Pwn2Own赛事为攻破WhatsApp目标提供高达百万美元奖金
环境异常 当前环境异常,完成验证后即可继续访问。 去验证
Aggregator
What is Same origin policy ? Why you should know about SOP ?
4 months 3 weeks ago
同源策略(SOP)是浏览器的安全机制,限制不同网站脚本间的交互。它通过协议、域名和端口判断资源是否来自同一来源。若来源不同,则禁止脚本访问或操作其他网站的数据和资源。
HTTP Cookies
4 months 3 weeks ago
文章介绍了HTTP协议中的Cookies机制及其作用。Cookies是元数据,用于跟踪无状态的HTTP会话。网站通过Set-Cookie头在浏览器中设置Cookies,并在后续请求中包含这些信息以识别用户。文章详细解释了Cookie的属性(如Domain、Path、Secure)及其生命周期管理,并通过示例演示了如何设置和使用HttpOnly标志以增强安全性。
致敬八一建军节 | RC2赋能大礼包 • 奉上!
4 months 3 weeks ago
环境异常 当前环境异常,完成验证后即可继续访问。 去验证
致敬八一建军节 | RC2赋能大礼包 • 奉上!
4 months 3 weeks ago
面向军警单位的安全保密专项大礼包来了~
Red Teaming the Cloud: Exploiting Misconfigurations in Azure, GCP, and AWS
4 months 3 weeks ago
文章探讨了云基础设施安全中的关键挑战,包括身份管理、访问控制和资源配置中的配置错误。Azure、GCP和AWS平台均面临潜在攻击风险,如过度权限角色、公开存储容器及暴露的服务主体凭证。红队可利用这些漏洞进行权限提升、数据外泄或持久化访问。防御措施包括强化IAM策略、监控日志及使用安全工具。
From Innocent Messages to Total Takeover: How I Hacked a Professional Network!
4 months 3 weeks ago
Let me take you on an exciting journey of how I uncovered a massive security flaw in a professional
From Innocent Messages to Total Takeover: How I Hacked a Professional Network!
4 months 3 weeks ago
作者发现了一个类似LinkedIn的专业社交平台的重大安全漏洞。通过利用聊天功能中的XSS漏洞,他成功接管了目标账户,并最终公开披露该漏洞以引起重视。
Hack The Box Academy Writeup — PASSWORD ATTACKS — Writing Custom Wordlists and Rules
4 months 3 weeks ago
文章介绍了一种利用OSINT(公开来源情报)和工具(如CeWL和Hashcat)生成定制密码列表的方法,用于解决Hack The Box模块中的密码攻击练习。通过收集目标个人信息、生成初始词典、组合扩展和应用规则变换,最终创建符合密码策略的候选列表,并使用Hashcat尝试破解目标哈希值。
Phishing via Swagger UI — Exploiting Misconfigurations for Fun & Bounties
4 months 3 weeks ago
Swagger UI 是一个用于可视化和交互 API 端点的开源工具,但暴露或配置不当可能导致安全风险如 XSS 和 HTML 注入。常见问题包括缺乏访问控制和输入验证。使用 Subfinder 收集子域名有助于发现潜在漏洞。
Phishing via Swagger UI — Exploiting Misconfigurations for Fun & Bounties
4 months 3 weeks ago
Swagger UI 是一个帮助开发者与API交互的工具。暴露或配置不当可能导致安全漏洞如XSS和注入。常见问题包括缺乏访问控制和输入清理。使用Subfinder收集子域名有助于发现潜在风险。
I Dropped Out to Learn Cybersecurity (Without a Degree) — And Landed Paid Work
4 months 3 weeks ago
Here’s My 3-Year Self-Taught JourneyThis is my Journey my story about what i did in these past years
I Dropped Out to Learn Cybersecurity (Without a Degree) — And Landed Paid Work
4 months 3 weeks ago
三年前,作者因对技术的热爱而辍学,并通过自学成为网络安全专家。尽管面临家人和朋友的质疑,他凭借毅力和努力,在网络安全领域取得了显著成就,并通过写作和研究进一步发展了自己的事业。
CSRF in Disguise: How a Tracking Pixel Let Me Steal User Actions Like a Spy
4 months 3 weeks ago
一位安全研究人员利用1x1像素图像和CSRF配置错误发现并报告了一个安全漏洞。通过工具进行信息收集和漏洞挖掘后,负责任地披露了该问题。
CSRF in Disguise: How a Tracking Pixel Let Me Steal User Actions Like a Spy
4 months 3 weeks ago
文章描述了一位安全研究人员通过使用工具抓取目标网站的端点,并利用CSRF配置错误成功发起攻击的过程,展示了负责任漏洞披露的重要性。
Stored DOM XSS: A Hidden Threat in Blog Comments
4 months 3 weeks ago
How a simple blog comment can hijack your web app. Stored DOM XSS combines the danger of persistent
Stored DOM XSS: A Hidden Threat in Blog Comments
4 months 3 weeks ago
Stored DOM XSS是一种通过博客评论等持久输入存储恶意脚本,在客户端静默执行的攻击方式,可能导致严重安全风险。
CVE-2025-1506 | xpeedstudio Wp Social Login and Register Social Counter Plugin Setting counter_access_key_setup cross-site request forgery
4 months 3 weeks ago
A vulnerability was found in xpeedstudio Wp Social Login and Register Social Counter Plugin up to 3.1.0 on WordPress. It has been rated as problematic. This issue affects the function counter_access_key_setup of the component Setting Handler. The manipulation leads to cross-site request forgery.
The identification of this vulnerability is CVE-2025-1506. The attack may be initiated remotely. There is no exploit available.
vuldb.com
CVE-2025-29357 | Tenda RX3 16.03.13.11_multi_TDE01 Packet /goform/SetPptpServerCfg startIp/endIp denial of service
4 months 3 weeks ago
A vulnerability classified as problematic was found in Tenda RX3 16.03.13.11_multi_TDE01. Affected by this vulnerability is an unknown functionality of the file /goform/SetPptpServerCfg of the component Packet Handler. The manipulation of the argument startIp/endIp leads to denial of service.
This vulnerability is known as CVE-2025-29357. The attack can be launched remotely. There is no exploit available.
vuldb.com
CVE-2024-9418 | transformeroptimus superagi up to 0.0.14 API Endpoint /api/users/get/{id} insufficiently protected credentials
4 months 3 weeks ago
A vulnerability, which was classified as problematic, was found in transformeroptimus superagi up to 0.0.14. Affected is an unknown function of the file /api/users/get/{id} of the component API Endpoint. The manipulation leads to insufficiently protected credentials.
This vulnerability is traded as CVE-2024-9418. It is possible to launch the attack remotely. There is no exploit available.
vuldb.com