There’s usually no need to get fancy when implementing discount codes, but Grubhub’s scale has pushed us to go beyond random strings.

AppSec is often very heavily focused on pre-exploitation. Frameworks like BeEF break this norm a little and can be used as tools to move laterally from the browser, to implant malware on adjacent machines. Unfortunately, performing network reconnaissance…

Scripts to execute enumeration via LFI. Contribute to mthbernardes/LFI-Enum development by creating an account on GitHub.

0 votes and 0 comments so far on Reddit

CVE-2019-0227, a vulnerability where an insecure HTTP request or an expired hard coded domain can be used to achieve RCE in Apache Axis 1.4

Text originally published by Lyton Atinga on the Cyber Secure Central Forums.

During the course of a Red Team exercise serveral QA assets where discovered. In particular the usage of the Selenium Grid platform without authentication caught the team's attention.The aim for this article is to explain how a QA platform exposed to the…

Twitter: chybeta

Rooting the Verizon Fios Quantum Gateway

Contribute to mthbernardes/CuppaCMS development by creating an account on GitHub.

So I m starting my blog with this technical writeup. I have tried to write this blog for a long time. but as I was coding and reading different books in Freetime. it took me a bit of time but here am I with this.

In this blog post I will discuss leveraging Meterpreter’s powershell module to execute .NET assemblies in-memory. Metasploit and Meterpreter are effective and useful tools, but occasionally one encounters a situation where they lack features. Cobalt Strike…

Intel Active Management Technology (AMT) is a feature provided by Intel for remote administration. Death Metal is a toolkit designed to exploit AMT’s legitimate features, as the AMT framework’s functionality, designed for innocent system administration purposes…

0 votes and 0 comments so far on Reddit

Phrack staff website.

Expression Language injection or EL Injection for short is an attack vector I'd never heard of until recently. This post talks about leveraging EL for RCE.

The cloak and dagger attack exploits a combination of drawing over other apps and the large amount of access to other apps given to…

In this first blog post in a series about Azure Security Logging, we will give a general overview of the types of logs available for Azure services including their storage options. We will also dis…

A complex attack chain incorporating the CVE-2018-20250 exploit and multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines.

Technical post about vulnerabilies in Nagios XI 5.5.10 which allow a remote attacker to gain root privileges on the system through an XSS, RCE and LPE.