Tencent Security Xuanwu Lab Daily News

• DOM Purify - untrusted Node bypass:
https://blog.slonser.info/posts/dompurify-node-type-confusion/

   ・ 介绍了DOMPurify库在处理HTML和XML节点时存在的潜在漏洞，探讨了触发意外行为的新方法 – SecTodayBot

• MIT researchers uncover ‘unpatchable’ flaw in Apple M1 chips | TechCrunch:
https://www.google.com/amp/s/techcrunch.com/2022/06/10/apple-m1-unpatchable-flaw/amp/

   ・ 苹果M1芯片存在无法修补的硬件漏洞，研究人员发现了一种名为'Pacman'的新型硬件攻击，可以绕过指针身份验证代码（PAC）的安全特性 – SecTodayBot

• RCE — Web Application Vulnerability: Jinja Template Injection:
https://medium.com/@hacking-lab/rce-web-application-vulnerability-jinja-template-injection-751f8e08c496

   ・ 介绍了 Jinja 模板注入漏洞在 Web 应用程序中的利用方法 – SecTodayBot

• Privileged Accounts and Token Privileges:
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges

   ・ 重点讨论了令牌权限和特权账户在安全评估和攻击向量中的应用，特别提到了SeLoadDriverPrivilege的潜在危险 – SecTodayBot

• Dangling Pointer Detector:
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/dangling_ptr.md

   ・ Chrome实现了悬空指针检测器 – SecTodayBot

• BobTheSmuggler: Leverages HTML Smuggling Attack:
https://securityonline.info/bobthesmuggler-leverages-html-smuggling-attack/

   ・ 一种新的攻击技术HTML Smuggling Attack以及一个利用该技术的工具Bob the Smuggler。该工具可以将文件嵌入到HTML、PNG、GIF和SVG文件中，用于隐蔽数据。 – SecTodayBot

• DNS-Tunnel-Keylogger - Keylogging Server And Client That Uses DNS Tunneling/Exfiltration To Transmit Keystrokes:
https://www.kitploit.com/2024/03/dns-tunnel-keylogger-keylogging-server.html

   ・ 介绍了一种后渗透键盘记录器和使用DNS隧道传输键盘记录的客户端。介绍了使用DNS隧道进行数据外传的新方法和工具。 – SecTodayBot

• www.bleepingcomputer.com:
https://www.bleepingcomputer.com/news/security/unsaflok-flaw-can-let-hackers-unlock-millions-of-hotel-doors/

   ・ 披露了Saflok电子门锁中的新漏洞Unsaflok，允许黑客通过伪造钥匙卡轻易打开全球范围内13,000家酒店和住宅中部署的300万把门。 – SecTodayBot

• Your First Dive intothe IoT Research | Vitaly Kamluk:
https://kas.pr/3y9z

   ・ 涉及物联网研究和网络安全技术的交叉领域，可能包括物联网研究的方法 – SecTodayBot

• Introduction to CodeQL: Examples, Tools and CI Integration:
https://www.youtube.com/watch?v=rQRlnUQPXDw&t=22s

   ・ 介绍了CodeQL，这是一种语义代码分析引擎，用于发现代码中的安全漏洞。 – SecTodayBot

• Fake-SMS: How Deep Does the Rabbit Hole Really Go?:
https://medium.com/@aleksamajkic/17e25c42f986

   ・ 通过对混淆恶意软件代码的跟踪和分析，介绍了Fake-SMS项目，并讨论了代码混淆技术的方法 – SecTodayBot

* 查看或搜索历史推送内容请访问：
https://sec.today

* 新浪微博账号：腾讯玄武实验室
https://weibo.com/xuanwulab