Welcome to the April edition of the ProjectDiscovery Community Newsletter. Spring is already in full swing, and with the season of new growth comes plenty of new updates from the PD team.
This month has seen exciting additions to Nuclei and its templates, as well as our first ever virtual live event, Hardly Strictly Security, where some of the most important minds in the field of cybersecurity gathered to not only give insightful talks, but interact with our community and answer burning questions.
We want to thank you all for showing your support for the event, for your enthusiasm and making the day such a huge success. We can’t wait to cook up something just as exciting for next year!
In the meantime though, we’ll continue to share all of the latest news and developments in vulnerability and cybersecurity technology with you, as well as highlighting contributions from our incredible community. And as always, don’t forget to join us on GitHub and Discord to share your thoughts and be part of the discussion!
This release introduces several bug fixes and new features, including SRV queries in DNS protocol, networkpolicy added to httpx probes, and support for user provided catalogs. Ongoing issues are now fixed, such as internal resolver override, jsonlinput format not working with fuzzing, and panic in template validation.
For this release, we gained valuable contributions from our community members: @tovask, @scottdharvey and @testwill. Thank you so much for your input on this release, and for bringing such incredible value to our tools.
April stats
8,625
Nuclei templates
+219
2,435
CVE templates
+39
713
Contributors
+13
Nuclei Templates’ most recent update includes some exciting contributions - 142 new templates were added in this release, along with 10 new CVEs, and the input of 6 first-time contributors.
In v9.8.5, we’ve newly added AWS cloud review templates. These templates can be used by either companies or pentesters, and will help to identify misconfigurations in the AWS cloud environment. Alongside this, by leveraging AWS code templates, security teams will now be able to write their own checks for identifying misconfigurations that are specific to particular workflows. As a result, they will be able to effectively identify and remediate potential security issues within AWS environments.
This release also introduces the concept of profiles, which allow users to run a specific set of templates tailored for a particular use case. If you’re looking to run AWS templates, you’ll now be able to find a profile named ‘aws-cloud-config’. Using that profile will allow you to run those templates!
Huge thanks to our contributors on this release - @carsonchan12345, @Salts, @d4ly, @f0xy.
Over on Medium, CyberOz shared a great exploration of the ways in which chain of rate limit bypass and weak token expiry can lead to an account takeover. Is it possible to bypass an IP block and work around a guessable password reset parameter?
Read the article
DoomerOutrun has built an awesome, fully detailed tutorial on setting up an Interactsh self-hosted server.
View the post
ashu_barot targeted a large organization while respecting policy and guidelines, and it paid off! Read more on how identifying a vulnerability in NASA’s systems led to them receiving a letter of appreciation from NASA’s own Information Security Officer.
View the post
The inaugural Hardly Strictly Security conference, held virtually on April 25th, was a resounding success. The event brought together cybersecurity experts, enthusiasts, and professionals from various backgrounds for a full day of insightful discussions and presentations.
Additionally, the conference featured interactive roundtable rooms hosted by ProjectDiscovery’s engineering and research teams, where participants could engage directly with experts on topics ranging from reconnaissance best practices to technical support.
If you missed the conference - don’t worry - all the presentations are available NOW on the ProjectDiscovery YouTube channel. And based on the fantastic turnout for our roundtables, we’ll be looking to schedule more smaller events like them soon. Stay tuned.
View on YouTube
Our diverse community spans members from full-time bug bounty hunters to Fortune 500 security engineers.