22 matches found

Imperva Blog
added 2024/08/14 7:5 a.m., 20 views

GraphQL Vulnerabilities and Common Attacks: Seen in the Wild

In our previous blog, we provided an overview of GraphQL security, along with details and examples of common attacks. Building on that foundation, this blog will take a closer look at real-world examples of GraphQL attacks that have recently occurred. We will explore the methods used by attackers...

7.8 AI score
Exploits: 0

Kitploit
added 2023/01/07 11:30 a.m., 25 views

REST-Attacker - Designed As A Proof-Of-Concept For The Feasibility Of Testing Generic Real-World REST Implementations

REST-Attacker is an automated penetration testing framework for APIs following the REST architecture style. The tool's focus is on streamlining the analysis of generic REST API implementations by completely automating the testing process - including test generation, access control handling, and...

7.5 AI score
Exploits: 0, References: 8

Tenable Nessus
added 2020/11/30 12:0 a.m., 57 views

openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2020-2083)

This update for java-1_8_0-openjdk fixes the following issues : - Fix regression '8250861: Crash in MinINode::IdealPhaseGVN, bool', introduced in October 2020 CPU. - Update to version jdk8u272 icedtea 3.17.0 July 2020 CPU, bsc1174157, and October 2020 CPU, bsc1177943 - New features + JDK-8245468: A...

8.3 CVSS, 6.9 AI score, 0.01018 EPSS
Exploits: 0, References: 18

Check Point Advisories
added 2020/06/09 12:0 a.m., 1 views

Microsoft Windows Kernel Security Feature Bypass (CVE-2020-1241)

A security bypass vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability would allow remote attackers to bypass security tests and protocols on the affected system...

6.8 CVSS, 4.9 AI score, 0.06984 EPSS
Exploits: 0

Kitploit
added 2020/04/22 12:30 p.m., 43 views

Nullscan - A Modular Framework Designed To Chain And Automate Security Tests

A modular framework designed to chain and automate security tests. It parses target definitions from the command line and runs corresponding modules and their nullscan-tools afterwards. It can also take hosts and start nmap first in order to perform a basic portscan and run the modules afterwards...

7.3 AI score
Exploits: 0, References: 1

Kitploit
added 2020/01/21 11:30 a.m., 63 views

Corsy v1.0 - CORS Misconfiguration Scanner

Corsy is a lightweight program that scans for all known misconfigurations in CORS implementations. Requirements Corsy only works with Python 3 and has the following dependencies: tld requests To install these dependencies, navigate to Corsy directory and execute pip3 install -r requirements.txt Usag...

7.4 AI score
Exploits: 0, References: 1

Check Point Advisories
added 2019/04/09 12:0 a.m., 4 views

Microsoft Windows Security Feature Bypass (CVE-2019-0732)

A security bypass vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability would allow remote attackers to bypass security tests and protocols on the affected system...

4.6 CVSS, 7.8 AI score, 0.00904 EPSS
Exploits: 2

Check Point Advisories
added 2018/12/11 12:0 a.m., 2 views

Adobe Acrobat and Reader Security bypass (APSB18-41: CVE-2018-16044)

A security bypass vulnerability exists in Adobe Acrobat and Reader. Successful exploitation of this vulnerability would allow remote attackers to bypass security tests and protocols on the affected system...

9.3 CVSS, 5.6 AI score, 0.05439 EPSS
Exploits: 0

n0where
added 2018/11/21 12:32 a.m., 120 views

Network and Web Pentest Framework: Jok3r

Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests. Its main goal is to save time on everything that can be automated during network/web pentest in order to enjoy more time on more interesting and challengin...

7.4 AI score
Exploits: 0, References: 1

Check Point Advisories
added 2018/11/13 12:0 a.m., 3 views

Microsoft JScript Security Feature Bypass (CVE-2018-8417)

A security bypass vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability would allow remote attackers to bypass security tests and protocols on the affected system...

