HAProxy CVE-2023-25725 sounds like it might be a Connection header exploit... just like #7 from the top 10 hacking techniques of 2022:
https://t.co/iVew83Zu9h
https://t.co/QNqQ3OT6Ez
Ep 130: Jason's Pen Test
@jhaddix has done hundreds of penetration tests in his career. He comes on the show today to tell us a few stories of things he's done.
https://t.co/ux3migBQkC
Employers that make penetration testers sign non-competes (e.g. no being a pentester for x years after you quit) or "no moonlighting" agreements (effectively blocking you from bug bounties) aren't worth working for, and they should really stop being so absurd.
I like it when I reported to the lead engineer about a SQLi in their system and he said, "it is intended functionality from the backend", lol. Sounds like one of my old university days when we used the "it's not a bug, it's a feature" answer. This job makes you laugh sometimes 🤣
CVE-2022-1388 is a critical vulnerability that needs immediate attention. Learn what we've observed in the wild and strategies for mitigation. https://t.co/w0s044AOJJ
"Abusing HTTP hop-by-hop request headers" by @nj_dav was nominated as a top web hacking technique back in 2019, and has just blossomed into an F5 BIG-IP unauth RCE!
https://t.co/8WYT6JNOhh
https://t.co/tdQzM1OG5L
https://t.co/ZPVrMVxDkr
(a LONG thread) 🧵
Inspired by @infosec_au & @hacker_ here's one of my fun hacker stories:
= The complete compromise of a password manager company =
Here's how I did it (so you can learn):
I was given the project to pentest a password manager company: *.redacted.com
(1/16)
Mandiant researchers have identified two new #malware — GRAMDOOR and STARWHALE — used by Iranian cyberespionage hackers; one of them uses the #Telegram API to remotely control its victims' devices.
Read details: https://t.co/GyDF2zAtZv
#infosec #hacking #cybersecurity
The OWASP Application Security Verification Standard (ASVS) 4.0.3 has been released. If you are following the older version, time to update your secure coding checklist, friends. I am honored to be working with this group and listed this time as a major contributor.
Ok so if you admin Office 365 and you click this "Wipe device" button. What happens? Do just emails get wiped, or does the whole phone get wiped? Photos, texts, apps, etc?
Apple has issued urgent #software patches for all of its devices to address a newly discovered and actively exploited zero-day #vulnerability tied to the NSO Group's #Pegasus Spyware.
https://t.co/HoZrA2pJnC
Users should update their #iPhone, iPad, Mac, and Apple Watch ASAP!
Update your #Google Chrome browser right away to protect against two new zero-day vulnerabilities currently being exploited in the wild by malicious actors.
Read: https://t.co/5MROsURJ9F
#infosec #cybersecurity #hacking
Vultur — a new #Android remote access trojan — uses the smartphone's screen recording feature to spy on its victims and steal their banking credentials.
Details: https://t.co/fDXmqodvK4
#hacking #cybersecurity #mobilesecurity #infosec