Aggregator

Ahmed申请网络安全职位失败，因简历只列工具而无实际成果和影响。建议展示问题解决能力和成果而非工具列表。

一位网络安全专家通过工具和技术手段发现并利用目标网站的GraphQL端点漏洞进行攻击的过程描述。

文章描述了一位网络安全爱好者在摄入大量咖啡因后，利用工具链（如subfinder、amass、httpx和gau）对目标域名进行网络资产测绘和GraphQL端点探测的过程。

文章介绍了限流机制的作用及其常见实现方式，包括固定窗口计数器、滑动窗口日志、令牌桶算法等，并强调了正确实施限流对系统稳定性和安全性的重要性。

限流机制通过控制客户端在特定时间内的请求频率来保障应用稳定性和安全性。常见的实现方式包括固定窗口计数器、滑动窗口日志、令牌桶算法等。正确实施需精细控制阈值并具备适应性响应能力以应对不同使用场景。

Nmap是一款免费开源的网络映射工具，广泛应用于网络安全领域。它支持主机发现、端口扫描、服务枚举及漏洞检测等功能，并通过强大的NSE脚本引擎实现自动化探测。适用于Linux、Windows和macOS平台的Nmap是渗透测试人员、网络管理员及安全专家的重要工具。

Nmap是一款免费开源的网络探索与安全审计工具，支持主机发现、端口扫描、服务枚举及漏洞检测。其强大的Nmap Scripting Engine（NSE）助力漏洞探测。适用于Linux、Windows和macOS，深受网络安全专家、渗透测试人员及系统管理员青睐。

AI训练中可传递隐藏个性：2025年研究显示，"教师"AI能将偏见、恶意等特性隐秘地传递给"学生"模型，即使去除显式内容。看似无害的数据可能引发危险行为，常规过滤无法检测此风险。

OWASP组织的FinBot CTF挑战展示了如何通过精心设计的提示绕过AI安全措施，批准欺诈性发票。参与者需利用紧急情况或高层授权等手段操控AI决策流程。该挑战分为简单、中级和困难三个难度级别。

研究人员在漏洞赏金活动中发现了一种水平权限提升漏洞，通过替换用户ID访问其他用户账户并重置其密码。

研究人员在漏洞赏金活动中发现了一个水平权限提升漏洞，通过替换用户ID成功访问其他用户账户并重置密码。文章详细介绍了其侦察过程和漏洞利用步骤。

Web应用防火墙（WAF）作为网络安全的重要防线，通过部署在网络、云或主机端拦截常见攻击如SQL注入和XSS。尽管其规则能有效识别威胁并阻止恶意请求，但经验丰富的攻击者仍可能绕过防护机制。这种安全措施的局限性也为寻找高价值漏洞提供了机会。

Web应用防火墙（WAF）作为网站的安全屏障，通过过滤流量和阻止常见攻击如SQL注入和XSS来保护 web 应用程序。尽管 WAF 可以基于规则检测威胁并拦截恶意请求，但其并非无懈可击，经验丰富的渗透测试人员和红队成员仍可能绕过其防护。WAF 可以部署为网络型、云型或主机型，并且一些高回报的安全漏洞可能隐藏在 WAF 规则之后。

文章介绍了Google爬虫获取的信息和分类的Dorks技巧及其用途，包括OSINT和漏洞赏金，并提供示例供直接使用。

2025 Let's GoSSIP 软件安全暑期学校活动全指南！

A vulnerability was found in AcademySoftwareFoundation openexr up to 3.3.2 and classified as problematic. This issue affects some unknown processing of the component EXR File Parser. The manipulation leads to out-of-bounds read. The identification of this vulnerability is CVE-2025-48072. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in AcademySoftwareFoundation openexr up to 3.3.2. It has been classified as problematic. Affected is an unknown function of the component EXR File Parser. The manipulation leads to null pointer dereference. This vulnerability is traded as CVE-2025-48073. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in AcademySoftwareFoundation openexr up to 3.3.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component EXR File Parser. The manipulation leads to heap-based buffer overflow. This vulnerability is known as CVE-2025-48071. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in WP Import Export Lite Plugin up to 3.9.29 on WordPress. This issue affects the function wpie_parse_upload_data. The manipulation leads to unrestricted upload. The identification of this vulnerability is CVE-2025-5061. The attack may be initiated remotely. There is no exploit available.

A vulnerability has been found in IBM Engineering Lifecycle Optimization 7.0.2/7.0.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component URI Validator. The manipulation leads to improper neutralization of encoded uri schemes in a web page. This vulnerability is known as CVE-2024-52890. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.