Until NTLM gets disabled by default, Microsoft is working on shoring up defenses against NTLM relay attacks.

Learn how to bypass HTML sanitizers by abusing the intricate parsing rules and mutations. Including my CVE-2024-52595 (lxml_html_clean bypass) and the solution to a hard challenge I shared online

We’ve crafted a bold defense strategy that not only slows scans but actively disrupts and deceives attackers.

Firefox is removing the Do Not Track setting from version 135 onwards. Mozilla recommends using Global Privacy Control setting as alternative,

Want to learn about using a static analysis tool called CodeQL to search for vulnerabilities in Google Chrome? Then this blog post is for you!

Misimplementation of PublicKeyCallback leads to authorization bypass in Go's x/crypto/sshPlatform.

By Nati Tal (Head of Guardio Labs)

This is the personal website of Egidio Romano, a very curious guy from Sicily, Italy. He's a computer security enthusiast, particularly addicted to webapp security.

The WordPress Multilingual Plugin (WPML), with over 1,000,000 active installations, was vulnerable to Remote Code Execution (RCE) via a Server-Side Template Injection (SSTI) vulnerability in the Twig template engine. WPML is a premium plugin that provides…

A Python tool for scanning offline SAP ABAP source code to detect security vulnerabilities

Craft CMS is one of the most popular PHP-based CMSes globally, boasting over 150,000 sites worldwide. This blog post details a pre-authentication RCE vulnerability affecting Craft CMS versions below 4.13.1 and 5.5.1.

TL;DR Reflected input is often unexploitable because the attack ends up in a place which stops it working, such as inside a quoted attribute.

A series of API flaws in McDelivery India made it possible to order food for a penny, hijack other people’s delivery orders, view user information, and more.