1261 matches found

OSV
added 2018/06/11 9:29 p.m. | 1 views

CVE-2016-9061

A previously installed malicious Android application which defines a specific signature-level permission used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

7.5 CVSS | 7.3 AI score | 0.00822 EPSS
Exploits: 1 | References: 4
NVD
added 2018/06/11 9:29 p.m. | 16 views

CVE-2016-9061

A previously installed malicious Android application which defines a specific signature-level permission used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

7.5 CVSS | 6.9 AI score | 0.00822 EPSS
Exploits: 1 | References: 4
UbuntuCve
added 2018/06/11 9:29 p.m. | 25 views

CVE-2016-9061

A previously installed malicious Android application which defines a specific signature-level permission used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

7.5 CVSS | 7.1 AI score | 0.00822 EPSS
Exploits: 1 | References: 2
Debian CVE
added 2018/06/11 9:0 p.m. | 31 views

CVE-2016-9061

A previously installed malicious Android application which defines a specific signature-level permission used by Firefox can access API keys meant for Firefox only. Note: This issue only affects Firefox for Android. Other versions and operating systems are unaffected. This vulnerability affects...

7.5 CVSS | 8.6 AI score | 0.00822 EPSS
Exploits: 1
CVE
added 2018/06/11 9:0 p.m. | 91 views

CVE-2016-9061

CVE-2016-9061 affects Firefox for Android, where a previously installed malicious Android app can exploit a signature-level permission to access API keys meant for Firefox. The issue is limited to Firefox for Android; other platforms are unaffected and Firefox versions prior to 50 are affected. T...

7.5 CVSS | 7.7 AI score | 0.00822 EPSS
Exploits: 1 | References: 4 | Affected Software: 1
Kitploit
added 2018/06/11 2:10 p.m. | 23 views

Omnibus - Open Source Intelligence Collection, Research, And Artifact Management

An Omnibus is defined as a volume containing several novels or other items previously published separately and that is exactly what the InQuest Omnibus project intends to be for Open Source Intelligence collection, research, and artifact management. By providing an easy to use interactive command...

7.1 AI score
Exploits: 0 | References: 2
Pen Test Partners Blog
added 2018/05/16 2:44 p.m. | 27 views

Hijacking Philips Hue

We were filming a smart home hacking piece on the 5th May this year. Like most home users, the Wi-Fi PSK wasn’t strong enough, so we cracked it and joined the network. The user had a Philips Hue lighting system. None of us here had looked at Hue before - we made an assumption after the previous...

6.6 AI score
Exploits: 0
Metasploit
added 2018/05/01 2:20 a.m. | 31 views

Nagios XI Chained Remote Code Execution

This module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. 3. The...

9.8 CVSS | 0.2 AI score | 0.79015 EPSS
Exploits: 12
Kitploit
added 2018/03/23 1:39 p.m. | 83 views

ODIN - Tool For Automating Penetration Testing Tasks

ODIN is made possible through the help, input, and work provided by others. Therefore, this project is entirely open source and available to all to use/modify. All this developer did was assemble the tools, convert some of them to Python 3, and stitch them together into an all-in-one toolkit. Wha...

7.1 AI score
Exploits: 0 | References: 9
Kitploit
added 2018/03/18 12:39 p.m. | 62 views

StaCoAn - Crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications. This tool will look for interesting lines in the code which can contain: hardcoded credentials, API keys, URLs of APIs, decryption keys, major coding...

7.3 AI score
Exploits: 0 | References: 3
n0where
added 2018/03/13 7:21 p.m. | 151 views

Automating Penetration Testing Tasks: ODIN

ODIN (Observe, Detect, and Investigate Networks) is a Python tool for automating intelligence gathering, testing and reporting. ODIN is still in active development. ODIN is designed to be run on Linux. About 90% of it will absolutely work on Windows or MacOS with Python 3 and a copy of urlcrazy, bu...

7 AI score
Exploits: 0 | References: 3
Kitploit
added 2018/03/13 6:53 p.m. | 36 views

SpiderFoot 2.12 - Automates OSINT to find out everything possible about your target

SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more. You simply specify the target you want to investigate, pick which modules to enable and then SpiderFoot will...

7 AI score
Exploits: 0
Kitploit
added 2018/02/26 1:16 p.m. | 19 views

PoT - Phishing On Twitter

Generate tweets automatically like him/her. How it works: 1. Collect data from the target's Twitter account. 2. Find the target's friend and copy her/his account. 3. Generate a tweet automatically with a Markov chain algorithm and send it. Installation: git clone https://github.com/omergunal/PoT; cd PoT; pip3 instal...

7.2 AI score
Exploits: 0 | References: 1
n0where
added 2018/02/12 6:15 a.m. | 31 views

Open Source Static Code Analyser: StaCoAn

StaCoAn is a crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications. This tool will look for interesting lines in the code which can contain: hardcoded credentials, API keys, URLs of APIs, decryption keys, major coding...

7.5 AI score
Exploits: 0 | References: 2
Cvelist
added 2018/02/06 2:0 p.m. | 23 views

CVE-2016-6813

Apache CloudStack 4.1 to 4.8.1.0 and 4.9.0.0 contain an API call designed to allow a user to register for the developer API. If a malicious user is able to determine the ID of another non-"root" CloudStack user, the malicious user may be able to reset the API keys for the other user, in turn...

9.4 AI score | 0.01502 EPSS
Exploits: 0 | References: 3
Kitploit
added 2018/01/27 9:0 p.m. | 15 views

Twebit - Bitcoin Analysis in Twitter With Machine Learning

Bitcoin analysis with machine learning. How it works: 1. Get tweets from Twitter. 2. Filter tweets. 3. Classify tweets with the naive Bayes algorithm: positive, negative and neut. Installation: git clone https://github.com/omergunal/twebit; cd twebit; pip3 install -r requirements.txt. Update your api...

7.2 AI score
Exploits: 0 | References: 1
Kitploit
added 2018/01/05 9:4 p.m. | 226 views

Reposcanner - Python Script To Scan Git Repos For Interesting Strings

Reposcanner is a Python script to search through the commit history of Git repositories looking for interesting strings such as API keys, inspired by truffleHog. Installation: the Python Git module is required (python-git on Debian). Usage: ./reposcanner -r Options: optional arguments: -h, --help sho...

7.2 AI score
Exploits: 0 | References: 2
Veracode
added 2018/01/05 8:30 a.m. | 8 views

Unauthorized API Access

solidus is vulnerable to unauthorized API access attacks. The vulnerability exists as API keys were not validated for critical endpoints such as the Api::Orderscreate endpoint...

6.8 AI score
Exploits: 0
Github Security Blog
added 2017/12/06 4:43 p.m. | 30 views

Recurly gem Server-Side Request Forgery in Resource#find method

The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the Resource#find method that could result in compromise of API keys or other critical resources...

9.8 CVSS | 8.9 AI score | 0.00519 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
OSV
added 2017/12/06 4:43 p.m. | 13 views

GHSA-X27V-X225-GQ8G Recurly gem Server-Side Request Forgery in Resource#find method

The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the Resource#find method that could result in compromise of API keys or other critical resources...

9.8 CVSS | 9.4 AI score | 0.00519 EPSS
Exploits: 0 | References: 5