Collaborate Disseminate
CVE-2020-27838 describes that Keycloak has an open endpoint where it’s possible to obtain client_secret information, as shown in the example below:
/auth/realms/{realm}/clients-registrations/default/{client_id}
Through other discussions, … Continue reading Analyzing impact of leaked client_secret in Authorization Code Flow in Keycloak (CVE-2020-27838)
I understand that a header like X-Powered-By can reveal details about the operating environment that can be used to find known vulnerabilities because you often get the language and compiler/interpreter/operating environment versions.
With… Continue reading Verbose Headers/Information Leakage via HttpResponse Headers vs fingerprinting via named headers
I recently start to learning some Ethical Hacking, to do pentesting, and i was looking for some advices from the community and some techniques in "deserialization vulnerabilities" on web applications.
Continue reading How far can we go with deserialization vulnerabilities
One of my close relatives recently passed away. They had a large digital footprint, and their data was leaked and distributed on the internet. Unfortunately, the websites who store that information keep giving glib responses to requests fo… Continue reading Would an attacker want the PII (personal information) of a deceased natural person?
I’m at home and I am connected to my University’s network using huawei’s SecoClient. When I check my ip I get my university’s IP, as expected.
However, I am also running a VM, which I setup to connect to my wifi adapter. This VPN adapter d… Continue reading Accidental VPN leak/override by using a different network adapter?
I am aware of one paper (although I forget the name) in which an AES key is extracted from some meters away as a result of coil whine (potentially audible vibration of an inductor coil), but I can’t find any research which looks into acous… Continue reading Side-channel impacts of coil whine and related acoustical phenomena over time
My friend asked me if it possible to get somebody’s IP from Google Meet just by being in the same meeting. He found a video that says it is possible.
But when I read about webRTC and STUN servers, I got conflicting information. One side to… Continue reading Does Google Meet leak my IP?
I found an information leakage vulnerability on a company website and I found that the information includes all the usernames of the users.
I also observed that the application uses a lockout mechanism that locks out users after 5 attempts… Continue reading Will this Account Lockout mechanism increase the severity of a information leakage vulnerability that leaks usernames?
It appears as if there has been a Twitch compromise. Somebody hinted that private messages have been leaked out. This makes me paranoid since I’ve had quite a few "private" conversations in "whispers" on that site. Does… Continue reading Is there such a thing as a concise, clean, serious source to learn about "security leaks" without all the stupid BS? [closed]
First of all, yes, I know it’s better to change the password anyways, but I want a figure on the damage done.
What kind of hashing technique was used by Twitch for saving the passwords?
How long do the passwords need to be bruteforced on a… Continue reading Twitch leak – what kind of hashing did they use?