2021-09-21 01:20:41 Bug Bounty in InfoSec Write-up
Hey guyz, once again I am back with a new writeup!!
To all who don't know me: I am Krishnadev P Melevila, a cyber security researcher and Google certified digital marketer. You can search my name on Google.
Here I mention the target as example.com as I am not able to disclose the target details as per their policy.
So let's start!!!
I was totally bored one day, then I thought of finding some bugs. Every time, I usually enumerate educational websites like Entri app, Linways etc., so I thought about a change. So I googled “Hospital management system” and came to my target website, called example.com.
On that site, we can take appointments for hospital consultations and direct doctor consultations. So I went to the profile section, and there I entered “<h1>hello</h1>” instead of my name. Woooha!! It was an HTML injection!!!
But wait!!!! As there is a chance for HTML injection, then there is a chance for XS
2021-09-21 01:20:40 Bug Bounty in InfoSec Write-up
Hello, it’s Mano Prasanth here,
This write-up is about a simple Rate-limiting bug which I found on Instagram.
This is my first bug report at Instagram. As a noob bug hunter, I tried various hunting methods to find a bug in Facebook. First, I started with Authentication and moved further into other types. But it seemed everything was secure with authentication, to my knowledge :/ (Anyway nothing is completely secure).
Before this report, I was hunting on Bugcrowd, but unfortunately my previous reports were duplicates. Then I started to hunt private programs and got some valid bugs. Then I thought of finding bugs in GAFAM and decided to hunt for Facebook’s acquisitions.
This isn’t a severe bug but rather a low-level bug that has the potential to get rid of your enemies in Instagram Lol.
This bug allowed anyone on Instagram to report a user an unlimited number of times (abuse risk). If you try to do it manually, you might end up frustrated or wasting a day. Generally, most of
2021-09-21 01:20:20 Security Boulevard
This is a follow-on column to my May 10, 2021 BlogInfoSec post “Will Full Autonomy Ever Be Realized?” It is prompted in part by the recent decision by the NHTSA (National Highway Transportation Safety Administration) to investigate a number of crashes that occurred when Tesla’s Autopilot system was active, specifically when it failed to recognize […]
The post The Demise of Self-Driving Cars as Such appeared first on Security Boulevard.
2021-09-21 01:20:20 Security Boulevard
Today's ransomware actors are operating to devastating effect as evidenced by the Colonial Pipeline and JBS attacks, showing that a successful attack can disrupt any business.
The post Webinar: Inside the REvil Ransomware – Pick Your Path appeared first on Security Boulevard.
2021-09-21 01:20:20 Security Boulevard
In a research report published earlier this year, Gartner described how to implement API discovery as a way to improve API Management and Security. With the understanding that you cannot protect what you cannot see, most security professionals would fully agree that the first step in building a successful API management and security program is […]
The post Top 5 API Discovery Insights for Security Teams appeared first on Cequence.
The post Top 5 API Discovery Insights for Security Teams appeared first on Security Boulevard.
2021-09-21 01:20:20 Security Boulevard
Jack Rhysider's show Darknet Diaries is the most popular cybersecurity podcast around - and one of the most successful tech podcasts in the US in general. We spoke with Jack about the origins of Darknet Diaries, his heroes and role models, and the effect the show’s success has had on his personal life - which you might be surprised to discover wasn’t always 100% positive - check it out...
The post Malicious Life Podcast: Jack Rhysider and the Darknet Diaries appeared first on Security Boulevard.
2021-09-21 01:20:20 Security Boulevard
There is so much proof now that Tesla is not intelligent, doesn’t learn, and is a scam based on short-cuts… it should come as no surprise they’re defining “good driver” with almost no data. “If driving behavior is good for 7 days, beta access will be granted.” (The company began selling insurance in its home …
The post Tesla Defines “Good Driver” Based on 7 Days Out of 730 appeared first on Security Boulevard.
2021-09-21 01:20:20 Security Boulevard
If there’s one thing I learned in my early philosophy classes, it’s that the difference between illusion and reality is a desire to achieve meaningful change in others’ lives. Illusion is for those who can’t stand a notion of doing service that benefits society, which is why it’s odd to see people pitch it as a …
The post VR Guide: How to Tell if You Prefer Reality to Illusion appeared first on Security Boulevard.
2021-09-21 01:20:20 Security Boulevard
How to integrate security into the SDLC successfully
The world has an insecure software problem, which is why 84% of cyber attacks focus on the application layer. Two major factors have contributed to the writing of insecure code — cumbersome security analysis tools and a strong drive to reach the market quickly. For things to improve, developers need better code analysis tools that make implementing security into the software development lifecycle (SDLC) much easier. Fortunately, adding AppSec to the SDLC has become simpler through innovations in static application security testing (SAST) and intelligent software composition analysis (SCA).
Understanding the SDLC
Non-developers may not understand why writing secure code is difficult for companies. A cursory overview of the SDLC should clarify why security is often neglected in favor of other concerns. The ways an SDLC is structured can vary between organizations, but the basic components are planning/requirements, design, implementation, testing/verification, and
2021-09-21 01:20:20 Security Boulevard
Our thanks to DEFCON for publishing their tremendous DEFCON Conference Cloud Village videos on the group's YouTube channel.
