#BurpHacksForBounties - Day 22/30
🤓🤓 Create your own Burp Extender Plugin in 3 tweets with Java.
Thank you Burp Suite for making it easy
#infosec #appsec #burp @BurpSuiteGuide #bugbountytips #bugbountytip #security
🤓🤓 Create your own Burp Extender Plugin in 3 tweets with Java.
Thank you Burp Suite for making it easy
#infosec #appsec #burp @BurpSuiteGuide #bugbountytips #bugbountytip #security
This media is not supported in your browser
VIEW IN TELEGRAM
#BurpHacksForBounties - Day 24/30
This is an amazing writeup which talks about using plugin in Burp that ease the journey for catching IDORs.
Writeup link: https://infosecwriteups.com/leveraging-burp-suite-extension-for-finding-idor-insecure-direct-object-reference-2653f9b89fd4
By
@dhanush
#infosec #appsec #bugbountytips #bugbountytip #bugbounty #security
This is an amazing writeup which talks about using plugin in Burp that ease the journey for catching IDORs.
Writeup link: https://infosecwriteups.com/leveraging-burp-suite-extension-for-finding-idor-insecure-direct-object-reference-2653f9b89fd4
By
@dhanush
#infosec #appsec #bugbountytips #bugbountytip #bugbounty #security
#BurpHacksForBounties - Day 25/30
Optimizing Burp Suite for better performance, these 4 simple steps and you would notice a big difference in performance.
#infosec #appsec #burp #security #bugbountytips #bugbounty
Optimizing Burp Suite for better performance, these 4 simple steps and you would notice a big difference in performance.
#infosec #appsec #burp #security #bugbountytips #bugbounty
#BurpHacksForBounties - Day 26/30
Красное сердцеUnderstand the different intruder attack types in Burp Suite
With visualizations at code level for better understanding.
Code level understanding in follow up thread 👇
#infosec #appsec #security #cybersecurity #bugbounty #bugbountytips
Красное сердцеUnderstand the different intruder attack types in Burp Suite
With visualizations at code level for better understanding.
Code level understanding in follow up thread 👇
#infosec #appsec #security #cybersecurity #bugbounty #bugbountytips
#BurpHacksForBounties - 27/30
See all different intruder attack types of Burp Suite as codes
- Sniper
- Battering RAM
- Cluster Bomb
- PitchFork
#infosec #appsec #bugbounty #bugbountytips #security #burp
See all different intruder attack types of Burp Suite as codes
- Sniper
- Battering RAM
- Cluster Bomb
- PitchFork
#infosec #appsec #bugbounty #bugbountytips #security #burp
This media is not supported in your browser
VIEW IN TELEGRAM
#BurpHacksForBounties - Day 28/30 - Super CSRF POC Generator Hack.
CSRF POC generator is only available in Burp Suite pro, but not anymore.
Use this -> https://github.com/merttasci/csrf-poc-generator by @mertistaken
#infosec #burp #appsec #security #bugbountytips #bugbountytip #cybersecurity
CSRF POC generator is only available in Burp Suite pro, but not anymore.
Use this -> https://github.com/merttasci/csrf-poc-generator by @mertistaken
#infosec #burp #appsec #security #bugbountytips #bugbountytip #cybersecurity
Kubernetes Hardening Guidance
The NSA and CISA have published today a Kubernetes security-hardening guide
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
#kubernetes #hardening #security
The NSA and CISA have published today a Kubernetes security-hardening guide
https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF
#kubernetes #hardening #security
KubiScan
KubiScan helps cluster administrators identify permissions that attackers could potentially exploit to compromise the clusters. This can be especially helpful on large environments where there are lots of permissions that can be challenging to track. KubiScan gathers information about risky roles\clusterroles, rolebindings\clusterrolebindings, users and pods, automating traditional manual processes and giving administrators the visibility they need to reduce risk.
https://github.com/cyberark/KubiScan
#kubernetes #rbac #scan #security #tools
KubiScan helps cluster administrators identify permissions that attackers could potentially exploit to compromise the clusters. This can be especially helpful on large environments where there are lots of permissions that can be challenging to track. KubiScan gathers information about risky roles\clusterroles, rolebindings\clusterrolebindings, users and pods, automating traditional manual processes and giving administrators the visibility they need to reduce risk.
https://github.com/cyberark/KubiScan
#kubernetes #rbac #scan #security #tools
GitHub
GitHub - cyberark/KubiScan: A tool to scan Kubernetes cluster for risky permissions
A tool to scan Kubernetes cluster for risky permissions - cyberark/KubiScan
Hunting for Persistence in Linux
# https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/
# https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
#blueteam #redteam #DFIR #security
# https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/
# https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
#blueteam #redteam #DFIR #security
pepe berba
Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)
An introduction to monitoring and logging in linux to look for persistence.
