We discovered major vulnerabilities in Control Web Panel. Here’s how we found them
https://www.immersivelabs.com/blog/we-discovered-major-vulnerabilities-in-control-web-panel-heres-how-we-found-them/
https://www.immersivelabs.com/blog/we-discovered-major-vulnerabilities-in-control-web-panel-heres-how-we-found-them/
Immersive Labs
We discovered major vulnerabilities in Control Web Panel. Here’s how we found them.
Overview
Earlier this year, researchers at Immersive Labs responsibly disclosed several vulnerabilities in Centos Web Panel, which was recently rebranded as Control Web Panel (CWP).
The vulnerabilities we found allowed malicious actors to take over accounts…
Earlier this year, researchers at Immersive Labs responsibly disclosed several vulnerabilities in Centos Web Panel, which was recently rebranded as Control Web Panel (CWP).
The vulnerabilities we found allowed malicious actors to take over accounts…
👍13❤4
How I found an XSS vulnerability via using emojis
https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209
https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209
Medium
How I found an XSS vulnerability via using emojis
An unusual type of Cross-Site Scripting vulnerability made by emoticons
👍26🐳12🔥6
Bypass Captcha using Turbo Intruder leads to Bruteforce attack - Bug Bounty
https://www.cyberick.com/post/bypass-captcha-using-turbo-intruder-leads-to-bruteforce-attack-bug-bounty
https://www.cyberick.com/post/bypass-captcha-using-turbo-intruder-leads-to-bruteforce-attack-bug-bounty
👍12
Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS!
https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html
https://blog.orange.tw/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.html
Orange Tsai
Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS!
Hi, this is my fifth time speaking at Black Hat USA and DEFCON. You can get the slide copy and video there: Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (slides) Let’s Dan
👍3
Browser-Powered Desync Attacks
A New Frontier in HTTP Request Smuggling
https://i.blackhat.com/USA-22/Wednesday/us-22-Kettle-Browser-Powered-Desync-Attacks.pdf
A New Frontier in HTTP Request Smuggling
https://i.blackhat.com/USA-22/Wednesday/us-22-Kettle-Browser-Powered-Desync-Attacks.pdf
👍4
Building Your Own Historical DNS Solution with DNSx
https://blog.projectdiscovery.io/building-your-own-historical-dns-solution-with-dnsx/
https://blog.projectdiscovery.io/building-your-own-historical-dns-solution-with-dnsx/
ProjectDiscovery
Building Your Own Historical DNS Solution with DNSx — ProjectDiscovery Blog
If you’ve been following these blogs, you’ll see that in the last article, we hacked together a basic attack surface monitoring platform using projectdiscovery tools.
Using some of those basic building blocks, we’re going to build a basic historical DNS…
Using some of those basic building blocks, we’re going to build a basic historical DNS…
👍1
Intigriti chats to Will Chilcutt of Yahoo’s Infosecurity team about their upcoming live hacking event
https://blog.intigriti.com/2022/08/18/intigriti-chats-will-chilcutt-yahoos-infosecurity-team-about-their-upcoming-live-hacking-event/
https://blog.intigriti.com/2022/08/18/intigriti-chats-will-chilcutt-yahoos-infosecurity-team-about-their-upcoming-live-hacking-event/
Intigriti
Intigriti chats to Will Chilcutt of Yahoo’s Infosecurity team about their upcoming live hacking event
Yahoo’s second live hacking event with Intigriti is just around the corner. Without giving too much away, this exciting event will bring together a select group of Intigriti’s security researchers to...
👍5
Critical Local File Read in Electron Desktop App
https://bugcrowd.com/disclosures/f7ce8504-0152-483b-bbf3-fb9b759f9f89/critical-local-file-read-in-electron-desktop-app
https://bugcrowd.com/disclosures/f7ce8504-0152-483b-bbf3-fb9b759f9f89/critical-local-file-read-in-electron-desktop-app
Bugcrowd
Critical Local File Read in Electron Desktop App - CrowdStream - Bugcrowd
Bugcrowd's bug bounty and vulnerability disclosure platform connects the global security researcher community with your business. Crowdsourced security testing, a better approach! Run your bug bounty programs with us.
