JSON endpoints without tokens don’t leak; they whisper
https://ift.tt/2B9Mnu3
Submitted August 14, 2018 at 06:46PM by albinowax
via reddit https://ift.tt/2P72FXq
https://ift.tt/2B9Mnu3
Submitted August 14, 2018 at 06:46PM by albinowax
via reddit https://ift.tt/2P72FXq
Medium
JSON endpoints without tokens doesn’t leak they whisper
Exploiting interesting feature in HTML5 https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API/Using_the_Resource_Timing_API…
Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution
https://ift.tt/2MJ36Wl
Submitted August 14, 2018 at 10:41PM by u0000
via reddit https://ift.tt/2Mn4XmQ
https://ift.tt/2MJ36Wl
Submitted August 14, 2018 at 10:41PM by u0000
via reddit https://ift.tt/2Mn4XmQ
reddit
r/netsec - Foreshadow: Extracting the Keys to the Intel SGX Kingdom with Transient Out-of-Order Execution
7 votes and 1 comment so far on Reddit
Multi-Factor Mixup: Who Were You Again? Exploiting Microsoft ADFS MFA integration
https://ift.tt/2MmRZFv
Submitted August 14, 2018 at 10:56PM by overflowingInt
via reddit https://ift.tt/2OyvRpa
https://ift.tt/2MmRZFv
Submitted August 14, 2018 at 10:56PM by overflowingInt
via reddit https://ift.tt/2OyvRpa
Okta
Multi-Factor Mixup: Who Were You Again?
Summary:
hideNsneak - enabling obfuscation of attack infrastructure through DevOps
https://ift.tt/2Jkz2xH
Submitted August 15, 2018 at 12:33AM by karmicSec
via reddit https://ift.tt/2BcPG3L
https://ift.tt/2Jkz2xH
Submitted August 15, 2018 at 12:33AM by karmicSec
via reddit https://ift.tt/2BcPG3L
GitHub
rmikehodges/hideNsneak
hideNsneak - a CLI for ephemeral penetration testing
Playback - a TLS 1.3 story
https://ift.tt/2OBJNih
Submitted August 15, 2018 at 04:54AM by vamediah
via reddit https://ift.tt/2KRVhfk
https://ift.tt/2OBJNih
Submitted August 15, 2018 at 04:54AM by vamediah
via reddit https://ift.tt/2KRVhfk
Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem
https://ift.tt/2LKMf98
Submitted August 15, 2018 at 04:41AM by thebrachy
via reddit https://ift.tt/2P8wQgM
https://ift.tt/2LKMf98
Submitted August 15, 2018 at 04:41AM by thebrachy
via reddit https://ift.tt/2P8wQgM
seclists.org
oss-sec: Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem
August 2018 .NET Framework Security and Quality Rollup
https://ift.tt/2MJi5PT
Submitted August 15, 2018 at 04:33AM by jdrch
via reddit https://ift.tt/2BbsmDj
https://ift.tt/2MJi5PT
Submitted August 15, 2018 at 04:33AM by jdrch
via reddit https://ift.tt/2BbsmDj
Microsoft
August 2018 .NET Framework Security and Quality Rollup
A first-hand look from the .NET engineering teams
L1 Terminal Fault / CVE-2018-3615 , CVE-2018-3620,CVE-2018-3646 / INTEL-SA-00161
https://ift.tt/2MqlgPB
Submitted August 15, 2018 at 05:26AM by jdrch
via reddit https://ift.tt/2MplMNW
https://ift.tt/2MqlgPB
Submitted August 15, 2018 at 05:26AM by jdrch
via reddit https://ift.tt/2MplMNW
reddit
r/netsec - L1 Terminal Fault / CVE-2018-3615 , CVE-2018-3620,CVE-2018-3646 / INTEL-SA-00161
1 vote and 0 comments so far on Reddit
CVE-2018-8302: Getting code execution on Microsoft Exchange through a .NET BinaryFormatter Deserialization vulnerability.
