OSS-Fuzz - Continuous Fuzzing Of Open Source Software

Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of...

CVE-2017-18876

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file...

CVE-2017-18876

CVE-2017-18876 affects Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 where local file storage enables a path traversal-like check to determine existence of arbitrary files. Impact is information disclosure via local storage under file storage usage; exploitation requires access via the affecte...

K8tools

It is an offensive tool for web application exploitation. The repository, K8tools, contains a collection of tools for various purposes, including internal penetration, privilege escalation, remote overflow, vulnerability exploitation, scanning, password cracking, and anti-kill tools. The primary...

My Adventures Hacking the iParcelBox

ARCHIVED STORY My Adventures Hacking the iParcelBox By Sam Quinn · June 18, 2020 In 2019, McAfee Advanced Threat Research ATR disclosed a vulnerability in a product called BoxLock. Sometime after this, the CEO of iParcelBox, a U.K. company, reached out to us and offered to send a few of their...

vulhub

This repository is an open-source collection of pre-built vulnerable docker environments. It is an offensive tool for vulnerability research and testing. The target product/service or framework is not explicitly stated, but it appears to be a collection of vulnerable environments for various...

Fsociety - A Modular Penetration Testing Framework

Install pip install fsociety Update pip install --upgrade fsociety Usage usage: fsociety -h -i -s A Penetration Testing Framework optional arguments: -h, --help show this help message and exit -i, --info gets fsociety info -s, --suggest suggest a tool Develop git clone...

vulhub

It is an open-source collection of pre-built vulnerable docker environments. The primary vulnerability class/vector is not explicitly stated, but the project includes various vulnerable environments, such as Flask SSTI, Apache Parsing Vulnerability, and Jenkins RCE. The probable entry points are...

'Lamphone' Hack Uses Lightbulb Vibrations to Eavesdrop on Homes

Researchers have discovered a novel way to spy on conversations that are happening in houses from almost a hundred feet away. The hack stems simply from a lightbulb hanging in the home. The hack, dubbed “lamphone,” is performed by analyzing the tiny vibrations of a hanging lightbulb, which are...

vulhub

This repository is an open-source collection of pre-built vulnerable docker environments, known as Vulhub. It is an offensive tool for testing and training purposes, specifically designed for vulnerability research and penetration testing. The target product/service or framework is various, as it...

SecGen

This is a Ruby application called SecGen, which generates vulnerable virtual machines for security penetration testing. The application uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines based on a scenario specification. The scenario can specify constraints and...

GHSA-3GW4-M5W7-V89C Uncontrolled Resource Consumption in Indy Node

Summary Indy Node has a bug in TAA handling code. The current primary can be crashed with a malformed transaction from a client, which leads to a view change. Repeated rapid view changes have the potential of bringing down the network. Discovery On May 18, Evernym's monitoring of Sovrin StagingNe...

vulhub

It is an offensive tool for web application security training. The repository contains a collection of pre-built vulnerable environments based on Docker-Compose, allowing users to easily set up and test various web application vulnerabilities. The tool is designed for security training and...

metasploit-framework

This is the Metasploit Framework repository, a widely used penetration testing tool. The framework is written in Ruby and provides a comprehensive set of modules for exploiting vulnerabilities, conducting social engineering attacks, and gathering information about targets. The repository contains...

Fedora: Security Advisory for dnsperf (FEDORA-2020-f9dcd4e9d5)

The remote host is missing an update for the Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

PRET

The repository michaelxiaxc/PRET is a Printer Exploitation Toolkit that allows users to test the security of their printers. The tool connects to a device via network or USB and exploits the features of a given printer language, currently supporting PostScript, PJL, and PCL. The main idea of PRET...

Using DAST to Expand DevOps Security Coverage

The state of application security is constantly evolving with changing web architectures and approaches. These changes are making security teams employ a wider range of techniques and toolsets to find vulnerabilities within their applications. Web and mobile applications each present their own...

[SECURITY] Fedora 31 Update: dnsperf-2.3.4-1.fc31

This is dnsperf, a collection of DNS server performance testing tools. For more information, see the dnsperf1 and resperf1 man pages...

New Skill Testing Platform For 6 Most In-Demand Cybersecurity Jobs

Building a security team is a necessity for organizations of all industries and sizes. It makes selecting the right person for the job a critical task in which testing candidates' domain knowledge is a core component of the hiring process. A common practice is for each organization to put togethe...

h1-ctf: [H1-2006 2020] The Story of Making Bounty Hunters Happy

Disclaimer: I will try to make this post a fun read, given that whoever triagges will be probably going through similar write-ups again and again. The beginning: Being away from HackerOne over a month had made me rusty. Although the call to arms for Mr. Mickos and the community could not be left...