Behind the Great Firewall: Chinese cyber-espionage adapts to post-Covid world with stealthier attacks

"China’s long-established cyber-threat groups have been building up a huge arsenal of resources, comprising both publicly available and customized tools, and diversifying their repertoire amid the coronavirus pandemic. Threat intelligence experts quizzed by The Daily Swig said that Chinese state-sponsored attackers are at the forefront of developing new or novel hacking techniques." Full article: https://portswigger.net/daily-swig/behind-the-great-firewall-chinese-cyber-espionage-adapts-to-post-covid-world-with-stealthier-attacks

Serious Netmask vulnerability found to affect three Perl IP modules

"A trio of Perl modules are potentially vulnerable to a serious upstream security flaw in Net::Netmask, a Perl distribution used to parse, manipulate, and look up IP network blocks. The affected CPAN modules include Net-CIDR-Lite, used to merge IPv4 or IPv6 CIDR addresses; Net-IPAddress-Util, a version-agnostic IP address representation; and Data-Validate-IP, an IPv4 and IPv6 validator..." Full article: https://portswigger.net/daily-swig/serious-netmask-vulnerability-found-to-affect-three-perl-ip-modules

H2C smuggling proves effective against Azure, Cloudflare Access, and more

"Security researchers have harnessed the novel ‘H2C smuggling’ technique to achieve authentication, routing, and WAF bypasses on a number of leading cloud platforms. The attack’s first in-the-wild scalps included routing and WAF bypasses in Microsoft Azure, and an authentication bypass in Cloudflare Access, although Google Cloud Platform emerged unscathed. The technique’s architects, from security firm..."

Isn’t it ironic: Exploiting GDPR laws to gain access to personal data

"A security researcher has detailed how they were able to exploit GDPR laws to leak sensitive personal information from the systems put in place to protect it. Full-time bug bounty hunter Hx01 detailed how they were able to gain access to personally identifiable information (PII) stored by various organizations including Fortune 500 companies. The General Data Protection Regulation (GDPR) was introduced..."

Facebook awards $55k bug bounty for third-party vulnerabilities that could compromise its internal network

"A security researcher has been awarded a $55,000 bug bounty after they chained a pair of vulnerabilities in an unnamed third-party application to achieve server-side request forgery (SSRF) and compromise Facebook’s internal network." Full article: https://portswigger.net/daily-swig/facebook-awards-55k-bug-bounty-for-third-party-vulnerabilities-that-could-compromise-its-internal-network

Space jam: Researchers and satellite start-ups meet to discuss celestial cybersecurity

"Satellite operators can no longer ignore cyber risks when designing new satellites or support systems, delegates to the first European event dedicated to satellite cybersecurity heard last week. The Cysat ’21 conference brought together ethical hackers and security researchers with space start-ups and decision-makers from the space industry." Full article: https://portswigger.net/daily-swig/space-jam-researchers-and-satellite-start-ups-meet-to-discuss-celestial-cybersecurity-nbsp

Unclassified and Secure: A Defense Industrial Base Cyber Protection Program for Unclassified Defense Networks

From the Report: "The defense industrial base (DIB) is under attack. Foreign actors are stealing large amounts of sensitive data, trade secrets, and intellectual property every day from DIB firms — contributing to the erosion of the DIB and potentially harming U.S. military capabilities and future U.S. military operations. The U.S. Department of Defense (DoD)..."

Pwning the pen tester: Malicious Wireshark packet capture file risk revealed

"Maliciously constructed Wireshark packet capture files might be used to distribute malware, providing recipients can be tricked into double clicking file URL fields. Variants of the same attack could potentially be thrown against users of the popular network security tool, widely used by security analysts and penetration testers, whether they use Windows or Xubuntu Linux-based systems." Full article: ...

Blog at WordPress.com.