https://ift.tt/2KSIvNI
Submitted August 15, 2018 at 07:12AM by RedmondSecGnome
via reddit https://ift.tt/2nFNs2U
https://ift.tt/2KSIvNI
Submitted August 15, 2018 at 07:12AM by RedmondSecGnome
via reddit https://ift.tt/2nFNs2U
Zero Day Initiative
Voicemail Vandalism: Getting Remote Code Execution on Microsoft Exchange Server
We recently received a bug report with an intriguing denoscription: “A non-privileged Exchange user can run arbitrary code as "NT AUTHORITY\SYSTEM" in the Exchange Server through a .NET BinaryFormatter Deserialization vulnerability.” It definitely caught…
Phone Call to XXE via Interactive Voice Response
https://ift.tt/2Pat1I3
Submitted August 15, 2018 at 07:09AM by sxcurity
via reddit https://ift.tt/2MPPGrP
https://ift.tt/2Pat1I3
Submitted August 15, 2018 at 07:09AM by sxcurity
via reddit https://ift.tt/2MPPGrP
HackerOne
cdl published a vulnerability from ██████ on HackerOne: Phone Call...
| Summary |
|--|
> ████ is vulnerable to XXE due to the processing of DTDs
| Denoscription |
|--|
> *"VoiceXML (VXML) is a digital document standard for specifying interactive media and voice...
|--|
> ████ is vulnerable to XXE due to the processing of DTDs
| Denoscription |
|--|
> *"VoiceXML (VXML) is a digital document standard for specifying interactive media and voice...
Australian Govt releases draft laws targeting encryption
https://ift.tt/2MsouC8
Submitted August 15, 2018 at 09:26AM by StewPoll
via reddit https://ift.tt/2MKDNmB
https://ift.tt/2MsouC8
Submitted August 15, 2018 at 09:26AM by StewPoll
via reddit https://ift.tt/2MKDNmB
Account takeover due to blind MongoDB injection
https://ift.tt/2MO3FhG
Submitted August 15, 2018 at 07:58PM by albinowax
via reddit https://ift.tt/2nGfziJ
https://ift.tt/2MO3FhG
Submitted August 15, 2018 at 07:58PM by albinowax
via reddit https://ift.tt/2nGfziJ
HackerOne
Node.js third-party modules disclosed on HackerOne: [flintcms]...
I would like to report a privilege escalation vulnerability in flintcms.
It allows to reset a known user password, extract its password reset token and reset its password to then access the...
It allows to reset a known user password, extract its password reset token and reset its password to then access the...
hideNsneak - An Attack Infrastructure Obfuscation Framework
https://ift.tt/2Jkz2xH
Submitted August 15, 2018 at 08:41PM by karmicSec
via reddit https://ift.tt/2MOTmtR
https://ift.tt/2Jkz2xH
Submitted August 15, 2018 at 08:41PM by karmicSec
via reddit https://ift.tt/2MOTmtR
GitHub
rmikehodges/hideNsneak
hideNsneak - a CLI for ephemeral penetration testing
hideNsneak - Automate, Manage, and Configure Your Attack Infrastructure with Cloud Solutions to Save Time and Evade Detection
https://ift.tt/2Jkz2xH
Submitted August 15, 2018 at 09:03PM by karmicSec
via reddit https://ift.tt/2MM3lQt
https://ift.tt/2Jkz2xH
Submitted August 15, 2018 at 09:03PM by karmicSec
via reddit https://ift.tt/2MM3lQt
GitHub
rmikehodges/hideNsneak
hideNsneak - a CLI for ephemeral penetration testing
PHAR Deserialization - A New PHP Exploitation Technique
https://ift.tt/2Bm85ey
Submitted August 15, 2018 at 09:39PM by martinbdz
via reddit https://ift.tt/2BbcLUr
https://ift.tt/2Bm85ey
Submitted August 15, 2018 at 09:39PM by martinbdz
via reddit https://ift.tt/2BbcLUr
Announcing Gopherus: Generate Gopher payload for exploiting SSRF and lead to RCE, on SSRF vulnerable sites
I've written this tool for MySQL, FastCGI, Memcached, Redis, Zabbix, SMTP servers.A detailed denoscription can be found here: https://github.com/tarunkant/Gopherusblog post on the same: https://spyclub.tech/2018/blog-on-gopherus/
