Virtual Machine Automation (vm-automation) repository released
Rapid7 just released a new public repo called vm-automation. The vm-automation repository is a Python library that encapsulates existing methodologies for virtual machine and hypervisor automation and provides a platform-agnostic Python API. Currently, only ESXi and VMware Workstation are...
Zomato: Length extension attack leading to HTML injection
At the profile setting page where I can set my personal website I found this URL: https://www.zomato.com/redirect?u=xxx&t=yyy where xxx is the URL that we can control and yyy is the hash. Throughout blackbox testing I found out that if md5(somesecret + url) == t then the redirect is allowed. This is...
Introducing InsightAppSec: Cloud-powered Application Security Testing
Rapid7 announces today the launch of InsightAppSec, the newest product to be delivered on the Insight platform. InsightAppSec combines the power and accuracy of Rapid7's industry-leading and proven Dynamic Application Security Testing (DAST) engine with the quick deployment, scalability, and...
Just a Few Seats Left at the Coalfire Adaptive Pen Testing Training at Black Hat!
Black Hat is just around the corner, and Coalfire is gearing up for the best Adaptive Penetration Testing Training yet! We've adapted the Adaptive Penetration Test Training course with new instructors, enriched content, and new labs to provide the richest training to date. The revised training now...
Oracle E-Business Suite Flaw Allows Downloads of Documents
Oracle admins have more than 300 patches to contend with today, but one that should be considered a top priority is a bug in the E-Business Suite of business applications that could allow an attacker to download data without the need for authentication. The vulnerability, CVE-2017-10244, was...
SET v7.7 - The Social-Engineer Toolkit “Blackout”
The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two...
CVE-2017-10603
The CVE describes an XML injection vulnerability in Junos OS CLI that can be exploited by a locally authenticated user to elevate privileges and execute commands as root. The issue stems from improper handling/validation of XML content received by the CLI, enabling arbitrary command execution wit...
[SECURITY] Fedora 24 Update: dnsperf-2.1.0.0-3.fc24
This is dnsperf, a collection of DNS server performance testing tools. For more information, see the dnsperf(1) and resperf(1) man pages...
Lynis 2.5.2 - Security Auditing Tool for Unix/Linux Systems
We are excited to announce this major release of auditing tool Lynis. Several big changes have been made to core functions of Lynis. These changes are the next of simplification improvements we made. There is a risk of breaking your existing configuration. Lynis is an open source security auditin...
RaidenHTTPD 2.0.44 User-Agent Cross Site Scripting
Exploit Title: RaidenHTTPD 2.0.44 - User-Agent - HTML Injection & Cross-site scripting Exploit Author: sultan albalawi :@bofheaded :https://hackinguyz.blogspot.com/ exploit User-Agent HTTP header : For remote testing use http-live -There is no need to use the script alertdocument.cookiewxo3i...
A week in security (July 03 – July 09)
Last week, we released our second quarter Cybercrime Tactics & Techniques report, where we revealed that ransomware outbreaks were dominant during this quarter. You can read the full report on the post below: Report: Second quarter dominated by ransomware outbreaks Our researchers continue to sha...
Static Versus Dynamic Data Masking
Most participants in the trench warfare of IT security agree that the best way to protect data is to apply a layered approach to security. Data masking is a security and privacy enhancing technology recommended by industry analysts as a must-have data protection layer. While terminology varies...
Concrete CMS: Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload
Intro "Back to the Crayons" Type of issue: Core CMS issue Level of severity: External Attack Vector Concrete5 version: 8.2.0 RC2 rev. 32c9daf352645d4fafedb7b956e7f2de4e153ab3 July 8th Summary There is Stored XSS vulnerability in Private Messages 'Reply' feature, when original message is quoted in...
[SECURITY] Fedora 25 Update: jetty-test-helper-3.1-3.fc25
Unit Testing Support for Jetty common classes for some unit tests...
Linux/x86 - Reverse TCP Shellcode (67 bytes)
Tiny Shell Reverse TCP Shellcode - C Language Linux/x86 Written in 2013 by Geyslan G. Bem, Hacking bits http://hackingbits.com This source is licensed under the Creative Commons Attribution-ShareAlike 3.0 Brazil License. To view a copy of this license, visit...
Using the CTS for vulnerability detection and principles of analysis-vulnerability warning-the black bar safety net
1. The CTS run process 1.1 Download and compile the Android CTS source code. With git clone https://android.googlesource.com/platform/cts -b xxxxxxx you can download the CTS and compile it, or you can download the complete Android source code, compile it, and then compile the CTS; the comman...
Using the CTS for vulnerability detection and principles of analysis-vulnerability warning-the black bar safety net
The 360 Vulpecker team belongs to the 360 Information Security Department and is committed to Android application and system-layer vulnerability discovery as well as other Android security research. We passed on the CTS frame of the research, the preparation of a vulnerability detection aspect of the...
sylkie - IPv6 address spoofing with the Neighbor Discovery Protocol
A command line tool and library for testing networks for common address spoofing security vulnerabilities in IPv6 networks using the Neighbor Discovery Protocol. Getting Started Note: This project is still in the early phases of development. If you run into any problems, please consider submittin...
testing.dpsk12.org XSS vulnerability
Vulnerable URL: http://testing.dpsk12.org/fusioncharts/spf/default.asp?chart=1"...
Getting the Most Value Out of Your Phishing Program
Are your phishing tests worth the money you are spending on them? Please don't misinterpret that as suggesting you shouldn't be testing your users. To the contrary, I think you should be testing all your users (executives of all ranks included) on a regular basis. What I mean by that question is; are...