The post DEF CON 29 Cloud Village – Alexandre Sieira’s ‘Attack Vectors For APIs With AWS API Gateway Lambda Auth’ appeared first on Security Boulevard.
2021-09-21 01:20:19 Security Boulevard
SushiSwap's MISO cryptocurrency platform suffered a $3 million theft resulting from a software supply-chain attack, as I reported on Friday.
The post $3 Million Cryptocurrency Heist Stemmed from a Malicious GitHub Commit appeared first on Security Boulevard.
2021-09-21 01:20:18 SecWiki News
Research on DNS poisoning attacks against Internet resource providers, by ourren
For more of the latest articles, visit SecWiki.
2021-09-21 01:20:16 Files ≈ Packet Storm
Apple Security Advisory 2021-09-13-1 - iOS 14.8 and iPadOS 14.8 addresses code execution, integer overflow, and use-after-free vulnerabilities.
2021-09-21 01:20:16 Files ≈ Packet Storm
Apple Security Advisory 2021-09-13-2 - watchOS 7.6.2 addresses code execution and integer overflow vulnerabilities.
2021-09-21 01:20:16 Files ≈ Packet Storm
Apple Security Advisory 2021-09-13-3 - macOS Big Sur 11.6 addresses code execution, integer overflow, and use-after-free vulnerabilities.
2021-09-21 01:20:16 Files ≈ Packet Storm
Apple Security Advisory 2021-09-13-4 - Security Update 2021-005 Catalina addresses code execution and integer overflow vulnerabilities.
2021-09-21 01:20:16 Files ≈ Packet Storm
Positive Technologies MaxPatrol 8 and XSpider appear to suffer from a denial of service vulnerability.
2021-09-21 01:20:16 Files ≈ Packet Storm
WordPress version 5.7 suffers from a Media Library XML external entity injection vulnerability.
2021-09-21 01:20:16 Files ≈ Packet Storm
Church Management System version 1.0 remote shell upload exploit.
2021-09-21 01:20:15 Files ≈ Packet Storm
Online Food Ordering System version 2.0 remote shell upload exploit.
2021-09-21 01:20:15 Files ≈ Packet Storm
Apple Security Advisory 2021-09-13-5 - Safari 14.1.2 addresses code execution and use-after-free vulnerabilities.
2021-09-21 01:20:15 Files ≈ Packet Storm
ZeroPeril Ltd has discovered two issues inside the amdpsp.sys (v4.13.0.0) kernel driver module that ships with the AMD Chipset Drivers package for multiple AMD chipsets. The first issue is an information disclosure security vulnerability and the second is a memory leak bug caused by the driver not releasing all of the resources it allocates for a request. The researchers have verified both in the latest revision (2.13.27.501) of the package, released on 4 February 2021.
2021-09-21 01:20:15 Files ≈ Packet Storm
Budget and Expense Tracker System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
2021-09-21 01:20:15 Files ≈ Packet Storm
litefuzz is a multi-platform fuzzer for poking at userland binaries and servers.
2021-09-21 01:20:15 Files ≈ Packet Storm
Church Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of SQL injection in this version is attributed to Murat Demirci in July of 2021.
2021-09-21 01:20:15 Files ≈ Packet Storm
This is a custom firmware written for the Proxmark3 device. It extends the currently available firmware.
2021-09-21 01:20:15 Files ≈ Packet Storm
T-Soft E-Commerce version 4 suffers from a cross site request forgery vulnerability.
2021-09-21 01:20:15 Files ≈ Packet Storm
BSides SF is soliciting papers and presentations for the 2022 annual BSidesSF conference. It will be located at City View at the Metreon in downtown San Francisco February 5th through the 6th, 2022.
2021-09-21 01:20:15 Files ≈ Packet Storm
This article discusses the CVE-2021-40444 vulnerability and an alternative path that reduces the lines of JS code to trigger the issue and does not require CAB archives.
2021-09-21 01:20:14 Microsoft Security Blog
As human-operated ransomware is on the rise, Microsoft’s Detection and Response Team (DART) shares how they investigate these attacks and what to consider when faced with a similar event in your organization.
The post A guide to combatting human-operated ransomware: Part 1 appeared first on Microsoft Security Blog.
2021-09-21 01:20:14 Files ≈ Packet Storm
Red Hat Security Advisory 2021-3559-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include a code execution vulnerability.
2021-09-21 01:18:21 daily-swig
Vulnerability has now been addressed in the Microsoft Teams add-on
2021-09-21 01:18:20 daily-swig
Connected devices such as fitness trackers also obliged to follow tougher privacy rules
2021-09-20 23:21:47 Software Integrity Blog
Building an effective application security program for your organization begins with establishing policies and processes.
The post How to cyber security: Butter knives and light sabers appeared first on Software Integrity Blog.
