Aggregator

Last November, while testing Google Bard (now called Gemini) for vulnerabilities, I had a couple of interesting observations when it comes to automatic tool invocation.

Confused Deputy - Automatic Tool Invocation

First, what do I mean by this… “automatic tool invocation”…

Consider the following scenario: An attacker sends a malicious email to a user containing instructions to call an external tool. Google named these tools Extensions.

When the user analyzes the email with an LLM, it interprets the instructions and calls the external tool, leading to a kind of request forgery or maybe better called automatic tool invocation.

一篇文章了解珂兰寺

Summary At approximately 0330 eastern time in the United States, over 70 thousand AT&T users reported interruptions in their mobile, internet, and home phone services. There outage is not currently being attributed any any cyber attacks. Threat Type Critical Infrastructure Outage Overview AT&T is currently investigating a network outage affecting over 70 thousand of their customers. The outage reportedly began at about 0330 eastern time. Initial reports claimed that this outage also affected T-Mobile and

一篇文章了解珂兰寺

Unsuspecting users beware, IP grabbers do not ask for your permission.

Spring Boot的开源渗透框架，主要用作扫描Spring Boot的敏感信息泄露端点，并可以直接测试Spring的相关高危漏洞。

这种技巧我这辈子都用不上，是不是在一些不太合法的需求中用得着啊

深蓝洞察年度安全报告第三篇

近期，我们捕获到了SideWinder针对不丹、缅甸、尼泊尔的攻击样本，这类样本主要是通过宏文档释放Nim语言编译的攻击载荷，这类载荷在响尾蛇历史攻击者中很少见。鉴于此情况，本文重点披露响尾蛇组织使用的这类组件。

屏幕另一端的人严肃地提出了第一个问题：“2022 年 x 月 x 日，你在 x 点 x 分 x 秒你打开了 xx 文档，你先是快速滑动页面，之后在 xx 位置停 […]