Aggregator
Everest
Everest
Payoutsking
Microsoft: Exchange Online outage blocks access to Outlook mailboxes
MDR to IR Handoffs: Stick The Landing
#1 Gap in Your SOCs Is Probably Not What You Think
Leading a Security Operations Center has never been more challenging. SOC managers today juggle expanding attack surfaces, remote workforces, cloud migrations, and an explosion of security tools. All while trying to keep pace with increasingly automated attacks. Every day feels like a mix of firefighting and long-term planning that never fully materializes. Under this pressure, it’s easy to […]
The post #1 Gap in Your SOCs Is Probably Not What You Think appeared first on Cyber Security News.
INC
Detego Global Launches Case Management Platform for Digital Forensics and Incident Response Teams
Popular code formatting sites are exposing credentials and other secrets
Widely used code formatting sites JSONFormatter and CodeBeautify are exposing sensitive credentials, API keys, private keys, configuration files and other secrets, watchTowr researchers discovered.
The findings
JSONFormatter and CodeBeautify are free, web-based tools/services used by developers to make messy code easily readable, to validate it, or convert it. Users can also save the output code, so they can share it with others. (If you use JSON Formatter without logging in and save the output, it …
The post Popular code formatting sites are exposing credentials and other secrets appeared first on Help Net Security.
Laughter for No Reason. Why Language Models Find Wordplay Where There Is None (and What the Ukulele Has to Do with It)
Smishing Triad Impersonation Campaigns Expand Globally
NDSS 2025 – EAGLEYE: Exposing Hidden Web Interfaces In IoT Devices Via Routing Analysis
Session 4A: IoT Security
Authors, Creators & Presenters: Hangtian Liu (Information Engineering University), Lei Zheng (Institute for Network Sciences and Cyberspace (INSC), Tsinghua University), Shuitao Gan (Laboratory for Advanced Computing and Intelligence Engineering), Chao Zhang (Institute for Network Sciences and Cyberspace (INSC), Tsinghua University), Zicong Gao (Information Engineering University), Hongqi Zhang (Henan Key Laboratory of Information Security), Yishun Zeng (Institute for Network Sciences and Cyberspace (INSC), Tsinghua University), Zhiyuan Jiang (National University of Defense Technology), Jiahai Yang (Institute for Network Sciences and Cyberspace (INSC), Tsinghua University)
PAPER
EAGLEYE: Exposing Hidden Web Interfaces in IoT Devices via Routing Analysis https://www.ndss-symposium.org/wp-content/uploads/2025-399-paper.pdf
Hidden web interfaces, i.e., undisclosed access channels in IoT devices, introduce great security risks and have resulted in severe attacks in recent years. However, the definition of such threats is vague, and few solutions are able to discover them. Due to their hidden nature, traditional bug detection solutions (e.g., taint analysis, fuzzing) struggle to detect them. In this paper, we present a novel solution, EAGLEYE, to automatically expose hidden web interfaces in IoT devices. By analyzing input requests to public interfaces, we first identify routing tokens within the requests, i.e., those values (e.g., actions or file names) that are referenced and used as an index by the firmware code (routing mechanism) to find associated handler functions. Then, we utilize modern large language models to analyze the contexts of such routing tokens and deduce their common pattern, and then infer other candidate values (e.g., other actions or file names) of these tokens. Lastly, we perform a hidden-interface directed black-box fuzzing, which mutates the routing tokens in input requests with these candidate values as the high-quality dictionary. We have implemented a prototype of EAGLEYE and evaluated it on 13 different commercial IoT devices. EAGLEYE successfully found 79 hidden interfaces, 25X more than the state-of-the-art (SOTA) solution IoTScope. Among them, we further discovered 29 unknown vulnerabilities including backdoor, XSS (cross-site scripting), command injection, and information leakage, and have received 7 CVEs.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators', Authors' and Presenters' superb NDSS Symposium 2025 Conference content on the organization's YouTube channel.
The post NDSS 2025 – EAGLEYE: Exposing Hidden Web Interfaces In IoT Devices Via Routing Analysis appeared first on Security Boulevard.
With Friends Like These: China Spies on Russian IT Orgs
SecWiki News 2025-11-25 Review
For more of the latest articles, visit SecWiki
Life in the Swimlane with Pauline Bacot, Senior Product Marketing Manager
The post Life in the Swimlane with Pauline Bacot, Senior Product Marketing Manager appeared first on AI Security Automation.
The post Life in the Swimlane with Pauline Bacot, Senior Product Marketing Manager appeared first on Security Boulevard.
Lenovo Has Stockpiled Enough Memory to Last a Full Year
Don’t Use a Ruler to Measure Wind Speed: Establishing a Standard for Competitive Solutions Testing
Competitive testing is a business-critical function for financial institutions seeking the ideal solutions provider to help optimize their risk management strategies. Don’t get seduced by inflated test results or flowery marketing claims, however. Selecting the right risk solutions could be one of the most important tasks your business ever undertakes – and one of the..
The post Don’t Use a Ruler to Measure Wind Speed: Establishing a Standard for Competitive Solutions Testing appeared first on Security Boulevard.