Lucene search
7417 matches found

The Hacker News
added 2019/02/18 7:29 p.m. · 130 views

Kali Linux 2019.1 Released — Operating System For Hackers

Woohoo! Great news for hackers and penetration testers. Offensive Security has just released Kali Linux 2019.1, the first 2019 version of its Swiss army knife for cybersecurity professionals. The latest version of the Kali Linux operating system includes a kernel up to version 4.19.13 and patches for...

Exploits: 0
Kitploit
added 2019/02/15 12:39 p.m. · 778 views

SSRFmap - Automatic SSRF Fuzzer And Exploitation Tool

SSRFs are often used to leverage actions on other services; this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz. Server Side Request Forgery, or SSRF, is a vulnerability in which an attacker forces a server to perform...

AI score: 7.7
Exploits: 0 · References: 3
Kitploit
added 2019/02/13 12:53 p.m. · 220 views

CDF - Crypto Differential Fuzzing

CDF is a tool to automatically test the correctness and security of cryptographic software. CDF can detect implementation errors, compliance failures, side-channel leaks, and so on. CDF implements a combination of unit tests with "differential fuzzing", an approach that compares the behavior of...

AI score: 7
Exploits: 0 · References: 10
BDU FSTEC
added 2019/02/12 12:00 a.m. · 2 views

The vulnerability of the Oracle Application Testing Suite’s Load Testing for Web Apps component within the Oracle Enterprise Manager software platform allows a perpetrator to gain unauthorized access to protected information or cause service failures.

The vulnerability of the Oracle Application Testing Suite’s Load Testing for Web Apps component is related to insufficient access control. Exploiting this vulnerability could allow a malicious actor to gain unauthorized access to protected information or cause service failures using the HTTP...

CVSS: 6.5 · AI score: 6.8 · EPSS: 0.01034
Exploits: 1 · References: 3 · Affected Software: 1
Fedora
added 2019/02/11 1:28 a.m. · 22 views

[SECURITY] Fedora 28 Update: buildbot-1.8.1-1.fc28

The BuildBot is a system to automate the compile/test cycle required by most software projects to validate code changes. By automatically rebuilding and testing the tree each time something has changed, build problems are pinpointed quickly, before other developers are inconvenienced by the failu...

CVSS: 6.1 · AI score: 3.3 · EPSS: 0.0087
Exploits: 1
ossfuzz
added 2019/02/09 9:49 a.m. · 16 views

skia/api_mock_gpu_canvas: Heap-buffer-overflow in compute_pos_tan

Project: https://skia.googlesource.com/skia.git Detailed report: https://oss-fuzz.com/testcase?key=5667344397893632 Project: skia Fuzzer: libFuzzerskiaapimockgpucanvas Fuzz target binary: apimockgpucanvas Job Type: libfuzzerasanskia Platform Id: linux Crash Type: Heap-buffer-overflow READ 4 Crash...

AI score: 6.8
Exploits: 0 · Affected Software: 1
IBM Security Bulletins
added 2019/02/08 5:15 a.m. · 21 views

Security Bulletin: Missing Secure HTTP Headers

Summary: During internal penetration testing we identified that the IBM i2 Enterprise Insight Analysis application could be made more secure with the addition of some HTTP headers. Vulnerability Details: CVEID: CVE-2018-1525 DESCRIPTION: IBM i2 Intelligent Analysis Platform could allow a remote...

CVSS: 6.1 · AI score: 0.8 · EPSS: 0.01148
Exploits: 0 · Affected Software: 1
Akamai Blog
added 2019/02/07 7:19 p.m. · 110 views

Qualifying Encoders with Akamai

Introduction: The encoder qualification program was created to improve the process for vendors that wish to align themselves with Akamai network-specific requirements. It is also intended to mitigate the risk of encoder issues before use in production. A formal process is being introduced to...

AI score: 0.4
Exploits: 0
Pen Test Partners Blog
added 2019/02/07 9:38 a.m. · 83 views

Burp HMAC header extensions, a how-to

I was recently on a test where the client’s API used a custom authentication scheme to add a SHA256 HMAC dynamically on each request, based on the URL, time, and message body. My normal go-to for API testing is Postman, especially when your client is lovely enough to give you definitions you can...

