Aggregator
SQL for Bug Bounty Hunters 2.0
AspGoat: The First Intentionally Vulnerable modern ASP.NET Core App for OWASP Top 10
Web Cache Poisoning via Fat GET Requests: Exploiting Cache Key Flaws
When Support Portals Bite Back: DOM-XSS in a Helpcenter
Employees keep feeding AI tools secrets they can’t take back
Employees are putting sensitive data into public AI tools, and many organizations don't have the controls to stop it. A new report from Kiteworks finds that most companies are missing basic safeguards to manage this data.
[Figure: Security control maturity pyramid (Source: Kiteworks)]
Organizations lack employee AI safeguards. Only 17% of companies have technology in place to block or scan uploads to public AI tools. The other 83% depend on training sessions, email warnings, or guidelines.
The post Employees keep feeding AI tools secrets they can’t take back appeared first on Help Net Security.
HTTP/2 has learned to kill servers with a single frame. Microsoft explains the MadeYouReset phenomenon
Qualys Confirms Cyberattack Campaign Targeting Salesforce via Salesloft and Drift
Qualys has confirmed that it was recently impacted by a cybersecurity campaign targeting Salesloft and Drift, two third-party SaaS platforms that integrate with Salesforce. The company emphasized that customer data and its own production environments on the Qualys Cloud Platform remain fully secure, with no disruption to operations or services. The incident, which is described […]
The post Qualys Confirms Cyberattack Campaign Targeting Salesforce via Salesloft and Drift appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
This is the obvious answer. And why it's so easy to hack a Wi-Fi router
Notice: To everyone in Japan who handles vulnerability-related information – Request for handling in accordance with the Information Security Early Warning Partnership Guidelines –
A “Catastrophic” Flaw in Burger King’s Parent Company Exposed
Two security researchers, operating under the pseudonyms BobDaHacker and BobTheShoplifter, have claimed to uncover “catastrophic” vulnerabilities in the
The post A “Catastrophic” Flaw in Burger King’s Parent Company Exposed appeared first on Penetration Testing Tools.
Critical SAP S/4HANA Flaw Exposes Systems to Full Compromise
A critical vulnerability, CVE-2025-42957, has been identified in SAP S/4HANA, carrying a near-maximum CVSS score of 9.9. The
The post Critical SAP S/4HANA Flaw Exposes Systems to Full Compromise appeared first on Penetration Testing Tools.
Apple Issues Urgent Patch for Zero-Click Image Flaw
On August 20, Apple released an unscheduled security update for all major platforms—iOS, iPadOS, macOS, and others. The
The post Apple Issues Urgent Patch for Zero-Click Image Flaw appeared first on Penetration Testing Tools.
A month-long quality degradation went unnoticed: Claude fixes the degradation issue affecting the 3.5 and 4 series models
Are we headed for an AI culture war?
In this Help Net Security video, Matt Fangman, Field CTO at SailPoint, discusses whether an AI culture war is inevitable. He explores the rise of AI agents as a new identity type, the need for guardrails and human supervision, and how organizations can balance innovation, compliance, and trust as AI reshapes the workplace.
Learn more: Agentic AI coding assistant helped attacker breach, extort 17 distinct organizations; AI Security Map: Linking AI vulnerabilities to real-world impact
The post Are we headed for an AI culture war? appeared first on Help Net Security.
The size of a speck of dust, and it jumps a meter and a half. Meet the bubble-propelled robot.
CSS Injection Can Now Steal Data with Just One Line of Code
PortSwigger researcher Gareth Hayes has unveiled a novel technique for stealing data directly from HTML attributes using inline
The post CSS Injection Can Now Steal Data with Just One Line of Code appeared first on Penetration Testing Tools.
Thermoptic: The New HTTP Proxy That Makes Your Traffic Vanish
Security researcher Matthew Bryant has introduced a new tool called Thermoptic—an HTTP proxy that disguises network requests as
The post Thermoptic: The New HTTP Proxy That Makes Your Traffic Vanish appeared first on Penetration Testing Tools.
Anatomy of a Cyberattack: Inside the Campaign Against Kazakhstan’s Energy Sector
The Seqrite Labs APT-Team has uncovered a new campaign targeting Kazakhstan’s energy sector. Tracked since April 2025, the
The post Anatomy of a Cyberattack: Inside the Campaign Against Kazakhstan’s Energy Sector appeared first on Penetration Testing Tools.
Why the FTC’s Accusations Against Gmail’s Spam Filter Are Misguided
Andrew Ferguson, Chairman of the U.S. Federal Trade Commission (FTC), sent a letter to Google CEO Sundar Pichai
The post Why the FTC’s Accusations Against Gmail’s Spam Filter Are Misguided appeared first on Penetration Testing Tools.