Mail.ru: Открытая панель

Non-production dashboad with random testing data was available on tarantool.org subdomain...

LightBulb Framework - Tools For Auditing WAFS

LightBulb is an open source python framework for auditing web application firewalls and filters. Synopsis The framework consists of two main algorithms: GOFA : An active learning algorithm that infers symbolic representations of automata in the standard membership/equivalence query model. Active...

RHEL 6 : rubygem-openshift-origin-node (RHSA-2014:0764)

An updated rubygem-openshift-origin-node package that fixes one security issue and several bugs is now available for Red Hat OpenShift Enterprise 2.1.1. The Red Hat Security Response Team has rated this update as having Critical security impact. A Common Vulnerability Scoring System CVSS base...

Why I’m Ecstatic About the MITRE ATT&CK Results

Yesterday, MITRE published the results of its first public evaluation of endpoint detection & response EDR vendors based on its increasingly-popular ATT&CK framework. The ATT&CK evaluations are a new approach to EDR testing - open, sophisticated, rigorous, and reflective of the real world. We...

Parrot Security 4.4 - Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

Parrot 4.4 is now available for download. This release provides security and stability updates and is the starting point for the plan to develop an LTS edition of Parrot. Parrot 4.4 Development Goals The Parrot 4.4 development process involved the ideas of many people in the community, and the go...

FAST or Burp or both?

By @aLLy , Wallarm Research Hello guys, time to talk details about Wallarm FAST Framework for Application Security Testing. It’s a new automatic web vulnerability scanning and fuzzing detection tool by Wallarm Inc. It is well suited for security researchers in enterprise Red Teams as well as for...

CVE-2018-16857

Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords to restrict brute forcing of passwords in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been...

Why Malwarebytes decided to participate in AV testing

Starting this month, Malwarebytes began participating in the antivirus software for Windows comparison test performed by AV-test.org. This is uncharted territory for us, as we have refrained from participating in these types of tests since our inception. Although recent testing results show...

TIDoS-Framework v1.7 - The Offensive Manual Web Application Penetration Testing Framework

TIDoS Framework is a comprehensive web-app audit framework. let's keep this simple Highlights :- The main highlights of this framework is: TIDoS Framework now boasts of a century+ of modules. A complete versatile framework to cover up everything from Reconnaissance to Vulnerability Analysis. Has ...

Get the message: Your shopper data is trying to tell you something

This article originally appeared in Internet Retailer As we head into the thick of the holiday shopping season, web teams must make sure the path from discovery to purchase is as easy and painless as possible. Knowing where potential fail points are ahead of time makes it easier to prepare, while...

SUSE SLED12 / SLES12 Security Update : libgcrypt (SUSE-SU-2018:2452-2)

This update for libgcrypt fixes the following issues : The following security vulnerability was addressed : CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures bsc1097410. The following other issues were fixed: Extended the fipsdrv dsa-sign and dsa-verify...

Mail.ru: benchmark metrics available at 5.61.239.154

Benchmark data for 3rd party product was available from outside. Benchmarking was performed using generated data in isolated testing evironment, so no actual data or production information was leaked...

testing-expo.com XSS vulnerability

Open Bug Bounty ID: OBB-702478 Description| Value ---|--- Affected Website:| testing-expo.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| hidden until disclosure Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| hidden...

More on Threat Hunting

Earlier this week hellor00t asked via Twitter: Where would you place your security researchers/hunt team? I replied: For me, "hunt" is just a form of detection. I don't see the need to build a "hunt" team. IR teams detect intruders using two major modes: matching and hunting. Junior people spend...

SUSE-SU-2018:2452-2 Security update for libgcrypt

This update for libgcrypt fixes the following issues: The following security vulnerability was addressed: - CVE-2018-0495: Mitigate a novel side-channel attack by enabling blinding for ECDSA signatures bsc1097410. The following other issues were fixed: - Extended the fipsdrv dsa-sign and dsa-veri...

ZIP File Raider - Burp Extension For ZIP File Payload Testing

ZIP File Raider is a Burp Suite extension for attacking web application with ZIP file upload functionality. You can easily inject Burp Scanner/Repeater payloads in ZIP content of the HTTP requests which is not feasible by default. This extension helps to automate the extraction and compression...

How Just Opening A Site In Safari Could Have Hacked Your Apple macOS

Earlier this week Dropbox team unveiled details of three critical vulnerabilities in Apple macOS operating system, which altogether could allow a remote attacker to execute malicious code on a targeted Mac computer just by convincing a victim into visiting a malicious web page. The reported...

com.amazon.emr:hive2-shims (>=5.0.0 <=5.6.0), com.boozallen.aissemble:extensions-data-delivery-spark (>=1.13.0-rc6 <=2.0.0) +59 more potentially affected by CVE-2018-1315 via org.apache.hive:hive-exec (>=2.1.0 <=2.3.2)

org.apache.hive:hive-exec MAVEN version =2.1.0, =5.0.0, =1.13.0-rc6, =1.13.0-rc6, =1.13.0-rc6, =1.13.0-rc6, =1.13.0-rc6, =4.1.2-RELEASE, =4.0.0-preview22.0.1, =5.6.0, =4.1.0, =4.0.00.31.1-prerelease6, =4.0.0, =4.1.0, =4.2.0 and more Source cves: CVE-2018-1315 Source advisory: OSV:GHSA-P639-XXV5-J...

WebOfisi E-Ticaret V4 - urun SQL Injection

WebOfisi E-Ticaret V4 - urun SQL Injection Exploit Title: WebOfisi E-Ticaret V4 - 'urun' SQL Injection Date: 2018-11-21 Exploit Author: Özkan Mustafa Akkuş AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://www.web-ofisi.com Software Demo: http://demobul.net/eticaretv4/ Software Link:...

WebOfisi E-Ticaret 4 SQL Injection

Exploit Title: WebOfisi E-Ticaret V4 - 'urun' SQL Injection Date: 2018-11-21 Exploit Author: Azkan Mustafa AkkuA AkkuS Contact: https://pentest.com.tr Vendor Homepage: https://www.web-ofisi.com Software Demo: http://demobul.net/eticaretv4/ Software Link:...