NodeBB prototype pollution flaw could lead to account takeover
‘Not a prototype pollution vulnerability as you might normally understand it’ NodeBB, a Node.js platform for creating forum applications, has patched a prototype pollution vulnerability…
John Leyden 09 December 2022 at 13:17 UTC Updated: 15 December 2022 at 17:06 UTC Five vendors act to thwart generic hack Security researchers have…
Improving large language models offer ‘just one more way to attack code, and one more way to defend code’ A supposed security researcher has tried…
Aids and techniques demonstrated at this year’s arsenal track Tools to enable the work of security researchers, pen testers, and bug bounty hunters were demonstrated…
Impact of cloud migration and shift to remote work evident in new report Bug bounty hunters are increasingly unearthing cloud-based vulnerabilities as organizations undergo ‘digital…
Charlie Osborne 14 December 2022 at 12:01 UTC Updated: 19 December 2022 at 09:53 UTC Akamai issued an update to resolve the flaw several months…
‘Not that hard to execute if attacker has access to a monitoring platform running Cacti’ A dangerous bug in Cacti, the RRDTool frontend and performance/fault…
John Leyden 16 December 2022 at 17:43 UTC Updated: 19 December 2022 at 14:19 UTC Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and…
Prizes offered to anyone who can bypass the library and capture the flag A new open source library designed to thwart server-side request forgery (SSRF)…
Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests A vulnerability in how Akamai retrieves Amazon Web Services (AWS) S3 resources…
Marine Corps engineer turned offensive security expert offers careers advice and his best and worst experiences John Jackson has been working in cybersecurity for less than…
Flaws could be combined to grab passwords in cleartext Vulnerabilities in enterprise password manager Passwordstate that could be combined to exfiltrate stored credentials have been…