"A trio of Perl modules are potentially vulnerable to a serious upstream security flaw in Net::Netmask, a Perl distribution used to parse, manipulate, and lookup IP network blocks. The affected CPAN modules include Net-CIDR-Lite, used to merge IPv4 or IPv6 CIDR addresses; Net-IPAddress-Util, a version-agnostic IP address representation; and Data-Validate-IP, an IPv4 and IPv6 validator..." Full article: https://portswigger.net/daily-swig/serious-netmask-vulnerability-found-to-affect-three-perl-ip-modules

"The coronavirus-induced lockdowns experienced by much of the world over winter has done little to scupper researchers’ desire to tinker and create. In fact, the past three months saw the release of a variety of new hacking tools to make the lives of penetration testers, bug bounty hunters, and infosec hobbyists that little bit easier." Full article: https://portswigger.net/daily-swig/latest-web-hacking-tools-q1-2021

"Security researchers have harnessed the novel ‘H2C smuggling’ technique to achieve authentication, routing, and WAF bypasses on a number of leading cloud platforms. The attack’s first in-the-wild scalps included routing and WAF bypasses in Microsoft Azure, and an authentication bypass in Cloudflare Access, although Google Cloud Platform emerged unscathed. The technique’s architects, from security firm... Continue Reading →

"A security researcher has detailed how they were able to exploit GDPR laws to leak sensitive personal information from the systems put in place to protect it. Full-time bug bounty hunter Hx01 detailed how they were able to gain access to personally identifiable information (PII) stored by various organizations including Fortune 500 companies. The General Data Protection Regulation (GDPR) was introduced... Continue Reading →

"A security researcher has been awarded a $55,000 bug bounty after they chained a pair of vulnerabilities in an unnamed third-party application to achieve server-side request forgery (SSRF) and compromise Facebook’s internal network." Full article: https://portswigger.net/daily-swig/facebook-awards-55k-bug-bounty-for-third-party-vulnerabilities-that-could-compromise-its-internal-network

"Maliciously constructed Wireshark packet capture files might be used to distribute malware, providing recipients can be tricked into double clicking file URL fields. Variants of the same attack could potentially be thrown against users of the popular network security tool, widely used by security analysts and penetration testers, whether they use Windows or Xubuntu Linux-based systems." Full article:... Continue Reading →

"Critical vulnerabilities in LocalStack, a popular framework for building cloud applications, can be chained to remotely take over locally-run LocalStack instances, security researchers claim. Researchers from Sonarsource have documented how they combined cross-site scripting (XSS) and server-side request forgery (SSRF) vulnerabilities to achieve OS command injection against the open source Python application." The rest of the article: https://portswigger.net/daily-swig/localstack-zero-day-vulnerabilities-chained-to-achieve-remote-takeover-of-local-instances

 "A newly launched regex-scanning tool has been used by its architects to unearth multiple regular expression denial-of-service (ReDoS) vulnerabilities in popular NPM, Python, and Ruby dependencies. Released yesterday (March 11), Regexploit extracts regular expressions and scans them for widespread security weaknesses that, if exploited, can “bring a server to its knees”, said Doyensec researcher Ben Caller in... Continue Reading →