Aggregator

安全专家在大规模侦察中发现隐藏于OAuth授权流程后的GraphQL端点，并利用工具识别出可疑子域名auth-api.target.com。

一位安全测试人员通过银行门户网站的“导出到Excel”功能发现了远程代码执行漏洞，利用旧版Apache POI库（CVE-2021–27568）构造恶意Excel文件，成功获得服务器root权限并获得$200奖励。

作者通过银行门户网站的“导出到Excel”功能发现了一个远程代码执行漏洞。利用该功能生成恶意Excel文件后，成功获得了服务器的root权限，并因此获得了200美元的奖励。

Shopify的Multipass功能存在潜在权限提升漏洞，安全研究员ngalog提交报告至HackerOne漏洞赏金计划。文章解释了权限提升的概念、漏洞发现过程及检测方法，并提供安全建议。

安全研究员ngalog向Shopify的漏洞赏金计划提交报告，指出其Multipass功能存在潜在权限提升漏洞。文章解释了权限提升的概念及其重要性，并详细分析了该漏洞的发现过程及检测方法。

DIY情报系统及时发现未知恶意软件窃取 payroll 数据, 自动化工具快速响应, 有效弥补商业威胁源不足, 基于网络论坛、GitHub 漏洞等多源数据构建情报体系。

文章描述了一次渗透测试经历,作者通过Google dorks搜索意外发现目标网站公开暴露的JWT密钥,最终成功利用该漏洞获取敏感信息。

作者在漏洞赏金平台上寻找目标时使用Google dorks搜索，在尝试查找Atlassian仪表盘时意外发现了一个包含与目标相关文本的仪表盘。

文章介绍通过Google Dorking技术查找漏洞的方法，包括登录面板、Swagger-UI XSS、.git文件和管理员令牌等，并成功获取赏金。

文章描述了通过简单的Google Dorking技术发现客户交易数据的问题，并分享了作者在漏洞挖掘中的经验与技巧。

通过nmap扫描目标IP 10.10.11.58发现开放端口22和80。使用git-dumper提取git仓库内容获取数据库凭证。利用Backdrop CMS RCE漏洞获取www-data用户shell。通过用户枚举和bee工具提升权限至root，最终获取root.txt。

ZFS用户过去遵循“存储池容量不超过80%”的规则以避免性能下降和碎片化问题。随着现代ZFS的优化和大容量硬盘的普及，部分资深用户认为这一规则已过时，并建议根据工作负载留5-10%的空闲空间即可。

文章强调服务和目录枚举在网络安全中的重要性，并介绍如何通过Nmap、Masscan和Dirsearch等工具发现隐藏的攻击面，如未受保护的管理面板和配置错误的API。

Explore federated identity management using OpenID Connect for secure enterprise single sign-on. Learn about benefits, implementation, and how it enhances security and user experience.

The post Federated Identity Management using OpenID Connect appeared first on Security Boulevard.

文章介绍了Federated Identity Management (FIM)的概念及其在现代身份管理中的应用。通过OpenID Connect (OIDC)实现跨系统身份验证与授权，提升用户体验与安全性。

A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.12.1. Affected is the function _free of the component thermal. The manipulation leads to improper initialization. This vulnerability is traded as CVE-2024-56676. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 5.19.1. It has been declared as critical. Affected by this vulnerability is the function SG_FLAG_DIRECT_IO of the component iSCSI Driver. The manipulation leads to buffer overflow. This vulnerability is known as CVE-2022-50215. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Google Chrome. It has been classified as problematic. Affected is an unknown function of the component Omnibox. The manipulation leads to clickjacking. This vulnerability is traded as CVE-2025-8582. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Google Chrome. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Permissions. The manipulation leads to improper restriction of rendered ui layers. This vulnerability is known as CVE-2025-8583. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

文章介绍了三种可视化Keras模型的方法：Netron、visualkeras和TensorBoard。Netron简单直观，适合已训练模型；visualkeras通过Python包提供图形视图；TensorBoard需额外设置但功能强大。