Pen Testing Cryptographic Implementations: Where Secrets Slip
文章探讨了渗透测试中对加密实现的评估重点,指出常见的问题如硬编码密钥、密钥管理不当、算法误用及缺乏随机性等,并强调测试应关注加密是否正确、安全及有效保护数据。
Aggregator
How GRC Must Evolve in the Age of Agentic AI and Generative AI
8 months 2 weeks ago
一位审查人员在云部署中发现合规管理已从传统Excel清单转向代码化、自动化管理。基础设施通过GitHub存储库中的"合规即代码"实现自动化规则和实时 enforcement, 风险和合规要求嵌入代码库并通过CI/CD pipeline执行, 传统纸质文档被取代, 合规管理融入开发流程.
Bug Bounty Methodology for Finding Bugs Easily
8 months 2 weeks ago
文章介绍了漏洞赏金计划及其相关工具和平台,帮助用户高效发现高影响力漏洞。
Bug Bounty Methodology for Finding Bugs Easily
8 months 2 weeks ago
文章介绍了漏洞赏金计划及其参与方式,推荐了常用平台如HackerOne和Bugcrowd,并建议准备工具如Burp Suite、ZAP Proxy等以提高漏洞挖掘效率。
Flipper Zero Dark Web Firmware Cracks Rolling Code Security in Modern Cars
8 months 2 weeks ago
Security researchers have discovered alarming new firmware for the popular Flipper Zero device that can completely bypass the rolling code security systems protecting millions of modern vehicles. The breakthrough attack, demonstrated by YouTube channel Talking Sasquatch, represents a significant escalation in automotive cybersecurity threats, requiring only a single intercepted signal to compromise a vehicle’s entire […]
The post Flipper Zero Dark Web Firmware Cracks Rolling Code Security in Modern Cars appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Divya
ECScape: The Amazon ECS Vulnerability That Lets Attackers Steal AWS Credentials from Neighboring…
8 months 2 weeks ago
ECScape是一种新发现的亚马逊ECS漏洞,允许恶意容器窃取同一EC2实例上其他容器的IAM凭证,从而实现权限提升或横向攻击。
Wireless Hacking: From Aircrack-ng to WPA3
8 months 2 weeks ago
在咖啡店连接“Guest_Network”后,黑客通过无线网络漏洞劫持了我的笔记本电脑,在3-6分钟内窃取了我的银行密码并转走资金。这一事件揭示了公共Wi-Fi的安全隐患及RC4加密算法的脆弱性。
Attack Surface: Exploiting Misconfigured Container Registries
8 months 2 weeks ago
作者展示了如何通过搜索和测试未认证容器仓库的漏洞,利用配置错误获取访问权限并详细说明了攻击步骤及其潜在影响。
Robots Secret | Bugcrowd CTF 2025
8 months 2 weeks ago
作者分享了参与Bugcrowd BlackHat CTF 2025的经历,并介绍了如何通过攻击不同类别的靶机(如Web、密码学等)寻找隐藏的flag。文章还提到他将发布漏洞狩猎的详细报告,并建议新手阅读他的文章以了解CTF的基本概念和参与方式。
Exploiting XSS to Bypass CSRF Defenses: Change Victim’s Email
8 months 2 weeks ago
文章探讨如何利用存储型XSS漏洞绕过CSRF防御机制,执行未经授权的操作。通过PortSwigger实验室中的博客评论漏洞案例,展示了攻击者如何利用恶意脚本窃取用户会话或篡改账户信息。文章强调安全责任和道德使用的重要性。
Exploiting XSS to Bypass CSRF Defenses: Change Victim’s Email
8 months 2 weeks ago
文章探讨了如何利用存储型XSS漏洞绕过CSRF防御机制,执行未经授权的操作。通过PortSwigger实验室中的实际案例,展示了攻击者如何在博客评论区植入恶意代码,进而控制用户账户。文章强调技术仅用于教育和道德目的。
How I Bypassed a Strict WAF Using SQL Injection Tricks
8 months 2 weeks ago
研究人员通过手动测试发现Cloudflare隐藏的SQL注入漏洞。输入单引号导致搜索结果消失且无错误提示,自动化工具未能检测到异常。HTTP响应显示SQL查询失败,揭示潜在漏洞。
How I Bypassed a Strict WAF Using SQL Injection Tricks
8 months 2 weeks ago
一位安全研究人员通过手动测试发现了一个隐藏在Cloudflare严格WAF背后的SQL注入漏洞。在测试API端点时,输入单引号导致结果消失且无错误提示,进一步测试显示HTTP响应异常。这种静默失败表明潜在漏洞存在,而自动化工具可能无法检测到此类问题。
“Day 5: SSRF — How I Hacked AWS Keys & Stole $15,000 in Cloud Credits”
8 months 2 weeks ago
三个月前发现SaaS公司API中的低严重性SSRF漏洞,通过内部端口扫描逐步获取AWS访问权限,窃取凭证并获得1.5万美元云信用额度,详细披露攻击链及代码片段。
“Day 5: SSRF — How I Hacked AWS Keys & Stole $15,000 in Cloud Credits”
