osirium

This is kinda funny tbh. Currently, eBay is running a very expensive BB program with one of the top BB platforms. The scope is very broad and basically, they are trying to cover all their exposed "stuff". Probably someone was able to toast them through one of their third-party acquisitions because eBay as a mother base platform is quite well scrutinised. I will check my account too just to see if anyone was able to add me more positive feedback :)

Thanks. However, the "Web hacking 101" book would be almost everything what you need to start into the BB world.

Using open-uri? Check your code - you're playing with fire! " Ruby’s OpenURI is an easy-to-use wrapper for net/http, net/https and net/ftp. As far as I know it’s the most popular way to read URL content, make a GET request or download a file. require "open-uri" internally patches Kernel.open leaving you one step away from remote code execution and reading local files! Here are some examples: open(params[:url]) is remote code execution for url=|ls Didn’t you know if it starts with a pipe Ruby executes it?! Ouch. " Source: https://sakurity.com/blog/2015/02/28/openuri.html

CVE-2017-14955: Win a Race Against Check_mk to Dump All Your Login Data " The authors of check_mk have fixed a quite interesting vulnerability, which I have recently reported to them, called CVE-2017-14955 (sorry no fancy name here) affecting the old stable version 1.2.8p25 and below of both check_mk and check_mk Enterprise. It’s basically about a Race Condition vulnerability affecting the login functionality, which in the end leads to the disclosure of authentication credentials to an unauthenticated user. " Source: https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/

Hi, Just curious if you were able to successfully use this tool. Gave it a couple of tries but from some whatever reasons didn't work as expected. Thanks.

Aside with this bug, with WP core 4.8.1 was an undisclosed XSS vector into the oembed default module but searching for details I got only silence on the tube.

" Extensible Stylesheet Language Transformations (XSLT) vulnerabilities can have serious consequences for the affected applications, often resulting in remote code execution. " Source: https://www.contextis.com/blog/xslt-server-side-injection-attacks

PENETRATION TESTING FLASH APPS (AKA “HOW TO CHEAT AT BLACKJACK”) " In this post, we will walk through detailed steps to intercept, review, modify, and replay flash-based web apps. For demonstration purposes, I’ve selected a blackjack-style card game. We will work to control what cards are dealt, as well as how a score is calculated. " Source: https://privsec.blog/penetration-testing-flash-apps-aka-how-to-cheat-at-blackjack/

How can I use CSS-in-JS securely? " CSS-in-JS is an exciting new technology that completely eliminates the need for CSS class names. It makes it possible to add styles directly to your components, using the full power of CSS. Unfortunately, it also promotes interpolation of unescaped props into that CSS, opening you up to injection attacks. And CSS injection attacks are a major security hazard. " Source: https://reactarmory.com/answers/how-can-i-use-css-in-js-securely

Advanced Flash Vulnerabilities in Youtube " ...Flash has been replaced by new javascript/html5 features. These features introduce complexity and new kind of vulnerabilities like bad CORS implementation, DOM XSSes triggered by postMessage or XHR requests, active mixed content… Learning from Flash mistakes can help design and implement more secure javascript applications. The new Youtube html5 Api is mostly a porting of the Youtube Flash Api to javascript, making it interesting to study. In fact, I was able to find XSSes in the Youtube html5 Api using my knowledge of the Flash Api. " Source: https://opnsec.com/2017/08/advanced-flash-vulnerabilities-in-youtube/

DeLux Edition: Getting root privileges on the eLux Thin Client OS Designed as a secure, streamlined environment for users to access applications such as a browser, Citrix and terminal services, the vendor describes eLux as: “… a hardware-independent operating system for cloud computing environments. It is based on a write protected file system and therefore secure against computer viruses and other malware without using special Antivirus Software. eLux® has been continuously developed and enhanced for more than 15 years." Source: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/delux-edition-getting-root-privileges-on-the-elux-thin-client-os/

Leveraging Duo Security’s Default Configuration to Bypass Two-Factor Authentication " Few things are more frustrating as an attacker than running up against widely implemented two-factor authentication (2FA). Even with valid credentials, without a valid two-factor authentication code or push acknowledgement, logging in to a protected service and abusing its capabilities or harvesting information isn’t possible. But what if instead of attacking the application, we first attacked how the two-factor authentication was implemented? In this blog post, we’ll discuss how one particular 2FA solution – by Duo Security – can have its default configuration leveraged to allow a log in without 2FA and how to mitigate against this tactic. " Source: https://appsecconsulting.com/blog/leveraging-duo-securitys-default-configuration-to-bypass-two-factor-authent

CVE-2017-6327: Symantec Messaging Gateway <= 10.6.3-2 unauthenticated root RCE " This is an advisory for CVE-2017-6327 which is an unauthenticated remote code execution flaw in the web interface of Symantec Messaging Gateway prior to and including version 10.6.3-2, which can be used to execute commands as root. Symantec Messaging Gateway, formerly known as Brightmail, is a linux-based anti-spam/security product for e-mail servers. It is deployed as a physical device or with ESX in close proximity to the servers it is designed to protect. " PS. The advisory says something regards a fully automated python file which can be used to p0wn vulnerable targets but probably won't be released for well-understood reasons. Source: http://seclists.org/fulldisclosure/2017/Aug/28

Summary: " SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to quickly create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events. " Source: https://github.com/cliffe/SecGen

G-Scout: OSS tool to assess the security of Google Cloud Platform (GCP) environment configurations " G-Scout is a tool to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results. The audited data relates to: IAM roles Compute engine instances Storage buckets Firewall rules SQL and noSQL databases Service account keys G-Scout also allows users to create and customize rulesets simply by creating Python functions. " Source: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/august/introducing-g-scout/