HotPlugin
@hotplugin0x01

Pentester | Perpetual Student

Joined July 2018
608 Following · 250 Followers · 1.4K posts
HotPlugin reposted
Devansh (⚡, 🥷) @0xAsm0d3us
Needle in the haystack: LLMs for vulnerability research. I've distilled my experience of sending thousands and thousands of prompts for using LLMs to discover vulnerabilities into a single write-up. These are the conclusions I came to. (link in comment)
19 · 172 · 985 · 59.1K
HotPlugin reposted
Hajjaj 🇵🇸 @Hajjaj0x
man I was reading some articles about sqli exploitation with WAF bypass and I found this crazy good article. idk about u but I found it so impressive; professional pentesters own BB hunters, let's just say. vaadata.com/blog/exploitin…
1 · 24 · 137 · 7.7K
HotPlugin reposted
ProjectDiscovery @pdiscoveryio
A DNS takeover is not the same as a subdomain takeover. DNS takeovers have become a popular but often misunderstood vulnerability. In this blog, you will learn:
✅ The difference between a DNS and subdomain takeover: A subdomain takeover exploits a service a domain points to, while a DNS takeover gives the attacker full control over the DNS server itself, which is more severe.
✅ How to spot a vulnerable domain: Learn the two key criteria for detecting a DNS takeover, including looking for a SERVFAIL or REFUSED status and identifying a domain's authoritative nameservers.
✅ How to take control of a domain: The blog walks you through the process, from finding vulnerable DNS providers to the steps needed to claim a domain.
✅ Automated Detection: Discover how to use tools like Nuclei with specific templates to automate the detection of domains that are potentially vulnerable to a DNS takeover.
Want to master DNS takeovers and learn how to defend against them? Read the full article for a complete guide. 👇 projectdiscovery.io/blog/guide-to-…
0 · 69 · 353 · 26.7K
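The two detection criteria the post names (the zone's authoritative nameservers, and whether those nameservers answer SERVFAIL or REFUSED for the zone) can be turned into a small audit of your own delegations. The following is an added example, not code from ProjectDiscovery's post, blog or Nuclei templates: it parses dig-style output so it runs offline, and every domain, nameserver name and response below is constructed for illustration. A zone where every delegated nameserver refuses to serve it is the strongest signal; a single failing nameserver is more often a lame delegation and is reported separately.

```python
"""Audit NS delegations for the DNS-takeover criteria: authoritative
nameservers that return SERVFAIL or REFUSED for the zone they are
delegated for. Input is dig-style text, so the check runs offline.
All names and responses in this file are constructed, not real."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import re

BAD_STATUSES = {"SERVFAIL", "REFUSED"}
STATUS_RE = re.compile(r"status:\s*([A-Z]+)")


@dataclass(frozen=True)
class Finding:
    zone: str          # the delegated zone being audited
    nameserver: str    # the NS host that failed to serve it
    status: str        # SERVFAIL or REFUSED


def parse_status(dig_output: str) -> Optional[str]:
    """Return the rcode from a dig ';; ->>HEADER<<-' line, or None."""
    m = STATUS_RE.search(dig_output)
    return m.group(1) if m else None


def parse_ns_records(dig_output: str) -> List[Tuple[str, str]]:
    """Extract (zone, nameserver) pairs from NS records in dig output."""
    records = []
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue                      # skip comments and blank lines
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NS":
            records.append((fields[0].rstrip("."), fields[4].rstrip(".")))
    return records


def audit_delegation(delegation: str, answers_by_ns: Dict[str, str]) -> List[Finding]:
    """Flag every delegated nameserver whose direct answer is SERVFAIL/REFUSED.

    delegation:    dig output listing the zone's NS records (from the parent
                   or a recursive resolver).
    answers_by_ns: nameserver host -> dig output of querying that host
                   directly for the zone (e.g. 'dig @ns1 zone SOA').
    """
    findings = []
    for zone, ns in parse_ns_records(delegation):
        status = parse_status(answers_by_ns.get(ns, ""))
        if status in BAD_STATUSES:
            findings.append(Finding(zone, ns, status))
    return findings


def fully_unserved_zones(delegation: str, answers_by_ns: Dict[str, str]) -> Set[str]:
    """Zones where *every* delegated nameserver refused or failed: the
    delegation points at a provider that does not host the zone at all."""
    per_zone: Dict[str, List[bool]] = {}
    for zone, ns in parse_ns_records(delegation):
        bad = parse_status(answers_by_ns.get(ns, "")) in BAD_STATUSES
        per_zone.setdefault(zone, []).append(bad)
    return {z for z, flags in per_zone.items() if flags and all(flags)}


# --- constructed sample inputs (hypothetical names, not real infrastructure) ---
DELEGATION = """\
; <<>> DiG 9.18 <<>> NS shop.example.test
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; ANSWER SECTION:
shop.example.test.\t300\tIN\tNS\tns1.dns-provider.test.
shop.example.test.\t300\tIN\tNS\tns2.dns-provider.test.
www.example.test.\t300\tIN\tNS\tns1.dns-provider.test.
www.example.test.\t300\tIN\tNS\tns3.dns-provider.test.
"""

DIRECT_ANSWERS = {
    # both nameservers for shop.example.test refuse the zone -> takeover signal
    "ns1.dns-provider.test": ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2222\n",
    "ns2.dns-provider.test": ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333\n",
    # ns3 serves www.example.test normally -> that zone is only partially lame
    "ns3.dns-provider.test": ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4444\n",
}

if __name__ == "__main__":
    for f in audit_delegation(DELEGATION, DIRECT_ANSWERS):
        print(f"{f.zone}: {f.nameserver} answered {f.status}")
    print("fully unserved:", sorted(fully_unserved_zones(DELEGATION, DIRECT_ANSWERS)))
```

In practice the two inputs come from querying the parent zone for NS records and then querying each listed nameserver directly; a zone that appears in the fully-unserved set is the one to remediate first, by removing the stale delegation or re-creating the zone at the provider before anyone else can.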
HotPlugin reposted
Smukx.E @5mukx
Free Malware Analysis Course, covers malware concepts, malware analysis, and black-box reverse engineering techniques. class.malware.re
5 · 256 · 1.2K · 43.5K
HotPlugin reposted
Dimitri Os @Ch0pin
❌ Wrong: "Victim must install a malicious app" ✅ Right: "Any 3rd-party app can exploit it" Legit apps (e.g. Chrome) can be abused as gadgets, turning complex bugs into 1-click exploits. No excuse to leave it unfixed. ndevtk.github.io/writeups/2024/…
0 · 28 · 145 · 12.1K
HotPlugin reposted
chux @chux13786509
A really cool writeup from @wiz_io, showing the potential impact of a successful SSRF vulnerability in cloud environments 🤩 In the next few days, I hope to share on my YouTube channel a web app with an SSRF vulnerability that can also be exploited in IMDSv2 🔥 Btw, I reported that vulnerability to the vendor 😆 wiz.io/blog/imds-anom…
1 · 15 · 103 · 9.2K
HotPlugin reposted
Aurélien Chalot @Defte_
Dumping LSASS is old school. If an admin is connected on a server you are local admin on, just create a scheduled task asking for a certificate on his behalf, get the cert, get its privs. All automatized in the schtask_as module for NetExec 🥳🥳🥳
7 · 298 · 1.4K · 70.8K
HotPlugin reposted
EZ @IAMERICAbooted
Cloud security in a nutshell: the goal is to decrease risk. In cloud it goes a bit like this:
- IAM: MFA all the things. If you can swing it with ops, pilot passwordless. Users will love it, I promise!
- Make sure everyone can't just escalate privileges when they're not admins.
- Make sure devices are managed. If they're not, MAM-WE is your friend.
- Make sure data in transit and at rest is encrypted. If you're highly regulated and multi-GEO, I'll pray for you, because you have to consider data residency and traversal too.
- Validate logging is sufficient for the compliance frameworks and doesn't have creds in it.
- Validate DLP visibility and controls wherever the data flows and gets stored, depending on the risk classification.
- Don't allow deprecated OAuth protocols like Implicit Grants with fragments and ROPC flows, and use Public Client Flows sparingly unless for desktop apps on managed devices.
- Use application proxy wherever possible to transition on-prem apps to Entra. Use SSO. Additional auth should only be required where high volumes of sensitive data reside.
- Make sure you have policies and procedures for handling secrets and vaulting. You don't want them ending up in Teams, SharePoint, or Confluence xD
- For temporary apps, have a preplanned, documented decommissioning process and date, because they are going to require insane privileges to do their thing.
- Nail down governance and backup/restore processes at the forefront.
- Make sure there's EDR and AV on most devices (~95% or more).
- Make sure there's Defender for Office365, Teams ZAP, and Defender Cloud Apps with App Governance, or another CASB.
- If you don't have an SSPM, do CIS benchmark audits and just document stuff like 3rd-party solutions and mitigating controls.
- Make sure stuff has WAFs if you've got a publicly facing webapp, and use things like application proxy to make login easy.
- Make sure user apps require assignment and don't grant API privileges associated with administrative activities.
- Every time you traverse a trust boundary, assess what controls are there to deal with tampering and access.
- Label your data. Find out where the most sensitive stuff lives and add extra controls like specific label configurations (user-assigned permission and no Export).
- Make sure stuff isn't publicly facing by accident. Avoid legacy protocols. Use private groups, teams, and sites wherever possible. It's never always possible.
- For accepted risks, create detections and playbooks.
- Temporal reassessments for configuration drift and low-level documentation if you don't have drift monitoring solutions implemented.
- Let users do as much as possible. User experience is of the utmost importance. Pop-ups are no bueno.
11 · 49 · 298 · 19K
HotPlugin reposted
H4x0r.DZ 🇰🇵 @h4x0r_dz
Users who have Python installed on their PCs and use WhatsApp Desktop may be exposed to a security risk. A specially crafted .pyz (Python archive) file can be used to execute malicious code upon a single click, potentially compromising the system. A similar vulnerability was previously identified in Telegram Desktop and has since been remediated. At present, Meta does not recognize this behavior as a security issue, which may leave WhatsApp Desktop users at risk of exploitation.
20 · 144 · 742 · 61.5K
HotPlugin reposted
PentesterLab @PentesterLab
Stop everything you're doing! Phrack is out! 📰 phrack.org/issues/72 🔑 y4nush.com/posts/the-401-… 🎲 blog.doyensec.com/2025/08/19/tri… 💎 blog.trailofbits.com/2025/08/20/mar… 💻 gitlab-com.gitlab.io/gl-security/se… 🐍 medium.com/@abcd_68700/cv…
1 · 12 · 53 · 7.3K
HotPlugin reposted
Ryan Holiday @RyanHoliday
Associate with people who improve you. Seneca tells us to "Associate only with those who will make a better man of you. Welcome those whom you yourself can improve."
57 · 122 · 814 · 42.6K
HotPlugin reposted
Panos Gkatziroulis 🦄 @ipurple
🛠️ GroupPolicyBackdoor - a Python utility for Group Policy Objects (GPOs) manipulation and exploitation. ✅ GPO attack vectors can very often lead to impactful privilege escalation scenarios in Active Directory environments. github.com/synacktiv/Grou…
0 · 10 · 44 · 2.2K
HotPlugin reposted
Mandiant (part of Google Cloud)
The 12th Annual Flare-On Challenge kicks off Sept 26 at 8PM EST! Reverse engineering pros, from Windows to Web3 (with a YARA twist), it's your time to shine. 🏆 Get ready → bit.ly/4ofb5g8 #FlareOn12
1 · 76 · 190 · 21K