AI score: 7
Exploits: 0
Qualys Blog
added 2019/02/06 7:00 p.m. · 109 views

Assess Vulnerabilities, Misconfigurations in AWS Golden AMI Pipelines

Today we’re starting a blog series focused on how to integrate Qualys solutions into DevSecOps for securing cloud infrastructures. In this initial post, we’ll discuss the importance of assessing vulnerabilities and misconfigurations on AWS pipelines. When developing golden Amazon Machine Images...

AI score: 1
Exploits: 0
ripstech
added 2019/02/05 7:00 a.m. · 55 views

Security Testing Plugin for Maven & Gradle

Maven and Gradle: Maven and Gradle are build automation and dependency management systems used primarily for Java projects. Their goals are to provide a uniform build system and to simplify the build process altogether. They are used for dependency management, testing, and building of simple to...

AI score: 7
Exploits: 0
Fedora
added 2019/02/05 2:18 a.m. · 40 views

[SECURITY] Fedora 29 Update: python36-3.6.8-3.fc29

Python 3.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.6, see other distributions that support it, such as CentOS or RHEL with Software...

CVSS: 7.5 · AI score: 4 · EPSS: 0.20743
Exploits: 1
The Hacker News
added 2019/02/01 2:40 p.m. · 4 views

Hacker who reported flaw in Hungarian Telekom faces up to 8 years in prison

Many of you might have this question in your mind: "Is it illegal to test a website for vulnerabilities without permission from the owner?" Or… "Is it illegal to disclose a vulnerability publicly?" Well, the answer is YES, it's illegal most of the time, and doing so could backfire even when you hav...

AI score: 6.2
Exploits: 0
Fedora
added 2019/01/31 3:21 a.m. · 35 views

[SECURITY] Fedora 29 Update: docker-latest-1.13.1-40.git1185cfd.fc29

Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container...

CVSS: 4.9 · AI score: 2 · EPSS: 0.02231
Exploits: 0
Fedora
added 2019/01/31 2:12 a.m. · 40 views

[SECURITY] Fedora 28 Update: docker-1.13.1-63.git1185cfd.fc28

Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container...

CVSS: 6.3 · AI score: 2 · EPSS: 0.02231
Exploits: 0
BDU FSTEC
added 2019/01/30 12:00 a.m. · 5 views

The vulnerability of the Oracle Application Testing Suite’s Load Testing for Web Apps component within the Oracle Enterprise Manager software platform allows a malicious actor to gain unauthorized access to protected data or cause service failures.

The vulnerability of the Oracle Application Testing Suite’s Load Testing for Web Apps component is related to access control deficiencies. Exploiting this vulnerability could allow a malicious actor to gain unauthorized access to protected data or cause service failures using the HTTP protocol...

CVSS: 6.5 · AI score: 6.8 · EPSS: 0.01454
Exploits: 1 · References: 2 · Affected Software: 1
OpenVAS
added 2019/01/29 12:00 a.m. · 9 views

Oracle Application Testing Suite Detection (Windows SMB Login)

SMB login-based detection of Oracle Application Testing Suite. SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

AI score: 6.9
Exploits: 0 · References: 1
Wired Threat Level
added 2019/01/28 9:40 p.m. · 63 views

Security Isn't Enough. Silicon Valley Needs 'Abusability' Testing

Former FTC chief technologist Ashkan Soltani argues it's time for Silicon Valley companies to formalize and test not just their products' security, but their "abusability."...

AI score: 1.6
Exploits: 0
Kitploit
added 2019/01/28 8:43 p.m. · 135 views

ADAPT - Tool That Performs Automated Penetration Testing For WebApps

ADAPT is a tool that performs Automated Dynamic Application Penetration Testing for web applications. It is designed to increase accuracy, speed, and confidence in penetration testing efforts. ADAPT automatically tests for multiple industry standard OWASP Top 10 vulnerabilities, and outputs...

AI score: 7.1
Exploits: 0 · References: 3
Kitploit
added 2019/01/27 12:48 p.m. · 166 views

FTW - Framework For Testing WAFs

This project was created by researchers from ModSecurity and Fastly to help provide rigorous tests for WAF rules. It uses the OWASP Core Ruleset V3 as a baseline to test rules on a WAF. Each rule from the ruleset is loaded into a YAML file that issues HTTP requests that will trigger these rules...

AI score: 7.6
Exploits: 0 · References: 3