👍8
GraphQL Security Testing Without a Schema
https://blog.forcesunseen.com/graphql-security-testing-without-a-schema
https://blog.forcesunseen.com/graphql-security-testing-without-a-schema
👍5
You Have One New Appwntment: Exploiting iCalendar Properties in Enterprise Applications
https://spaceraccoon.dev/exploiting-icalendar-properties-enterprise-applications/
https://spaceraccoon.dev/exploiting-icalendar-properties-enterprise-applications/
spaceraccoon.dev
You Have One New Appwntment: Exploiting iCalendar Properties in Enterprise Applications
First defined in 1998, the iCalendar standard remains ubiquitous in enterprise software. However, it did not account for modern security concerns and allowed vendors to create proprietary extensions that expanded the format’s attack surface. I demonstrate…
👍1
Intercept Flutter traffic on iOS and Android (HTTP/HTTPS/Dio Pinning)
https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/
https://blog.nviso.eu/2022/08/18/intercept-flutter-traffic-on-ios-and-android-http-https-dio-pinning/
NVISO Labs
Intercept Flutter traffic on iOS and Android (HTTP/HTTPS/Dio Pinning)
This post explains how to bypass TLS verification on Flutter apps, including bypassing Dio Pinning.
Oralyzer, a simple python noscript that probes for Open Redirection vulnerability in a website. It does that by fuzzing the URL that is provided in the input. https://github.com/r0075h3ll/Oralyzer
GitHub
GitHub - r0075h3ll/Oralyzer: Open Redirection Analyzer
Open Redirection Analyzer . Contribute to r0075h3ll/Oralyzer development by creating an account on GitHub.
👍6❤1
Meet two hackers heading to Yahoo’s live hacking event, 1337UP0822
https://blog.intigriti.com/2022/08/23/meet-two-hackers-heading-to-yahoos-live-hacking-event-1337up0822/
https://blog.intigriti.com/2022/08/23/meet-two-hackers-heading-to-yahoos-live-hacking-event-1337up0822/
Must Have Browser Extensions for Bug Bounty
https://hacknopedia.com/2022/08/17/must-have-browser-add-ons-or-extensions-for-bug-bounty/
https://hacknopedia.com/2022/08/17/must-have-browser-add-ons-or-extensions-for-bug-bounty/
👍19
Visma’s Bug Bounty Program Manager speaks to Intigriti about the practice of running a successful program
https://blog.intigriti.com/2022/08/24/vismas-bug-bounty-program-manager-speaks-to-intigriti-about-the-practice-of-running-a-successful-program/
https://blog.intigriti.com/2022/08/24/vismas-bug-bounty-program-manager-speaks-to-intigriti-about-the-practice-of-running-a-successful-program/
Intigriti
Intigriti interviews Visma’s Bug Bounty Program Manager
Visma’s Bug Bounty Program Manager speaks to Intigriti about the practice of running a successful bug bounty program.
👍2
How I was able to delete 13k+ Microsoft Translator projects
https://haiderm.com/how-i-was-able-to-delete-13k-microsoft-translator-projects/
https://haiderm.com/how-i-was-able-to-delete-13k-microsoft-translator-projects/
⚡1👍1
Another day and more good news for you!🤩
We are happy to announce the launch of 2 new bug bounty programs from @avalancheavax
https://hackenproof.com/avalanche
Join and earn up to $100K!
Happy hacking!🥳🎉
Via: https://twitter.com/hackenproof/status/1547497722953011201
We are happy to announce the launch of 2 new bug bounty programs from @avalancheavax
https://hackenproof.com/avalanche
Join and earn up to $100K!
Happy hacking!🥳🎉
Via: https://twitter.com/hackenproof/status/1547497722953011201
👍6
Chaining bugs in Telegram for Android app to steal session-related files
https://dphoeniixx.medium.com/chaining-telegram-bugs-to-steal-session-related-files-c90eac4749bd
https://dphoeniixx.medium.com/chaining-telegram-bugs-to-steal-session-related-files-c90eac4749bd
Medium
Chaining Telegram bugs to steal session-related files.
We will discuss the chaining of two bugs on the telegram android application, which can make malicious applications steal internal telegram…
👍11