Aggregator
[Vulnerability Alert] Apache Log4j2 Remote Code Execution Vulnerability: Second Update Notice
3 years 3 months ago
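On December 10, 2021, the Alibaba Cloud security team discovered a vulnerability bypass in Apache Log4j 2.15.0-rc1.
[Security Risk Notice] Apache Log4j2 Remote Code Execution Vulnerability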
3 years 3 months ago
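On December 9, an Apache Log4j2 remote code execution vulnerability was disclosed online. A PoC for the vulnerability is now public, and the impact is severe.
Log4j2 Research: lookup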
3 years 3 months ago
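One of the essential elements of a framework that can be called excellent is the ability to read configuration information from its runtime environment through some agreed-upon format. In this article we will get a feel for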
Security's Role in Internet Resilience
3 years 3 months ago
One aspect of resilience on the internet is that things, notably servers and resources, move around. Sometimes moves are legitimate, such as when a popular site evolves from hosting their own website to moving to a cloud provider to using a CDN to handle the ever-increasing traffic. Sometimes the moves are not legitimate, such as when an attacker pretends to be an ecommerce or banking site and steals a user's credentials upon login. How can the end user tell the difference between legitimate and not-so-legitimate moves?
Rich Salz
2021 SOTI Security: Year End Review
3 years 3 months ago
What a year 2021 has been. Even as the world continues to re-open to various degrees, we're still feeling the impact from 2020's move to an almost completely virtual world. Many large companies are shifting to a hybrid model, mixing the ability to work from home with working in the office. Some are even offering their employees the opportunity to work remotely indefinitely. There is no denying that the way we work, bank, play, and relax has been impacted by COVID-19. Shouting "pivot" may have shot into popular culture in the TV show Friends, but it's a rallying cry that's been revived in the 2020s by businesses, individuals, and criminals alike.
Akamai
Wedia, Digital Asset Management Software Provider, Delivers Seamless Digital Experiences with Help from Akamai
3 years 3 months ago
Wedia makes it possible for some of the world's biggest companies to effectively manage, customize, and deliver their marketing assets. Akamai is delighted that this fantastic brand has chosen us to deliver a rich and engaging web experience for its customers while also ensuring the highest level of security for the great array of multimedia assets stored on their platform by a number of Fortune 500 companies.
Ina Christova
Vulnerability Analysis: "CVE-2021-43798 Grafana Unauthorized Arbitrary File Read"
3 years 3 months ago
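This vulnerability has been mentioned a lot over the past few days, so I had the idea of doing a vulnerability analysis of it
Federated Learning: Breaking Down Data Silos and Building a Secure Data Ecosystem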
3 years 3 months ago
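We are living in an age of artificial intelligence in which everything is interconnected. AI driven by big data is propelling rapid development across industries, but in fact, in most industries data exists in the form of silos. Federated learning technology can build bridges between data silos, making it a feasible way to solve the data silo problem while meeting data security requirements.
Setting Up a DNSLog Service with Interactsh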
3 years 3 months ago
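When you are doing well, I don't need to be by your side.
Analysis of the Latest Grafana Arbitrary File Read and Explanation of Derived Issues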
3 years 3 months ago
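I've put together the material on Grafana's latest unauthorized read; anything you want is here
Vulnerability Information: "Grafana Unauthorized Arbitrary File Read Vulnerability"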
3 years 3 months ago
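On December 6, 2021, security researchers abroad disclosed that when certain interfaces in Grafana serve static files, an attacker can craft malicious requests to cause directory traversal and read files on the system.
[Vulnerability Alert] Grafana Arbitrary File Read Vulnerability (CVE-2021-43798)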
3 years 3 months ago
On December 7, 2021, the Alibaba Cloud Emergency Response Center detected the CVE-2021-43798 Grafana arbitrary file read vulnerability
JavaScript Promise Performance Comparison in 2021
3 years 3 months ago
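We are living in an era of "Any application that can be written in JavaScript, will eventually be written in JavaScript". As a language that is both dynamic and simple, JavaScript has taken over the client and the server, and even has a place in machine learning; inevitably, asynchronous execution has also gradually become an indispensable part of the language. ...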
Sukka
Ongoing Community Work to Mitigate Domain Name System Security Threats
3 years 3 months ago
For over a decade, the Internet Corporation for Assigned Names and Numbers (ICANN) and its multi-stakeholder community have engaged in an extended dialogue on the topic of DNS abuse, and the need to define, measure and mitigate DNS-related security threats. With increasing global reliance on the internet and DNS for communication, connectivity and commerce, the […]
The post Ongoing Community Work to Mitigate Domain Name System Security Threats appeared first on Verisign Blog.
Keith Drazek
Week 10 / 20211206 Red Team Digest
3 years 3 months ago
| Vulnerability Research | Red Team Tools | Red Team Articles |
IOS PAC Implementation Explained in Detail
3 years 3 months ago
IOS PAC Implementation Explained in Detail
Working Methods for Security Operations Projects
3 years 3 months ago
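Taking the characteristics of work in the security industry as an example, this article thinks systematically about the essence of security operations, focusing on the fundamentals of doing this kind of work from a project perspective.
Some Debugging Tips for Electron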
3 years 3 months ago
Debugging applications such as Electron and CEF
How Product Managers Should Think (Dao Ge's Product Course)
3 years 3 months ago
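Lately I have been using my spare time to work hard on writing a book. Progress is slow, but I am very satisfied with the chapters completed so far, and in the process I have also properly sorted out the knowledge points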