227 matches found
Brazil's Biggest Cosmetic Brand Natura Exposes Personal Details of Its Users
Brazil's biggest cosmetics company Natura accidentally left hundreds of gigabytes of its customers' personal and payment-related information publicly accessible online that could have been accessed by anyone without authentication. SafetyDetective researcher Anurag Sen last month discovered two...
S3Reverse - The Format Of Various S3 Buckets Is Convert In One Format
The format of various s3 buckets is convert in one format. for bugbounty and security testing. Install $ go get -u github.com/hahwul/s3reverse Usage Input options Basic Usage 8""""8 eeee 8"""8 8"""" 88 8 8"""" 8"""8 8""""8 8"""" 8 8 8 8 8 88 8 8 8 8 8 8 8eeeee 8 8eee8e 8eeee 88 e8 8eeee 8eee8e...
44M Digital Wallet Items Exposed in Key Ring Cloud Misconfig
Key Ring, creator of a digital wallet app used by 14 million people across North America, has exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet, researchers say. The Key Ring app allows users to upload scans and photos of various physical...
AWSGen.py - Generates Permutations, Alterations And Mutations Of AWS S3 Buckets Names
AWSGen.py is a simple tool for generates permutations, alterations and mutations of AWS S3 Buckets Names. Download AWSGen.py...
The Ultimate Security Budget Excel Template
Sound security budget planning and execution are essential for the CIO’s/CISO’s success. Now, for the first time, The Ultimate Security Budget Plan & Track Excel template download here provides security executives a clear and intuitive tool to keep track of planned vs. actual spend, ensuring that...
AWS Report - Tool For Analyzing Amazon Resources
AWS Report is a tool for analyzing amazon resources. Features Search iam users based on creation date Search buckets public Search security group with inbound rule for 0.0.0.0/0 Search elastic ip dissociated Search volumes available Search AMIs with permission public Search internet gateways...
PayloadsAllTheThings
This is an offensive tool repository for Web Application Security and Pentest/CTF. It contains a list of useful payloads and bypass techniques for various web application vulnerabilities. The repository includes tools and scripts for exploiting vulnerabilities such as CRLF injection, CSRF...
Virus Bulletin 2019: Magecart Infestations Saturate the Web
LONDON — Magecart, the digital card-skimming collective, is now so ubiquitous that its infrastructure is flooding the internet. In a paper presented at Virus Bulletin 2019 this week in London, Jordan Herman and Yonathan Klijnsma of RiskIQ said that there are now 573 known C2 domains for the group...
A week in security (September 9 – 15)
Last week on the Labs blog, we looked at free VPN offerings, how malware can hinder vital emergency services, and explored how the Heartbleed vulnerability is still causing problems. We also talked about a large FTC settlement involving Google, and how to keep an eye out for leaky AWS buckets...
Slurp - S3 Bucket Enumerator
Blackbox/whitebox S3 bucket enumerator Overview Credit to all the vendor packages that made this tool possible. This is a security tool; it's meant for pen-testers and security professionals to perform audits of s3 buckets. Features Scan via domains; you can target a single domain or a list of...
Magecart Hackers Infect 17,000 Sites Through Misconfigured Amazon S3 Buckets
Magecart strikes again! Cybersecurity researchers have identified yet another supply-chain attack carried out by payment card hackers against more than 17,000 web domains, which also include websites in the top 2,000 of Alexa rankings. Since Magecart is neither a single group nor a specific malwa...
Amazon Web Services S3 instance enumeration
Provided AWS credentials, this module will call the authenticated API of Amazon Web Services to list all S3 buckets associated with the account This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'aws-sdk-s3' clas...
2.3B Files Exposed in a Year: A New Record for Misconfigs
The last 12 months has seen the exposure of a record 2.3 billion files across cloud databases and online shares, according to an analysis released on Thursday. A report from Digital Shadows’ Photon Research Team, Too Much Information: The Sequel, assessed the scale of inadvertent global data...
Moderate: Red Hat Security Advisory: Red Hat Ceph Storage 2.5 security and bug fix update
An update for ceph and grafana is now available for Red Hat Ceph Storage 2.5 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...
AWS Slurp Github Takeover
Slurp is a tool used by information security professionals to enumerate AWS S3 buckets. Slurp takes a domain name example.com or wordlist as input and cycles through likely S3 bucket names example.s3.amazonaws.com looking for any world-read/writeable buckets. S3 buckets are a great find for...
Google Android P is officially called Android 9 Pie
If you have bet on Peppermint, Pancake or Pastry for "P" in the next version of Google's mobile operating system, sorry guys you lose because Android P stands for Android Pie. Yes, the next version of sugary snack-themed Android and the successor to Android Oreo will now be known as Android 9.0 P...
A week in security (July 16 – July 22)
Last week on Labs, we looked at a Magniber expansion, explored open source vulnerabilities, and checked out the boons and drawbacks of smart assistants. We also continued our ad blocking article extravaganza, gave a whistlestop tour of third-party problems, and published our Q2 Cybercrime tactics...
AWS Pwn - A Collection Of AWS Penetration Testing Junk
This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to...
S3Scanner - Scan For Open S3 Buckets And Dump
A quick and dirty script to find unsecured S3 buckets and dump their contents. Using The tool has 2 parts: 1 - s3finder.py This script takes a list of domain names and checks if they're hosted on Amazon S3. Found S3 domains are output to file with their corresponding region in format...
Bucket Stream - Find interesting Amazon S3 Buckets by watching certificate transparency logs
Find interestingAmazon S3 Buckets by watching certificate transparency logs. This tool simply listens to various certificate transparency logs via certstream and attempts to find public S3 buckets from permutations of the certificates domain name. Some quick tips if you use S3 buckets: 1. Randomi...