.

Faction is an open-source security assessment collaboration framework designed to streamline and enhance your security workflows. With…

Local file disclosure in Sitecore 8.x to 10.x that can lead to RCE (CVE-2024-46938) due to an order of operations bug within a handler responsible for reading local files.

Get the latest security insights, tech updates, and impactful tools reviewed in our November 22, 2024, newsletter.

A software engineer's journey into offensive security, sharing insights and tips for transitioning careers and thriving in the infosec field.

The Prototype Pollution vulnerability is specific to the JavaScript programming language. It enables an attacker to add or alter any properties of global object prototypes. Once the property is changed, the code that inherits it will use the injected property…

In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever worked. The investigation began when an alert from a custom…

Discrepancies in how browsers and libraries handle HTTP cookies, and the problems caused by such things.

Making Udon a bit too flexible.

Learn how JWT libraries prevent algorithm confusion attacks and key lessons for improving security code reviews through effective practices and safeguards. A must-read for code reviewers and security engineers

Information Security Services. Offensive Security, Penetration Testing, Mobile and Application, Purple Team, Red Team

Presentation on the vulnerability research conducted on VirtualBox for Pwn2Own Vancouver 2024.

Setting up the environment + Hello World Inspecting and tampering HTTP requests and responses Inspecting and tampering WebSocket messages Creating […]

Brainstorm is a new, smarter web fuzzing tool that combines local LLM models and ffuf to optimize directory and file discovery

AmberWolf Security Research Blog