UTF-8 Overlong Encoding导致的安全问题
「代码审计」知识星球中@1ue 发表了一篇有趣的文章《探索Java反序列化绕WAF新姿势》,深入研究了一下其中的原理,我发现这是一个对我来说很“新”,但实际上年纪已经很大的Trick。
0x01 UTF-8编码原理UTF-8是现在最流行的编码方式,它可以将unicode码表里的所有字符,用某种计算方式转换成长度是1到4位字节的字符。
参考这个表格,我们就可以很轻松地将unicode码转换成...
Aggregator
Cyber security governance: the role of the board
2 years 3 months ago
As cyber threats evolve, boards must remain vigilant in cyber security governance.
「深蓝洞察」2023 年度最名不副实的高危漏洞
2 years 3 months ago
深蓝洞察年度安全报告第四篇
星阑科技上榜《CCSIP 2023中国网络安全行业全景册》多个细分领域
2 years 3 months ago
萤火V2.13功能更新快报
2 years 3 months ago
星阑科技上榜《CCSIP 2023中国网络安全行业全景册》多个细分领域
2 years 3 months ago
萤火V2.13功能更新快报
2 years 3 months ago
星阑科技上榜《CCSIP 2023中国网络安全行业全景册》多个细分领域
2 years 3 months ago
萤火V2.13功能更新快报
2 years 3 months ago
星阑科技上榜《CCSIP 2023中国网络安全行业全景册》多个细分领域
2 years 3 months ago
萤火V2.13功能更新快报
2 years 3 months ago
星阑科技上榜《CCSIP 2023中国网络安全行业全景册》多个细分领域
2 years 3 months ago
萤火V2.13功能更新快报
2 years 3 months ago
星阑科技上榜《CCSIP 2023中国网络安全行业全景册》多个细分领域
2 years 3 months ago
萤火V2.13功能更新快报
2 years 3 months ago
星阑科技上榜《CCSIP 2023中国网络安全行业全景册》多个细分领域
2 years 3 months ago
萤火V2.13功能更新快报
2 years 3 months ago
星阑科技上榜《CCSIP 2023中国网络安全行业全景册》多个细分领域
2 years 3 months ago
萤火V2.13功能更新快报
2 years 3 months ago
Google Gemini: Planting Instructions For Delayed Automatic Tool Invocation
2 years 3 months ago
Last November, while testing Google Bard (now called Gemini) for vulnerabilities, I had a couple of interesting observations when it comes to automatic tool invocation.
Confused Deputy - Automatic Tool InvocationFirst, what do I mean by this… “automatic tool invocation”…
Consider the following scenario: An attacker sends a malicious email to a user containing instructions to call an external tool. Google named these tools Extensions.
When the user analyzes the email with an LLM, it interprets the instructions and calls the external tool, leading to a kind of request forgery or maybe better called automatic tool invocation.