Remote Code Execution with Spring Boot 3.4.0 Properties

https://snyk.io/articles/remote-code-execution-with-spring-boot-3-4-0-properties/

[RSS] Reverse engineering the Sega Channel game image file format

https://www.infochunk.com/schannel/index.html

Malimite is an iOS decompiler designed to help researchers analyze and decode IPA files https://github.com/LaurieWired/Malimite

Intel launched the Pentium processor in 1993. Unfortunately, dividing sometimes gave a slightly wrong answer, the famous FDIV bug. Replacing the faulty chips cost Intel $475 million. I reverse-engineered the circuitry and can explain the bug. 1/9

Writing down (and searching through) every UUID · eieio.games
https://eieio.games/blog/writing-down-every-uuid/

/via @filippo

#frombsky

@h2onolan I'm pretty sure it's ownership. See also how Kaspy got banned while CrowdStrike not.

Breaking the most popular #Web Application Firewalls (#waf) in the market

https://nzt-48.org/breaking-the-most-popular-wafs

[RSS] Trying to Exploit My Old Android Device, take 2 (CVE-2020-0401, PackageManagerService)

https://pwner.gg/blog/Android%27s-CVE-2020-0401

"Good Red Team comes on slow. The first month is all waiting, then halfway through the second month you start cursing the service provider who burned you, because nothing is happening. And then... ZANG!" - Hunter CISO Thompson

I'll just leave this here for the real programmers.

Forward thinking was just the thing that made Multics what it is today.

— Erik Quanstrom

Santa brought new a blog post!

Handling Arbitrarily Nested Structures with #BurpSuite

https://blog.silentsignal.eu/2024/12/06/custom-decoder-for-burp/

The competition compromises your C2 infrastructure and operator workstations.

"a longstanding campaign orchestrated by the Russian-based threat actor known as 'Secret Blizzard' (also referred to as Turla). This group has successfully infiltrated 33 separate command-and-control (C2) nodes used by Pakistani-based actor, 'Storm-0156.'"

https://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/

@bagder @swapgs I highly recommend clicking through the demo at https://www.hackerone.com/hai-your-hackerone-ai-copilot

It's really really bad, even for the low bar of AI slop. It recommends using `X-XSS-Protection` (which is not a thing anymore), claims that calling `dangerouslySetInnerHTML` breaks the principle of least privilege, and then in a report about an SQL dump being publicly available it explains said dump by describing how a CREATE TABLE works without even catching on the fact that it's an export of the database in SQL format.

If the demo they present this with is so hilariously bad, I can only imagine what the real product is like.

@pentagrid @garethheyes TOTP tag -> galaxy brain <3

[RSS] URL File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it

https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html

Pentagrid published two #Hackvertor tags for #EAN13 (also Swiss AHV numbers) and #TOTP for #2FA. These tags are available via the Hackvertor Tag Store by @garethheyes. Our blog post explains what these tags do and how they can be used. https://www.pentagrid.ch/en/blog/hackervertor-ean13-and-totp-tags-for-web-application-penetration-testing-with-burp/ #pentest #OWASP

#VSCode support for writing #Ghidra plugins! And it includes debugging from VSCode!

I am SO EXCITED! Thank you Ghidra team! 💜💜💜

https://github.com/NationalSecurityAgency/ghidra/commit/478d3e6331803ee3c4adda98a9a97e0acab7e242

#ReverseEngineering #GhidraExtensions

The IBM Hyper Text Editing System console from 1969 https://commons.wikimedia.org/wiki/File:HES_IBM_2250_Console_grlloyd_Oct1969.png

Cyberpunk when?
(Now. Right now)