Orc is a post-exploitation framework for Linux written in Bash - zMarch/Orc

CERT NZ’s ten critical controls would mitigate, or better contain, the majority of attacks we’ve seen.

Mysterious attack on PHP PEAR website, hack of popular WordPress plugin maker, and privacy risks of top free VPN Android apps.

TL;DR: Waiting in the 2FA page could allow you to log in without knowing the current password in many major websites.

Automated web application attacks are terminally limited by the number of HTTP requests they can send. It's impossible to know how many hacks have gone off the rails because you didn't quite manage to

A tool to find subdomains and interesting things hidden inside, external Javanoscript files of page, and Github. - nsonaniya2010/SubDomainizer

Intrusion testing Recently I was engaged in a project where I was supposed to breach an organization and exfiltrate data from within the perimeter of the organization without alerting their SOC. I …

1 vote and 0 comments so far on Reddit

South Korea-based Zcall Delivery Android apps are leaking delivery information, plaintext passwords, and financial information.

2 votes and 0 comments so far on Reddit

We found a new Mirai variant we’ve called Yowai and Gafgyt variant Hakai abusing a ThinkPHP flaw for propagation and DDoS attacks.

0 votes and 0 comments so far on Reddit

This is Worth Trying Out — An Open Source Project for Security Analytics with Snowflake

Steganography Steganography is hiding a file or a message inside of another file , there are many fun steganography CTF challenges out there where the flag is hidden in an image , audio file or even other types of files. Here is a list of the most tools I…

A few weeks back, I and a friend of mine were discussing web frameworks and how he claimed to have made an ‘Impossible to Bypass’ login…

MOSP - Create, edit and share JSON objects

Using this a little article, you can find an interesting security thing in content-disposition in file download and upload time.

The attack consists in 'guessing' the passwords of some dailymotion accounts by automatically trying a large number of combinations.

In this post I explore the uses and limitations of the “perimeter” metaphor and look at the impact from the growth of OSINT in recent…

Along the years, I've been influenced by many great minds on how to do research. I thought I would paste a few of their advice here.
Disregard.
That advice from Feynman’s Breakthrough, Disregard Others!
was really useful to me as I realized that I HAD to…

Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I believed that security wise, once constrained delegation was…