Aggregator

之前说好的评选星球2021的TOP 10文章榜单，拖了几个月属实拖延症了，终于这个榜单在五一前尘埃落定了。经

WAF Attacks have been increasing dramatically over the last 9 months. These attacks cut across industries, geos and customers. Growth has largely been driven by Local File Inclusion (lfi) attacks, which took the lead from SQL Injection attacks in early 2021 before just taking off in the fall.

Less Victims of Ransomware are Paying, even as Cybercriminals Shift from Big Game to Big Shame Hunting

Talking about secure networks is like talking about safe pools. A pool is just a body of water, and if it has enough water to swim in, then it has more than enough water to drown in. A pool is inherently unsafe. We, therefore, take care in how we use a pool: We don?t swim alone; we don?t run around the pool; we don?t dive in the shallow end; and we don?t swim less than 15 minutes after eating. (Is that 15-minute rule still a thing?) These pool-safety policies ensure that our use of the pool is as safe as possible, but they do not make the pool safe in and of itself.

团队打胜仗、GROW模型、BIC模型；让优秀的员工举一反三。“自己长出来”。

Java安全之velocity 模板注入 前言 水篇文，简单记录整理一些杂乱无章的东西。 velocity 语法 #表示符 "#"用来标识Velocity的脚本语句，包括#set、#if 、#else、#end、#foreach、#end、#iinclude、#parse、#macro等； 如: #

Java安全之freemarker 模板注入 freemarker 简述 FreeMarker 是一款 模板引擎： 即一种基于模板和要改变的数据， 并用来生成输出文本(HTML网页，电子邮件，配置文件，源代码等)的通用工具。 它不是面向最终用户的，而是一个Java类库，是一款程序员可以嵌入他们所开发

Java安全之Thymeleaf 模板注入分析 前言 沉下心学习点东西 Spring mvc解析流程 Spring配置DispatcherServlet进行前端控制器拦截请求，流程来到 org.springframework.web.servlet.DispatcherServlet#doServi

ByteCodeDL这个名字是从CodeQL演化的，ByteCode对应Code，DL对应QL，是一款声明式静态分析工具。

本文首发原作者在CIS 2021的演讲PPT，重点介绍了软件供应链在应用研发过程引入的风险，业界的SCA理念，以及美团安全实际建设过程中遇到的问题和指标体系。

本文首发原作者在CIS 2021的演讲PPT，重点介绍了软件供应链在应用研发过程引入的风险，业界的SCA理念，以及美团安全实际建设过程中遇到的问题和指标体系。

Today, technology is infused into nearly everything we do. The data behind personalized recommendations, connected devices, and wearables has changed how we engage with the world around us ? whether we?re driving to a new destination, purchasing from a new retailer, or monitoring our health.

前几天AK了个腾讯的T-Star高校挑战赛，题目比较偏向Misc和Web，这里记录一下解题过程。

It?s all too common that IT security tools and practices come at the cost of productivity. Even physical security has this trade-off. There would be no rush to arrive at the airport an hour early if it weren?t for the extensive security measures that flying entails. As a result of this trade-off, our concern often isn?t if we can increase security in our networks ? rather, it?s if the increased security is worth the impact on the business.

Summary A critical flaw in Atlassian's Jira software that could be used to bypass authentication has been identified. Atlassian has issued an advisory detailing the versions vulnerable to the exploit. Threat Type Vulnerability Overview Be advised that X-Force Incident Command is tracking the disclosure of an authentication bypass vulnerability in Jira's web authentication framework, Seraph. Tracked as CVE-2022-0540 , the vulnerability scores a 9.9 CVSS score. A specially crafted HTTP request sent to vulnera