zayooko

25 posts

@zayooko

Joined December 2016
47 Following, 37 Followers
zayooko retweeted
Dennis @DennisF
"I'm the cybersecurity director at NSA and you could absolutely craft a phishing message that would get me to click a link. You’ve got to design your architecture to assume the humans are humans and bad things will happen." @RGB_Lights AMEN
zayooko retweeted
Intigriti @intigriti
5 CSRF exploitation techniques 🧵👇
zayooko retweeted
张惠倩 @momika233
Needle (CVE-2023-0179) exploit. This repository contains the exploit for my recently discovered vulnerability in the nftables subsystem that was assigned CVE-2023-0179 github.com/H4K6/CVE-2023-…
zayooko retweeted
Haifei Li @HaifeiLi
🚨 This unauthorized RCE bug (CVE-2023-21554) in the "forgotten" MSMQ service may have big impact. If you're a Windows admin, you need to check your environments ASAP (you may have unknowingly enabled the service). twitter.com/_CPResearch_/s…
Check Point Research @_CPResearch_

🚨 We discovered 3 vulnerabilities in Microsoft Message Queuing (MSMQ) service, including #QueueJumper (CVE-2023-21554), a Critical vulnerability that could allow unauthorized attackers to remotely execute code. More details in our blog 👉 research.checkpoint.com/2023/queuejump… #PatchNow

zayooko retweeted
Geekboy @emgeekboy
OpenAI (LLM) integration is coming to @pdnuclei using DSL that can be used in the template input/output context. Here is a basic example of analyzing the response header, but it could be anything: unknown patterns, secrets; it's a matter of how creative you can be with your query to explore the power of LLMs. Prompt used with the DSL extractor in the shared template: llm_prompt("what tech this server is using? return idk if you dont know" + header). Let me know what you think, or if you have any other interesting use cases or ideas for using LLMs / prompts in security. #hackwithautomation #openai #LLM
zayooko retweeted
Nuclei by ProjectDiscovery
If you've ever had to deal with angry family members because you accidentally got blocked by a WAF then listen up! 🚨 ⚠️ Detect if a url is behind a WAF before testing it with the WAF-detect template! Find it here 👉 github.com/projectdiscove…
zayooko retweeted
Dormidera @Dormidera
The Ransom House group responds and confirms the #DDoS attack carried out by the Mossos. It threatens to publish more data shortly about patients with infectious diseases. Via @_bettercyber_
zayooko retweeted
OpenZeppelin @OpenZeppelin
The final results of the Blockchain Hacking Techniques of 2022 are in! After a year of increased participation, as well as novel attack vectors leading to over $3.7B in losses, this initiative aims to provide critical insights into the ongoing challenges facing blockchain security. Ultimately, the collective efforts of the community can help to ensure the safety and stability of Web3 projects in the future. Read the final results below 👇 blog.openzeppelin.com/final-results-…
zayooko retweeted
Intigriti @intigriti
What resource has helped you the most in learning bug bounties?
zayooko retweeted
Intigriti @intigriti
Sometimes when developers configure CORS origin whitelists, they accidentally allow connections from unwanted origins and potentially facilitate data transfer to malicious origins! Let's look at the most common mistakes developers make when setting up CORS policies 👇
zayooko retweeted
DragonJAR - Seguridad Informática
New vulnerability in Azure Active Directory 😱: BingBang attack 💥 compromises Bing and users' personal data 👥. Wiz Research 🔍 @wiz_io have discovered a new attack vector in Azure Active Directory 😰 that leaves misconfigured applications exposed to unauthorized access 🚫. This vulnerability affects approximately 25% of multi-tenant applications 📊. Among Microsoft's vulnerable applications is a content management system (CMS) that controls Bing.com 🌐, which makes it possible to modify search results 🔍 and launch high-impact XSS attacks 💣 against Bing users, putting personal data such as Outlook emails 📧 and SharePoint documents at risk 🧵👇
zayooko retweeted
Hisxo @adrien_jeanneau
👋 I just released "JSpector": a simple Burp Suite extension to passively crawl JS files and display the results (URLs & endpoints) in the "Issues" tab of each target. I needed something simple to do this, and now that it's done, I'm sharing it! 🤗 ➡ You can download it here: github.com/hisxo/JSpector #BugBounty