OWASP BLT Security Vulnerability
OWASP BLT is an open-source gamified crowdsourcing platform for testing and disclosing vulnerabilities. Versions of OWASP BLT prior to 2.1.1 contained security vulnerabilities. These vulnerabilities were caused by a remote code execution issue in the .github/workflows/regenerate-migrations.yml...
crowdsourcing.anlux.lu Cross Site Scripting vulnerability OBB-3477215
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
From Bounty to Exploit: Observations About Cybercriminal Contests
From articles to hackathons, cybercriminals are resorting to crowdsourcing to find more ways to exploit systems. In this blog, we discuss our takeaways and summarize the results of these contests...
CrowdSec - An Open-Source Massively Multiplayer Firewall Able To Analyze Visitor Behavior And Provide An Adapted Response To All Kinds Of Attacks
CrowdSec is a free, modern and collaborative behavior detection engine, coupled with a global IP reputation network. It builds on fail2ban's philosophy but is IPv6 compatible and 60x faster (Go vs. Python), uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineere...
Energize Your Incident Response and Vulnerability Management With Crowdsourced Automation Workflows
It’s no secret that most organizations need to dramatically improve their incident detection and response and vulnerability management (VM) programs. How many major security breaches could organizations avert if they could detect and address them at the start, when they’re still just minor incident...
Benefits of Building a Multi-prong Mousetrap for WAF Policies with ML
The reason behind buying a market-leading Web Application Firewall (WAF) is to protect your website and web applications from malicious attacks, plus complying with industry or regional data and privacy standards. In addition to the typical OWASP Top 10 vulnerabilities, WAFs need to address a litan...
FFEM: A Simple Device to Crowdsource Water Quality Data
Akamai has been a strong advocate for water conservation by supporting early-stage innovations. This World Water Monitoring Day (September 18), we present the inspiring work of one of our innovators -- Foundation For Environmental Monitoring (FFEM), based in Bangalore, India -- that is working on...
Code injection
An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the login form can accept submissions from external websites. In conjunction with CVE-2019-12783, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site, allowing them to guess and...
CVE-2019-12784
Verint Impact 360 15.1 (wfo/control/signin) has a login form that accepts submissions from external websites, enabling a possible cross-site flow that, together with CVE-2019-12783, could be used to crowdsource bruteforce login attempts against valid credentials without originating traffic from t...
XSS Vulnerability in KPPW Wizards System
KPPW v3.3, a crowdsourcing wiki system developed by Wuhan Kiker Information Technology Co., Ltd., is a large-scale platform based on the Laravel framework, developed for project transactions and settlement. There is an XSS vulnerability in the KPPW system, which can be exploited to obtain...
Wi-Fi Hotspot Finder Spills 2 Million Passwords
More than 2 million passwords for Wi-Fi hotspots were leaked online by the Android app developer behind the mobile application called WiFi Finder. The passwords were part of an insecure database found by researchers at GDI Foundation. The Android app itself did not just help users find Wi-Fi...
How Imperva’s New Attack Crowdsourcing Secures Your Business’s Applications
Attacks on applications can be divided into two types: targeted attacks and “spray and pray” attacks. Targeted attacks require planning and usually include a reconnaissance phase, where attackers learn all they can about the target organization’s IT stack and application layers. Targeted...
Newsmaker Interview: Marten Mickos the Future of Bug Bounty
Since the launch of the Hack the Pentagon program in 2016, bug bounty programs have quickly grown in popularity. The program was bolstered by HackerOne, a bug bounty security crowdsourcing platform led by CEO Marten Mickos. “The numbers have exploded,” Mickos told Threatpost. “There’s a larger...
Bug Bounty Programs Turn Attention to Data Abuse
More companies – particularly social media firms – may follow Facebook’s footsteps in turning to bug bounty programs to scout out any data privacy abuse on their platforms, experts say. On the heels of Facebook’s Cambridge-Analytica scandal in March, the social media giant launched a “Data Abuse...
U.S. DoD Hopes To Stamp Out Threats With Bug Bounty Program
The U.S. Department of Defense is doubling down on rooting out vulnerabilities in its massive government systems. On Monday, the DoD announced it was expanding its bug bounty program to include the agency’s massive Defense Travel System. The “Hack the DTS” program launched in partnership with bug...
New Techniques in Fake Reviews
Research paper: "Automated Crowdturfing Attacks and Defenses in Online Review Systems." Abstract: Malicious crowdsourcing forums are gaining traction as sources of spreading misinformation online, but are limited by the costs of hiring and managing human workers. In this paper, we identify a new...
Blackphone Bug Bounty Program Launches on Bugcrowd
During DEF CON in August, Twitter became the preferred medium for submitting bugs found in secure smartphone Blackphone, including one high-profile claim on the social network that the phone had been rooted. That wasn’t the final straw that led to today’s announcement of a bug bounty, rather it w...
Crowdsourcing a Tool for Application Vulnerability Research
Pulling in security help on a project has traditionally meant either hiring more full-time help, or bringing in an outside consultant. Enterprises and vendors alike, however, are starting to really go outside the perimeter these days and are taking advantage of crowdsourcing. Given the paranoia i...
Crowdsourcing to be Part of Phase Two of TrueCrypt Audit
TrueCrypt may yet get forked, but it won’t come at the hands of the Open Crypto Audit Project (OCAP), which has a working plan to move forward with a cryptanalysis of the open source encryption software. OCAP is the brand name for the grassroots movement that arose out of the ashes of the Snowden...
HD Moore, Project Sonar Crowdsources Vulnerability Analysis
The state of embedded device security is poor, and there hasn’t been much in the way of discussion to the contrary. It’s well established that vendors skimp on security, selling, for example, routers and other networking gear protected only by default passwords, or other critical devices engineere...