2021-09-20 23:21:12 Bug Bounty in InfoSec Write-up
Exploiting the vulnerability in NASA
The title may confuse you a little bit because I know you’re not expecting NASA. But I promise, if you follow me without skipping a single line, I’ll make my point perfect 😉. If you understand the logic you can forget about the myths. The concept is simple: no one can sanitize a million lines of code without a vulnerability, even if they’re master tech giants, because they’re human beings 😊. First of all, I’m not directing you down an illegal path, and the intention behind this article is to prove that everything is vulnerable; in most cases we’re not aware of that. So let’s start.
A month ago I penetrated NASA’s domain just out of curiosity, and as a result I found a subdomain, .jpl, which I hope is quite famous. Into the into is my classy step, and I succeeded in finding .aviris in the .jpl domain. So I’m a little closer. By going through the source code I found another direction.
a new directory (alt_locator)
Locator implies a place’s absolute location on Earth. This information is enough for gene
2021-09-20 23:20:29 Sploitus.com Exploits RSS Feed
2021-09-20 23:20:28 Sploitus.com Exploits RSS Feed
2021-09-20 23:20:28 Sploitus.com Exploits RSS Feed
2021-09-20 23:20:28 Sploitus.com Exploits RSS Feed
2021-09-20 23:20:28 Sploitus.com Exploits RSS Feed
2021-09-20 23:20:28 Sploitus.com Exploits RSS Feed
2021-09-20 23:18:21 daily-swig
Abuse of flaw could give attackers greater access to devices even than its owner
2021-09-20 21:20:45 Exploit-DB.com RSS Feed
T-Soft E-Commerce 4 - change 'admin credentials' Cross-Site Request Forgery (CSRF)
2021-09-20 21:20:45 Exploit-DB.com RSS Feed
Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)
2021-09-20 21:20:45 Exploit-DB.com RSS Feed
WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)
2021-09-20 21:20:45 Exploit-DB.com RSS Feed
Online Food Ordering System 2.0 - Remote Code Execution (RCE) (Unauthenticated)
2021-09-20 21:20:45 Exploit-DB.com RSS Feed
Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
2021-09-20 21:20:45 Exploit-DB.com RSS Feed
Budget and Expense Tracker System 1.0 - Authentication Bypass
2021-09-20 21:18:20 daily-swig
Vulnerability has now been addressed in the Microsoft Teams add-on
2021-09-20 19:18:19 daily-swig
Disclosure comes two years after privacy-busting flaw was discovered
2021-09-20 17:20:10 Security Boulevard
It will be one year since NIST released the final version of SP 800-53 Revision 5 on September 23, 2020. As a quick reminder, SP 800-53 is the document issued by NIST that specifies the security and privacy controls that must be used by agencies of the Federal government.
The post NIST SP800-53 Revision 5, One Year Later appeared first on K2io.
The post NIST SP800-53 Revision 5, One Year Later appeared first on Security Boulevard.
2021-09-20 17:20:10 Security Boulevard
The month of September is designated “National Insider Threat Awareness Month,” and based on the number of cybersecurity incidents that involve employees, perhaps every month should be insider threat awareness month. Insider Risk Summit: This week at the Insider Risk Summit, industry experts shared their thoughts on how to mitigate insider risks with discussions about …
The post Perceptions of Insider Risk 2021 appeared first on Security Boulevard.
2021-09-20 15:20:06 Security Boulevard
Cybersecurity has become a critical concern in every business sector nowadays due to organizations’ growing dependency on technologies. Research by Immersive Lab reported that in 2019 there were more than 20,000 new vulnerabilities. Not only that, TechRepublic reported that global companies experienced a 148% spike in ransomware attacks after COVID-19 hit the world. So, for […]
The post Everything You Need to Know about Cyber Crisis Tabletop Exercises appeared first on The State of Security.
The post Everything You Need to Know about Cyber Crisis Tabletop Exercises appeared first on Security Boulevard.
2021-09-20 15:20:06 Security Boulevard
In 2021, there are two words that can send a cold chill down the spine of any cybersecurity professional and business leader: phishing and ransomware. Research carried out by the data analytics and training company CybSafe identified that 22% of all cyber incidents reported in the first quarter of 2021 were ransomware attacks. According to […]
The post The Digital Pandemic – Ransomware appeared first on The State of Security.
The post The Digital Pandemic – Ransomware appeared first on Security Boulevard.
2021-09-20 15:20:06 Security Boulevard
Cybercriminals attacked with gusto in the first half of 2021 and attacks show no signs of slowing down. In just the first half of the year, malicious actors exploited dangerous vulnerabilities across different types of devices and operating systems, leading to major attacks that shut down fuel networks and extracted millions from enterprises. These were …
The post Ransomware Attacks Growing More Sophisticated appeared first on Security Boulevard.
2021-09-20 15:20:06 Security Boulevard
September 2021 marks the third year of National Insider Threat Awareness Month (NITAM), which, according to the NITAM website, aims to help prevent “exploitation of authorized access to cause harm to an organization or its resources.” The acting director of the National Counterintelligence and Security Center, Michael J. Orlando, recently recognized this month of data …
The post Protecting Data From Insider Threats appeared first on Security Boulevard.