每日安全动态推送(12-8)
2023-12-8 11:43:53 Author: mp.weixin.qq.com(查看原文) 阅读量:6 收藏

Tencent Security Xuanwu Lab Daily News

• Critical misconfiguration in Firebase — Bug bounty:
https://medium.com/@facu.tha/critical-misconfiguration-in-firebase-e682ec4239d6

   ・ 本文介绍了作者发现的Firebase严重配置错误,通过披露新的漏洞信息和提供漏洞利用示例,展示了对漏洞的利用过程。 – SecTodayBot

• Blind OS Command Injection via Activation Request!!:
https://medium.com/@theUnixe/blind-os-command-injection-via-activation-request-2ea51185a18

   ・ 介绍了一种发现Blind OS命令注入漏洞的经历,并提供了详细的漏洞分析和利用演示。作者分享了如何通过Burp Collaborator或监听器来检测Blind OS命令注入漏洞。 – SecTodayBot

• Exploiting SSRF Vulnerability to Gain Unauthorized Access to AWS Data:
https://medium.com/@theUnixe/exploiting-ssrf-vulnerability-to-gain-unauthorized-access-to-aws-data-619afef4e974

   ・ 通过有效利用SSRF漏洞,成功绕过安全协议并利用iFrame加载了AWS数据。文章介绍了SSRF漏洞的详细分析、利用方法以及针对性的应对措施,是对SSRF漏洞利用的深入探讨。  – SecTodayBot

• Image upload leads to Mass Account Takeover & PII leak:
https://medium.com/@mares.viktor/leaking-plaintext-credentials-by-uploading-an-image-ec11d64fbd63

   ・ 介绍了通过上传图片导致客户数据泄露的新漏洞,详细分析了对漏洞进行测试的步骤和潜在的利用方式,是针对图片上传相关的新测试方法的讨论。 – SecTodayBot

• Proxyshell-Scanner:
https://github.com/cyberheartmi9/Proxyshell-Scanner

   ・ 介绍了由orange tsai在Pwn2Own中发现的影响Microsoft Exchange Server的Proxyshell RCE漏洞,并介绍了针对该漏洞的新扫描工具Proxyshell-Scanner。 – SecTodayBot

• PDF Upload Leading to Stored XSS:
https://medium.com/@katmaca2014/pdf-upload-leading-to-stored-xss-f712326705ee

   ・ 通过Python脚本创建恶意PDF文件以利用存储型XSS漏洞,揭示了PDF文件中潜在的安全风险。 – SecTodayBot

• Fuzzing APIs:
https://hackysterio.medium.com/fuzzing-apis-73d9f5cdf156

   ・ API Fuzzing是一个自动化的测试方法,目的是识别未知的错误和缺陷。本文介绍了使用API Fuzzing来发现API的漏洞,提到了安全工具BurpSuite和Postman,并讨论了API版本之间的差异。  – SecTodayBot

• The Importance of Burp Suite History Analysis to Bypass 403 Error:
https://redfishiaven.medium.com/the-importance-of-burp-suite-history-analysis-to-bypass-403-error-973aa642a8a3

   ・ 介绍了使用Burp Suite进行历史分析以绕过403错误的重要性,作者通过详细分析发现了一种绕过403错误的新方法,强调了结合Burp Suite的历史分析来发现漏洞。 – SecTodayBot

• Javascript Analysis to SQL injection:
https://melguerdawi.medium.com/javascript-analysis-to-sql-injection-ca763f9c4c4e

   ・ 通过分析JavaScript代码发现SQL注入漏洞,强调了通过代码分析查找漏洞的新方法。  – SecTodayBot

* 查看或搜索历史推送内容请访问:
https://sec.today

* 新浪微博账号:腾讯玄武实验室
https://weibo.com/xuanwulab


文章来源: https://mp.weixin.qq.com/s?__biz=MzA5NDYyNDI0MA==&mid=2651959454&idx=1&sn=cdd591b12e02f9710df0e2ed9901d4c1&chksm=8baed001bcd95917c99e3e51ad6eef12a5030da3ea710433e85ce79ae7f3ac79b755097be18a&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh