Happy Hacking8

A clean information feed tool, leaning toward the bits and pieces of the security community, surfacing quality content for security researchers every day.

Daily updates
Timeline
2021-09-21 23:59:18 Zhishi Xingqiu (知识星球)
A PHP deserialization trick #PHP# A PHP deserialization trick. Usually, when serializing, take the following code as an example: class test {     var $test;     function ...
2021-09-21 23:59:17 Zhishi Xingqiu (知识星球)
Sharing an article on how to teach yourself new things. I spent 30 minutes reading the English original and found a lot of it resonated with me; I am slowly recovering some of what I used to be. It breaks down into 5 steps and 1 point. 1. Make a plan: first look up material on the topic to settle the study outline and the order of study. 2. Give yourself enough study time. If you think a topic takes 2 days to learn, spend double that on it; that is the normal state of learning. This point was a real eye-opener for me. 3. Find your own learning style. Try several ways of learning in practice, such as videos, articles and beginner tutorials, and see which one or more suit you best. 4. Treat learning resources critically; a lot of what is online...
2021-09-21 23:22:17 Software Integrity Blog
Learn how to set up continuous assurance with Code Dx to improve code quality and security at the speed of DevOps.
The post Integrating static analysis tools with build servers for continuous assurance appeared first on Software Integrity Blog.
2021-09-21 23:20:45 Security Boulevard
Today, networks are evolving toward greater agility and dynamic capabilities to support advanced networking requirements and business-critical processes. As a result, IT infrastructure is also extending to environments without …
The post Streamlining network operations with network management solutions (original French title: Rationalisation des opérations de réseau grâce aux solutions de gestion de réseau) appeared first on ManageEngine Blog.
The post Streamlining network operations with network management solutions appeared first on Security Boulevard.
2021-09-21 23:20:45 Security Boulevard
Your home network is your gateway to the internet. Every day it connects multiple devices including your family laptops, tablets, and phones to the internet. In addition, your home network connects to IoT devices such as smart home devices, fitness trackers, and voice assistants like Alexa. While useful in our everyday life providing extraordinary benefits, […]
The post NG Firewall for Home Use first appeared on Untangle.
The post NG Firewall for Home Use appeared first on Security Boulevard.
2021-09-21 23:20:45 Security Boulevard
The September Apple Event is one of the most important events for any IT admin because it is preceded by the Apple Worldwide Developers Conference. It witnesses the release of new hardware like the iPhone and, more importantly for enterprises, …
The post Gearing up your IT ecosystem for the Apple WWDC21 updates appeared first on ManageEngine Blog.
The post Gearing up your IT ecosystem for the Apple WWDC21 updates appeared first on Security Boulevard.
2021-09-21 23:20:45 Security Boulevard
This week Avast CTO Michal Pechoucek dropped in to talk with Alteryx CTO Derek Knudsen on the “Modern CTO” podcast. Throughout the 55-minute episode, Derek and Michal discuss the proper role of AI in cybersecurity, the way to decrease the cost of online freedom for all, and why it’s important to keep users invested in their cybersecurity health. But to begin, Derek asks Michal to talk about his start in the field.
The post “Modern CTO” Features Avast’s Michal Pechoucek | Avast appeared first on Security Boulevard.
2021-09-21 23:20:36 Microsoft Security Blog
With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. We are sharing these findings so the broader community can build on them and use them to enhance email filtering rules as well as threat detection technologies like sandboxes to better catch these threats.
The post Catching the big fish: Analyzing a large-scale phishing-as-a-service operation appeared first on Microsoft Security Blog.
2021-09-21 23:20:36 GitHub Security Lab | Research
During an audit of Apache Dubbo v2.7.8 source code, I found multiple vulnerabilities enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers. I’ve been planning a blog post for a while (and was encouraged by all the Twitter feedback), but it was delayed when I found four new RCEs that I reported to the Apache Dubbo project - I wanted to make sure they had ample time to remediate them.
CodeQL is GitHub’s semantic code analysis engine that lets you query code as though it were data, allowing you to find variants of a given vulnerability pattern. In this blog post, I’ll summarize the process I used to find these vulnerabilities and how I used CodeQL, not as an automated scanner to find occurrences of a specific vulnerability pattern, but rather as an audit oracle which helped me answer questions about the codebase as I was exploring it. This is not a blog post about performing variant analysis or writing a query to detect the issues I previously found through manua
2021-09-21 23:18:39 Fuzzing Labs
Introduction to JavaScript Fuzzing 1. JavaScript Fuzzing of npm/nodejs/code (omggif) using jsfuzz In this course, I will fuzz a JavaScript npm/nodejs library (omggif) in order to find uncaught JavaScript exceptions. I will explain how to create a fuzzing harness for this target, run the fuzzer (jsfuzz), handle expected exceptions, analyze a crash and create a...
2021-09-21 23:17:54 HackerOne latest public reports (hackone最新公开漏洞)
Affected vendor: Moneybird  Bounty:  Severity: low
Changing the company name at https://moneybird.com/user/accountant_company/edit
2021-09-21 23:17:54 HackerOne latest public reports (hackone最新公开漏洞)
Affected vendor: Moneybird  Bounty:  Severity: low
Open redirect via a POST request in OAuth
2021-09-21 21:20:40 Security Boulevard
A sometimes discussed trivia point about secrets sharing is how during the Cold War the CIA might have trained agents to message using variations of shoe lacing. A “Recognition Signals” instructional manual allegedly was distributed in 1953 by a magician named John Mulholland (MKUltra Subproject Number 4, as reproduced by The Official CIA Manual of … Continue reading How to braid hair (“corn rows”) for secret messaging →
The post How to braid hair (“corn rows”) for secret messaging appeared first on Security Boulevard.
2021-09-21 21:20:39 Security Boulevard
The title of this blog post is from our 2013 RSA Conference panel presentation on the ethics and business of “hack back”, a stage we shared with CrowdStrike and Trend Micro. It was based on 2012 presentations we had been giving to explain an ethical business model for hack back, based on setting international precedent … Continue reading Is it Whack to Hack Back a Persistent Attack? →
The post Is it Whack to Hack Back a Persistent Attack? appeared first on Security Boulevard.
2021-09-21 21:19:15 GuidePoint Security
Introduction In many instances, threat actors are paying just as much attention to public vulnerability disclosures as […]
2021-09-21 21:18:26 daily-swig
Customer data impacted by security incident
2021-09-21 19:20:26 Security Boulevard
In a world where DevOps is oiling the wheels of accelerated software development, it’s hardly surprising that automation, code re-use and third-party libraries are integral parts of our high-speed app development cycle. But what happens when the pace of development outstrips security? Or when the tools that help you go faster become vulnerabilities themselves? For […]
The post How to mitigate security vulnerabilities automatically with RASP appeared first on Blog.
The post How to mitigate security vulnerabilities automatically with RASP appeared first on Security Boulevard.
2021-09-21 19:20:26 Security Boulevard
With new technological advancements coming to light every day, the supply of and demand for IoT devices have increased significantly. Humans have started relying on these devices for even the most basic everyday functions. In fact, as per a study conducted by IDC, 4 out of 5 people check their phones within 15 minutes of waking […]
The post Cyber Threats Haunting IoT Devices in 2021 appeared first on Kratikal Blogs.
The post Cyber Threats Haunting IoT Devices in 2021 appeared first on Security Boulevard.
2021-09-21 19:20:26 Security Boulevard
Welcome to the Ask Chloé column on Security Boulevard! Each week, Chloé provides answers to readers’ questions to help guide them as they navigate the technology industry. This week, Chloé addresses a reader’s fear that burnout will continue to be an issue long after the pandemic finally recedes. Dear Chloé, Do you think burnout will still be…
The post Ask Chloé: Preventing Future Burnout appeared first on Security Boulevard.
2021-09-21 19:20:25 Security Boulevard
Letting people go is never a pleasant or easy task for anyone. A recent court case underscores the importance of businesses having an effective, and fast, process for revoking the network access of employees who are being let go. The purpose of this process is to protect against damage from newly former employees who are disgruntled at being dismissed.
The post Importance of Access Revocation for SMBs | Avast appeared first on Security Boulevard.
2021-09-21 19:18:26 daily-swig
Compromise of employee mailboxes may have exposed sensitive medical data
2021-09-21 17:20:39 Exploit-DB.com RSS Feed
Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)
2021-09-21 17:20:38 Exploit-DB.com RSS Feed
WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)
2021-09-21 17:20:38 Exploit-DB.com RSS Feed
Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial-Of-Service (PoC)
2021-09-21 17:20:14 Security Boulevard
Hello week four of National Insider Threat Awareness month! This week we’re talking about insider...
The post Insider Threat Personas: Who is Responsible for Insider Attacks? appeared first on Gurucul.
The post Insider Threat Personas: Who is Responsible for Insider Attacks? appeared first on Security Boulevard.
2021-09-21 17:19:27 Pentest Blog
A couple of days ago, I came across news that Pardus will organize a bug-report contest. I love to contribute to open-source projects, so this was a pretty good chance to revisit one of my old friends, Pardus, and uncover security and/or privacy issues. What is Pardus? Pardus is a Linux distribution developed with support from […]
2021-09-21 17:19:27 Pentest Blog
LiderAhenk is an open source software system that enables centralized management, monitoring and control of systems and users on the corporate network. In this blog post, you will see how bad it can get when you have a critical security vulnerability on your centralized client management system. Architecture and Our Target LiderAhenk software has 2 […]
2021-09-21 17:19:20 Comments on: Let’s Cook ‘Compl
TL;DR: A new whitepaper, “Defense against Client-Side Attacks” (https://insight.claranet.co.uk/cybersecurity/defense-against-client-side-attacks), has been released to help attackers understand client-side attacks and developers understand how to mitigate them. In the modern era, the web exploitation world is obsessed with server-side attacks; however, data now resides equally on the server and client side. Developers focus on fixing server-side
The post WhitePaper Release: Defense against Client-Side Attacks appeared first on NotSoSecure.
2021-09-21 15:35:07 Zhishi Xingqiu (知识星球)
Happy Mid-Autumn Festival! Weekly summary for 9.13~9.19, plus knowledge points. The three most active members this week were @Posi0n @shangzeng @Samaritan. This week's knowledge: - GitHub - klezVirus/inceptor: Template-Driven AV/ED... - an AV-evasion framework; its approach and workflow are what weaponization ought to look like. - Different ways to get a shell through PHP file inclusion vulnerabilities - Anquanke (安全客), security news platform - the various ways to exploit PHP file inclusion; this write-up is a good summary, worth bookmarking...
2021-09-21 15:22:32 From Freebuf
Helps researchers and analysts filter the valuable or analysis-worthy traffic out of captured packet capture (pcap) files.
2021-09-21 15:22:06 Yuanhai's blog (远海的博客)
I will be revising for half a year to sit the 专升本 (junior-college-to-bachelor) entrance exam. See you all in six months.
2021-09-21 15:20:23 Security Boulevard
The supply chain is something most people take for granted—until something goes wrong. The pandemic highlighted just how quickly business can grind to a halt if the supply chain is disrupted. Organizations have found that edge computing makes the supply chain run more efficiently, but this move to the edge requires a new approach to..
The post Securing the Edge in the Supply Chain appeared first on Security Boulevard.
2021-09-21 15:20:22 Security Boulevard
Ransomware is no longer just targeting low-hanging fruit, nor can good backups alone protect you. IT organizations need to create a multilayered defense that goes beyond cybersecurity to incorporate modern data management strategies, particularly for unstructured file data. Aside from the pandemic, ransomware has become one of the gravest threats to the global economy.  It..
The post Ransomware Defense: The File Data Factor appeared first on Security Boulevard.
2021-09-21 13:21:58 From Freebuf
McAfee recently discovered a new Android malware, Elibomi, targeting taxpayers in India. The malware masquerades as a tax-filing app and, through phishing...
2021-09-21 13:20:52 Bug Bounty in InfoSec Write-up
Subnetting — A Networking Concept
Hello folks, Ayush this side. Today I’m going to tell you about an important networking concept: subnetting.
Before reading further, you should be aware of some basic networking concepts like IP addresses, CIDR notation (/24, /16, /8), etc.
So, without wasting time, let’s get started :)
Now, what is subnetting?
Subnetting is nothing but dividing a network into different parts. Suppose you have a network in your shop or company and you want to divide it into 4 parts; that is where subnetting is used.
Before moving on to the actual part, you should know the cheatsheet given below; it will help you convert an IP into binary and binary into an IP. If you know what an IP address is, you know that an IPv4 address is 32 bits of 1s and 0s, written as four 8-bit octets.
128 64 32 16 8 4 2 1 — Cheatsheet
Now let’s take an example. Suppose you have the IP 192.168.1.12; its binary form is 11000000 10101000 00000001 00001100
How we did this, we did it wit
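Added example (mine, not code from Ayush's post): the cheatsheet conversion of 192.168.1.12 to binary done in code, and the post's scenario of dividing a network into 4 parts, worked through with Python's standard ipaddress module. The host 192.168.1.12 and the 128/64/32/16/8/4/2/1 table come from the post; the network 192.168.1.0/24 is the natural one to assume for that host, and every function name is my own.

```python
"""Added example (not from the original post): IP-to-binary conversion with the
128/64/32/16/8/4/2/1 cheatsheet, and splitting a network into equal subnets."""
import ipaddress

# The cheatsheet from the post: the place value of each bit in one octet.
BIT_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_bits(octet):
    """Convert one octet (0-255) to an 8-character bit string by subtracting place values."""
    if not 0 <= octet <= 255:
        raise ValueError(f"octet out of range: {octet}")
    bits = []
    remaining = octet
    for value in BIT_VALUES:
        if remaining >= value:      # this bit is set, consume its place value
            bits.append("1")
            remaining -= value
        else:
            bits.append("0")
    return "".join(bits)


def ip_to_binary(ip):
    """Dotted-decimal IPv4 address -> dotted-binary string (four 8-bit groups)."""
    addr = ipaddress.IPv4Address(ip)            # validates the address
    return ".".join(octet_to_bits(o) for o in addr.packed)


def binary_to_ip(binary):
    """Dotted-binary string -> dotted-decimal IPv4 address."""
    octets = [int(group, 2) for group in binary.split(".")]
    return str(ipaddress.IPv4Address(bytes(octets)))


def split_network(network, parts):
    """Divide `network` into `parts` equal subnets (parts must be a power of two).

    Borrowing n host bits gives 2**n subnets: a /24 split four ways becomes
    four /26 networks of 64 addresses each, 62 of them usable by hosts.
    """
    if parts < 1 or parts & (parts - 1):
        raise ValueError("parts must be a power of two")
    net = ipaddress.ip_network(network, strict=True)
    borrowed_bits = parts.bit_length() - 1
    rows = []
    for sub in net.subnets(prefixlen_diff=borrowed_bits):
        hosts = list(sub.hosts())
        rows.append({
            "network": str(sub),
            "netmask": str(sub.netmask),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable_hosts": len(hosts),
        })
    return rows


def subnet_of(ip, network, parts):
    """Return which of the `parts` subnets of `network` contains `ip`."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.ip_network(network, strict=True)
    for sub in net.subnets(prefixlen_diff=parts.bit_length() - 1):
        if addr in sub:
            return str(sub)
    raise ValueError(f"{ip} is not inside {network}")


if __name__ == "__main__":
    print(ip_to_binary("192.168.1.12"))
    for row in split_network("192.168.1.0/24", 4):
        print(row)
    print(subnet_of("192.168.1.12", "192.168.1.0/24", 4))
```

The manual subtraction in octet_to_bits is the cheatsheet as a procedure; split_network then shows what the 4-way split actually produces (the /26 boundaries, broadcast addresses and host ranges), which is the part a firewall or ACL rule ends up depending on.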
2021-09-21 13:20:52 Bug Bounty in InfoSec Write-up
A virtual environment, as the name suggests, works much like a virtual machine, where the guest operating system is kept separate from the host operating system: updates and upgrades affect only the virtual machine, not the host. The same idea applies to a Python virtual environment, an isolated runtime environment that lets a user or an application install and upgrade Python packages without interfering with other Python applications on the system. This matters because of how Python packages are stored on a system: most system packages live in a child directory of the path held in sys.prefix.
For instance, when building applications, app A may depend on a particular library at one version while app B needs a different version, say 2.0. Running both, one might satisfy the requirement for a particular module while the other does not, which introduces the need for Pyth
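Added example (mine, not from the write-up above): a short script that creates a throwaway virtual environment with the standard-library venv module and then asks the interpreter inside it where sys.prefix and its site-packages directory point. It makes the sys.prefix remark above concrete: inside the environment, sys.prefix is the environment directory, so anything installed there lands under it rather than under the system interpreter's prefix, while sys.base_prefix still names the interpreter the environment was created from. The directory name app-a-env is my own choice; the environment is created without pip so the script works offline.

```python
"""Added example (not from the original post): create a venv with the standard
`venv` module and show that the interpreter inside it installs into its own
prefix, not into the system site-packages."""
import json
import os
import subprocess
import sys
import tempfile
import venv
from pathlib import Path


def create_env(path):
    """Create a venv at `path` (no pip, so it works offline) and return its python."""
    venv.create(path, with_pip=False, symlinks=(os.name != "nt"))
    if os.name == "nt":
        return str(Path(path) / "Scripts" / "python.exe")
    return str(Path(path) / "bin" / "python")


def env_layout(python_exe):
    """Run `python_exe` and collect the paths that decide where `pip install`
    inside that interpreter would put packages."""
    probe = (
        "import json, sys, sysconfig;"
        "print(json.dumps({'prefix': sys.prefix,"
        " 'base_prefix': sys.base_prefix,"
        " 'purelib': sysconfig.get_path('purelib')}))"
    )
    out = subprocess.run([python_exe, "-c", probe], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def is_isolated(path):
    """True when the venv at `path` installs into itself and still points back
    at the interpreter it was made from."""
    layout = env_layout(create_env(path))
    env_root = Path(path).resolve()
    site_packages = Path(layout["purelib"]).resolve()
    return (
        Path(layout["prefix"]).resolve() == env_root           # sys.prefix is the venv
        and env_root in site_packages.parents                  # site-packages lives under it
        and Path(layout["base_prefix"]).resolve()
        == Path(sys.base_prefix).resolve()                     # base interpreter unchanged
    )


def isolated_in_tempdir():
    """Create a throwaway venv (hypothetical name app-a-env), check it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return is_isolated(os.path.join(tmp, "app-a-env"))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        env_dir = os.path.join(tmp, "app-a-env")
        print("isolated:", is_isolated(env_dir))
        print(env_layout(create_env(env_dir)))
```

Running the script prints the three paths reported by the child interpreter; the purelib entry is the directory that a package installed into this environment would occupy, and it sits under the temporary environment directory rather than under the system prefix.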
2021-09-21 13:20:52 Bug Bounty in InfoSec Write-up
Hey all,
I’m a beginner in bug bounty hunting. Even though my bachelor’s was in electronics, I got fascinated with cyber security while reading about computer networks during my bachelor’s. As my interest grew, I got to know more about network security & web security by reading and practicing them. I was aware of bug bounties from reading articles about them, but at the start I was not confident enough to find bugs if a target was given to me. I’m not attracted to the bounties which people post on social media, and I always firmly believe that constant learning, perseverance and sharing whatever you’ve learnt matter in all walks of life. Imagine if Google search was restricted only to the employees of Google :P, we wouldn’t be here LOL.
After learning a bit, I thought I would give it a try, and after a few attempts I got a lot of N/As & duplicates. I was fuming to myself and I decided to enhance my skills properly and get back to it later. After some time, when I started to hunt for bugs again, I picked a site that was
2021-09-21 13:20:06 Security Boulevard
It happens all the time: Organizations get hacked because there isn't an obvious way for security researchers to let them know about security vulnerabilities or data leaks. Or maybe it isn't entirely clear who should get the report when remote access to an organization's internal network is being sold in the cybercrime underground.
In a bid to minimize these scenarios, a growing number of major companies are adopting "Security.txt," a proposed new Internet standard that helps organizations describe their vulnerability disclosure practices and preferences.
The post Does Your Organization Have a Security.txt File? appeared first on Security Boulevard.
2021-09-21 13:20:06 Security Boulevard
The General Data Protection Regulation (GDPR) is a broad set of data privacy rules that define how an organization must handle and protect the personal data of people in the European Union (EU). The Regulation also outlines how organizations must report a data breach. Articles 33 and 34 set out the requirements for breach […]
The post How to Report a Data Breach per GDPR appeared first on The State of Security.
The post How to Report a Data Breach per GDPR appeared first on Security Boulevard.
2021-09-21 13:20:05 Security Boulevard
Data breaches have reached a fever pitch over the last few years. The rapid frequency of successful attacks coupled with the rising costs to businesses has raised attention at the highest levels of global governments. In the past, breaches were relatively “localized,” that is, they affected the targeted company only. However, the newer attacks have disrupted […]
The post Cybersecurity Maturity Model Certification (CMMC) – A Model for Everyone appeared first on The State of Security.
The post Cybersecurity Maturity Model Certification (CMMC) – A Model for Everyone appeared first on Security Boulevard.
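Added example (mine, not from the post above): a small generator and checker for a security.txt file, following the rules of the security.txt specification (published as RFC 9116): the file is served at /.well-known/security.txt, must carry at least one Contact, exactly one Expires in RFC 3339 date-time form that has not yet passed (a date less than a year out is recommended), at most one Preferred-Languages, and URI values (mailto:, https:, tel:) for the URI-valued fields. The sample files and the example.com URLs are constructed for illustration; the audit date 2021-09-21 is the page's own date and is pinned so the checks are repeatable.

```python
"""Added example (not from the original post): generate and sanity-check a
security.txt file against the requirements of the security.txt specification
(RFC 9116)."""
import re
from datetime import datetime, timedelta, timezone

URI_FIELDS = {"contact", "encryption", "acknowledgments", "canonical", "hiring", "policy"}
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")   # scheme followed by ':' (mailto:, https:, tel:)
WELL_KNOWN_PATH = "/.well-known/security.txt"

# Constructed samples (example.com is a reserved documentation domain).
AUDIT_DATE = datetime(2021, 9, 21, tzinfo=timezone.utc)
GOOD_FILE = """\
# Constructed sample; not any real organisation's file
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2021-12-31T23:59:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, zh
Canonical: https://example.com/.well-known/security.txt
"""
BAD_FILE = """\
Contact: security@example.com
Expires: 2021-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: fr
"""


def build_security_txt(contacts, now, valid_days=180, site="https://example.com"):
    """Emit a minimal valid file; Expires is kept well under the recommended one-year maximum."""
    expires = (now + timedelta(days=valid_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"Contact: {c}" for c in contacts]
    lines.append(f"Expires: {expires}")
    lines.append(f"Canonical: {site}{WELL_KNOWN_PATH}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return (field, value) pairs; blank lines and '#' comments are skipped.
    Field names are case-insensitive, so they are lower-cased here."""
    pairs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as err:
        return [str(err)]
    by_name = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)
    problems = []
    if "contact" not in by_name:
        problems.append("missing Contact")
    expires = by_name.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires must include a timezone offset")
            elif when <= now:
                problems.append("Expires is in the past")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year away")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
    if len(by_name.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    for name in URI_FIELDS:
        for value in by_name.get(name, []):
            if not URI_RE.match(value):
                problems.append(f"{name} value is not a URI: {value}")
    return problems


if __name__ == "__main__":
    print("good:", check_security_txt(GOOD_FILE, AUDIT_DATE))
    print("bad:", check_security_txt(BAD_FILE, AUDIT_DATE))
    print(build_security_txt(["mailto:security@example.com"], AUDIT_DATE))
```

The expiry check is the one most often missed in practice: a file that was correct when published silently becomes non-compliant once its Expires date passes, so the checker is worth running on a schedule rather than once at deployment.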