👍1
CloudSploit
CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Many cloud IaaS providers like AWS, Azure, and Google Cloud have a shared responsibility model. They provide the physical and architectural security, along with tools to properly secure the services they offer, but it is up to the user to configure those settings properly.
https://github.com/aquasecurity/cloud-security-remediation-guides
#cloud #security #remediation #blueteam
CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Many cloud IaaS providers like AWS, Azure, and Google Cloud have a shared responsibility model. They provide the physical and architectural security, along with tools to properly secure the services they offer, but it is up to the user to configure those settings properly.
https://github.com/aquasecurity/cloud-security-remediation-guides
#cloud #security #remediation #blueteam
GitHub
GitHub - aquasecurity/cloud-security-remediation-guides: Security Remediation Guides
Security Remediation Guides. Contribute to aquasecurity/cloud-security-remediation-guides development by creating an account on GitHub.
Arsenal of AWS Security Tools
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
https://github.com/toniblyx/my-arsenal-of-aws-security-tools
#aws #security #benchmarks #blueteam
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
https://github.com/toniblyx/my-arsenal-of-aws-security-tools
#aws #security #benchmarks #blueteam
GitHub
GitHub - toniblyx/my-arsenal-of-aws-security-tools: List of open source tools for AWS security: defensive, offensive, auditing…
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. - toniblyx/my-arsenal-of-aws-security-tools
AD Security Assessment
Active Directory Security Assessment script pulls important security facts from Active Directory and generates nicely viewable reports in HTML format by highlighting the spots that require attention. The script manipulates user data using facts collected with benchmark values.
https://github.com/gkm-automation/AD-Security-Assessment
#ad #security #assessment #ps1
Active Directory Security Assessment script pulls important security facts from Active Directory and generates nicely viewable reports in HTML format by highlighting the spots that require attention. The script manipulates user data using facts collected with benchmark values.
https://github.com/gkm-automation/AD-Security-Assessment
#ad #security #assessment #ps1
Container Security Checklist
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
Checklist for container security devsecops practices
https://github.com/krol3/container-security-checklist
#kubernetes #docker #security #cheatsheet #blueteam
GitHub
GitHub - krol3/container-security-checklist: Checklist for container security - devsecops practices
Checklist for container security - devsecops practices - krol3/container-security-checklist
Forwarded from internet-lab.ru
🔐 MULTIFACTOR — особенности 2FA
Существует неплохое решение для организации двухфакторной аутентификации в корпоративной среде под названием MULTIFACTOR. Входит в реестр российского ПО за номером 7046.
Это не реклама, поскольку сегодня буквально в двух словах мы расскажем про то как этот второй фактор можно обойти в некоторых очень частных случаях.
Бу-га-га.
#security #special
https://internet-lab.ru/multifactor_2fa_bug
Существует неплохое решение для организации двухфакторной аутентификации в корпоративной среде под названием MULTIFACTOR. Входит в реестр российского ПО за номером 7046.
Это не реклама, поскольку сегодня буквально в двух словах мы расскажем про то как этот второй фактор можно обойти в некоторых очень частных случаях.
Бу-га-га.
#security #special
https://internet-lab.ru/multifactor_2fa_bug
internet-lab.ru
MULTIFACTOR — особенности 2FA | internet-lab.ru
Существует неплохое решение для организации двухфакторной аутентификации в корпоративной среде под названием MULTIFACTOR.
👍5❤🔥3😁1
Forwarded from SHADOW:Group
На сайтах, где идентификация идет по Email и есть возможность войти через Microsoft OAuth есть риск захвата аккаунта.
Дело в том, что Azure не проверяет установленную в аккаунте почту, что позволяет вам указать почту жертвы и войти на уязвимый сайт через OAUTH от ее имени.
- Жертва регается на сайте через свою почту.
- Заходим в Azure AD и меняем свою почту на почту жертвы.
- Заходим на сайт через Microsoft OAuth и получаем доступ к аккаунту жертвы.
Видео PoC
#web #ato #oauth
Please open Telegram to view this post
VIEW IN TELEGRAM
YouTube
nOAuth | OAuth Implementation Flaw Affecting Azure AD OAuth Applications
nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications. This demo video explains how the misconfiguration can lead to full account takeover and how to prevent it.
This blog on nOAuth has more details:…
This blog on nOAuth has more details:…
🔥7👍3❤1❤🔥1👎1