Submitted August 15, 2018 at 09:10PM by tarunkant
via reddit https://ift.tt/2vSRJoz
I've written this tool for MySQL, FastCGI, Memcached, Redis, Zabbix, SMTP servers.A detailed denoscription can be found here: https://github.com/tarunkant/Gopherusblog post on the same: https://spyclub.tech/2018/blog-on-gopherus/
Submitted August 15, 2018 at 09:10PM by tarunkant
via reddit https://ift.tt/2vSRJoz
GitHub
tarunkant/Gopherus
This tool generates gopher link for exploiting SSRF and gaining RCE in various servers - tarunkant/Gopherus
Analysing CVE-2018-13417 for files, hashes and shells
https://ift.tt/2KXacF0
Submitted August 15, 2018 at 09:52PM by r3b00tu53r
via reddit https://ift.tt/2KUv4gc
https://ift.tt/2KXacF0
Submitted August 15, 2018 at 09:52PM by r3b00tu53r
via reddit https://ift.tt/2KUv4gc
in.security Cyber Security Services
Analysing CVE-2018-13417 for files, hashes and shells | in.security Cyber Security Services
CVE-2018-13417 was released this August that disclosed an out-of-band XXE vulnerability in the SSDP/UPnP functionality of the XML parsing engine in the popular Vuze Bittorrent client
Password and Credential Management in 2018 - State of the art security for the most valuable secrets
https://ift.tt/2ML1gEh
Submitted August 15, 2018 at 01:48PM by fharw
via reddit https://ift.tt/2ODErCZ
https://ift.tt/2ML1gEh
Submitted August 15, 2018 at 01:48PM by fharw
via reddit https://ift.tt/2ODErCZ
Medium
Password and Credential Management in 2018 🔒
State of the art security for the most valuable secrets
Decided to write a proper guide for WP malware removal. Hopefully it can be helpful if someone comes to you with such issue.
https://ift.tt/2OE4dXX
Submitted August 16, 2018 at 02:18AM by ded1cated
via reddit https://ift.tt/2vLzLUN
https://ift.tt/2OE4dXX
Submitted August 16, 2018 at 02:18AM by ded1cated
via reddit https://ift.tt/2vLzLUN
WebARX
Comprehensive WordPress Malware Removal Guide
Complete step-by-step technical tutorial for WordPress malware removal. Remove WordPress malware, backdoors, SEO Injection, htaccess hack and learn how to remove WordPress site from google blacklist. Extra tips for making the site secure! Everything in one…
A cr4cking g00d time – walkthrough (password cracking CTF answers)
https://ift.tt/2vOdNQT
Submitted August 16, 2018 at 07:23PM by Griffnut
via reddit https://ift.tt/2PbtKsJ
https://ift.tt/2vOdNQT
Submitted August 16, 2018 at 07:23PM by Griffnut
via reddit https://ift.tt/2PbtKsJ
in.security Cyber Security Services
A cr4cking g00d time - walkthrough | in.security Cyber Security Services
It's been a few weeks since we released A cr4cking g00d time and we'd first like to thank everyone who gave it a go. We've received great feedback and are very pleased to hear that people have attained new levels of password cracking-fu in the process
British and Canadian Governments Accidentally Exposed Passwords and Security Plans to the Entire Internet
https://ift.tt/2MWlyuU
Submitted August 17, 2018 at 12:12AM by KushagraX
via reddit https://ift.tt/2MipBFn
https://ift.tt/2MWlyuU
Submitted August 17, 2018 at 12:12AM by KushagraX
via reddit https://ift.tt/2MipBFn
The Intercept
British and Canadian Governments Accidentally Exposed Passwords and Security Plans to the Entire Internet
On Trello, a project management site, the governments posted credentials for servers and domain names and even some emails and code.