Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

Simple bash script to test your WAF or other devices against Log...

The Bug Report - December 2021 Edition

The Bug Report - December 2021 By Philippe Laulheret · January 19, 2022 Your Cybersecurity Comic Relief Why am I here? If you’re reading these words, CONGRATULATIONS! You’ve made it to 2022! And even better, you found your way to ATR’s monthly security digest where we discuss our favorite...

The Bug Report - December 2021 Edition

The Bug Report - December 2021 By Philippe Laulheret · January 19, 2022 Your Cybersecurity Comic Relief Why am I here? If you’re reading these words, CONGRATULATIONS! You’ve made it to 2022! And even better, you found your way to ATR’s monthly security digest where we discuss our favorite...

Exploit for Improper Input Validation in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

This is a Java project for a web application that uses the Log4j library. The project is a practice environment for testing and learning about the Log4j vulnerability CVE-2021-44228. The project includes a Maven project settings file, a Java class file, and a Log4j configuration file. The Log4j...

PCI Penetration Test – Everything You Need to Know

Introduction For any association that cycles, stores or sends charge card information, entrance testing has been a commitment since 2013. That is the point at which the consistence necessities set up by the Payment Card Industry Security Standards Council PCI SSC were refreshed to mirror the...

Exploit for Incorrect Authorization in Apache Druid

CVE-2021-36749 Apache Druid LoadData arbitrary file reading...

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

CVE-2021-44228-Test-Server A small server for verifing if a gi...

STEWS - A Security Tool For Enumerating WebSockets

STEWS is a tool suite for security testing of WebSockets This research was first presented at OWASP Global AppSec US 2021 Features STEWS provides the ability to: Discover : find WebSockets endpoints on the web by testing a list of domains Fingerprint : determine what WebSockets server is running ...

OWASP Top 10 Deep Dive: Identification and Authentication Failures

In the 2021 edition of the OWASP top 10 list, Broken Authentication was changed to Identification and Authentication Failures. This term bundles in a number of existing items like cryptography failures, session fixation, default login credentials, and brute-forcing access. Additionally, this...

ThreatBox - A Standard And Controlled Linux Based Attack Platform

ThreatBox is a standard and controlled Linux based attack platform. I've used a version of this for years. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of ansible playbooks. Why Ansible? Why no...

ChopChop - ChopChop Is A CLI To Help Developers Scanning Endpoints And Identifying Exposition Of Sensitive Services/Files/Folders

ChopChop is a command-line tool for dynamic application security testing on web applications, initially written by the Michelin CERT. Its goal is to scan several endpoints and identify exposition of services/files/folders through the webroot. Checks/Signatures are declared in a config file by...

Exploit for Path Traversal in Vmware Cloud_Foundation

CVE-2021-22005 VMware vCenter Server arbitrary file upload...

Exploit for Expression Language Injection in Atlassian Confluence_Data_Center

CVE-2021-26084 Confluence remote code execution RCE...

LazyCSRF - A More Useful CSRF PoC Generator

LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite. Motivation Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. The feature of Burp Suite that I like the most is Generate CSRF PoC. However, this does not suppor...

PayloadsAllTheThings

It is an offensive tool for Web Application Security and Pentest/CTF. This repository contains a list of useful payloads and bypass techniques for web application security and penetration testing/CTF. The payloads are likely used to exploit vulnerabilities and bypass security measures. Not...

jexboss

This is an offensive tool for Java Deserialization Vulnerabilities. The tool is called JexBoss and is used to verify and exploit vulnerabilities in JBoss Application Server and other Java platforms, frameworks, and applications. The tool is written in Python and has a command-line interface. It c...

Practical tips on how to use application security testing and testing standards

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Daniel Cuthbert, Global Head of Security...

Practical tips on how to use application security testing and testing standards

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Daniel Cuthbert, Global Head of Security...

XssHunter-Express 授权问题漏洞

XssHunter-Express is used to test and find blind XSS. XssHunter-Express suffers from an Authorization Problem vulnerability that stems from a lack of proper validation of client-side data by the WEB application. An attacker can exploit this vulnerability to execute client-side code...

Linux Implementation of Cobalt Strike Beacon Targeting Organizations Worldwide

Researchers on Monday took the wraps off a newly discovered Linux and Windows re-implementation of Cobalt Strike Beacon that's actively set its sights on government, telecommunications, information technology, and financial institutions in the wild. The as-yet undetected version of the penetratio...