4.6 CVSS, 7.2 AI score, 0.01258 EPSS
Exploits: 0

Check Point Advisories
added 2018/10/09 12:0 a.m., 2 views

Microsoft Device Guard Code Integrity Policy Security Feature Bypass (CVE-2018-8492)

A security bypass vulnerability exists in Microsoft Device Guard. Successful exploitation of this vulnerability would allow remote attackers to bypass security tests and protocols on the affected system...

4.6 CVSS, 6.7 AI score, 0.01062 EPSS
Exploits: 0

Check Point Advisories
added 2018/08/14 12:0 a.m., 3 views

Adobe Flash Player Security bypass (APSB18-25: CVE-2018-12825)

A security bypass vulnerability exists in Adobe Flash Player. Successful exploitation of this vulnerability would allow remote attackers to bypass security tests and protocols on the affected system...

7.5 CVSS, 5.2 AI score, 0.0128 EPSS
Exploits: 0

Hacker One
added 2017/03/05 6:29 p.m., 17 views

LocalTapiola: XSS on 3rd party service Localtapiola is using

Basic report information Summary: Localtapiola is using careers.fi service to job applicants at http://www.lahitapiola.fi/tietoa-lahitapiolasta/toihin-meille/avoimet-tyopaikat/haemme-juuri-nyt Description: XSS on 3rd party careers.fi job service which may lead loss of personal data for the...

Exploits: 0

n0where
added 2017/03/04 6:45 p.m., 96 views

Android Package Inspector: Inspeckage

Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. Inspeckage will let you interact with some elements of the app, such as...

7.1 AI score
Exploits: 0, References: 1

Vulnerability Lab
added 2016/09/26 12:0 a.m., 62 views

FaceDancer 21 - New Universal Case for PenTests

Document Title: =============== FaceDancer 21 - New Universal Case for PenTests References: =========== https://www.vulnerability-lab.com/getcontent.php?id=1960 STL Files Download: https://www.vulnerability-lab.com/resources/documents/FaceDancer2-STL-Files.rar Vulnerability Magazine:...

7.1 AI score
Exploits: 0

The Hacker News
added 2015/04/13 8:7 p.m., 9 views

Why You Should Enroll In Cyber Security Awareness Training

When it comes to cyber security, even big organizations lack the basic knowledge of how to protect a company’s data from the outside. Every day, businesses are facing the threat of phishing, ransomware, data breaches and malware attacks that not only result in millions of dollars in losses, but also...

6.7 AI score
Exploits: 0

Kitploit
added 2014/07/16 9:8 p.m., 25 views

Netsparker v3.5 - Web Application Security Scanner

Netsparker Web Application Security Scanner can find and report web application vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) and security issues on all web applications and websites regardless of the platform and the technology they are built on. Netsparker is very easy to u...

8.2 AI score
Exploits: 0

Check Point Advisories
added 2014/03/31 12:0 a.m., 2 views

Multiple Antivirus Products RAR Parser MZ Character Sequence Security Bypass - Ver2 (CVE-2012-1443)

A security bypass vulnerability has been reported in multiple antivirus products. An attacker could exploit this vulnerability via a RAR file with an initial MZ character sequence. Successful exploitation of this vulnerability would allow remote attackers to bypass security tests and protocols on...

4.3 CVSS, 6.3 AI score, 0.50208 EPSS
Exploits: 0

Kitploit
added 2014/03/21 7:26 p.m., 24 views

[Nsdtool] Toolset of scripts used to detect netgear switches in local networks

Nsdtool is a toolset of scripts used to detect netgear switches in local networks. The tool contains some extra features like bruteforce and setting a new password. Netgear has its own protocol called NSDP (Netgear Switch Discovery Protocol), which is implemented to support security tests on the...

9.6 AI score
Exploits: 0

securityvulns
added 2013/03/11 12:0 a.m., 276 views

SEC Consult SA-20130308-0 :: Multiple critical vulnerabilities in GroundWork Monitor Enterprise (part 1)

SEC Consult Vulnerability Lab Security Advisory 20130308-0 ======================================================================= title: Multiple critical vulnerabilities part 1 product: GroundWork Monitor Enterprise vulnerable version: 6.7.0 fixed version: none - optional technical bulletin...

0.5 AI score
Exploits: 0