8 months 2 weeks ago
三个月前发现一个低严重性的SSRF漏洞,从内部端口扫描升级为全面AWS访问、窃取凭证及获取1.5万美元云积分。作者详细揭示了攻击链并提供代码示例。
Third-party partners or ticking time bombs?
8 months 2 weeks ago
In this Help Net Security video, Ngaire Elizabeth Guzzetti, Technical Director Supply Chain at CyXcel, discusses why a third of U.S. organizations don’t trust third-party vendors to manage critical risks and what that means for supply chain security. She breaks down the root causes of this trust gap, including poor visibility, inadequate governance, and the growing complexity introduced by AI. Guzzetti also shares practical guidance for building more resilient vendor relationships through tiered oversight, continuous … More →
The post Third-party partners or ticking time bombs? appeared first on Help Net Security.
Help Net Security
CISA Issues Urgent Advisory to Address Microsoft Exchange Flaw
8 months 2 weeks ago
The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-02 on August 7, 2025, requiring federal agencies to immediately address a critical vulnerability in Microsoft Exchange hybrid configurations that could allow attackers to escalate from on-premises systems to cloud environments. Critical Security Vulnerability Discovered CISA has identified a post-authentication vulnerability designated CVE-2025-53786 affecting […]
The post CISA Issues Urgent Advisory to Address Microsoft Exchange Flaw appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Divya
Retbleed Vulnerability Exploited to Access Any Process’s Memory on Newer CPUs
8 months 2 weeks ago
Security researchers have successfully demonstrated a sophisticated exploit of the Retbleed vulnerability, a critical CPU security flaw that allows attackers to read arbitrary memory from any process running on affected systems. The exploit, which builds upon research originally published by ETH Zürich in 2022, showcases how modern processor vulnerabilities continue to pose significant threats to system […]
The post Retbleed Vulnerability Exploited to Access Any Process’s Memory on Newer CPUs appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Divya
Умная пыль: технология, которая может шпионить, даже когда вы спите и отключены от сети
8 months 2 weeks ago
Нам никуда не скрыться от невидимых сенсоров. Они повсюду.
CISA Releases Emergency Advisory Urges Feds to Patch Exchange Server Vulnerability by Monday
8 months 2 weeks ago
CISA has issued an emergency advisory directing all Federal Civilian Executive Branch agencies to mitigate a newly disclosed Microsoft Exchange urgently hybrid-joined vulnerability, tracked as CVE-2025-53786, by 9:00 AM EDT on Monday, August 11, 2025. The flaw enables attackers who have already gained administrative access to an on‑premises Exchange server to laterally move into connected […]
The post CISA Releases Emergency Advisory Urges Feds to Patch Exchange Server Vulnerability by Monday appeared first on Cyber Security News.
Guru Baran