Security implications of using the current session to mint new access tokens

I saw a setup recently where frontend and resource servers were hosted on subdomains of the same second level domain. E.g. ui.example.com and api.example.com.
It had an interesting authentication flow that seemed like a variant of the refr… Continue reading Security implications of using the current session to mint new access tokens

Data-backed insights for future-proof cybersecurity strategies

The Qualys Threat Research Unit (TRU) has been hard at work detecting vulnerabilities worldwide, and its latest report is set to shake up the industry. In this Help Net Security interview, Travis Smith, VP of the Qualys TRU, talks about the 2023 Qualys… Continue reading Data-backed insights for future-proof cybersecurity strategies

What you need before the next vulnerability hits

Cyberattacks tend to come from two angles: criminals take advantage of employees with privileged access or of security weaknesses in your hardware/software infrastructure. These broad categories encompass attack vectors such as phishing, man-in-the-mid… Continue reading What you need before the next vulnerability hits

Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

Threat Overview Earlier this week, Microsoft released a patch for Outlook vulnerability CVE-2023-23397, which has been actively exploited for almost an entire year. This exploit has caught the attention of a hacking group linked to Russian military intelligence that is using it to target European organizations. CVE-2023-23397 allows threat actors to steal NTLM credentials of…

The post Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397) appeared first on TrustedSec.

Continue reading Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)

Need help with the process of vulnerability assessing a website [closed]

I joined as an intern at this organization as a supposed cyber security consultant and now I’m expected to conduct a vulnerability assessment of the website and prepare a report on that.
Any suggestions as to what tools I can use for free … Continue reading Need help with the process of vulnerability assessing a website [closed]

The First Steps on the Zero Trust Journey

One of the most discussed concepts in the Information Security world in recent history has been Zero Trust. Although many vendors claim to have products for implementing Zero Trust, an organization must not view them as an instant solution to achieving Zero Trust. Zero Trust should be viewed as a philosophy comprised of many controls…

The post The First Steps on the Zero Trust Journey appeared first on TrustedSec.

Continue reading The First Steps on the Zero Trust Journey

What this KeePass CVE means for organizations searching for new password vaults

After the 2022 LastPass breach, many organizations began searching for alternative password vault solutions. KeePass, a legacy open-source option, has risen to the top for many organizations evaluating their options. Others have been using this option already for years. A recent POC demonstrating how to abuse the Trigger feature was released and assigned a CVE…

The post What this KeePass CVE means for organizations searching for new password vaults appeared first on TrustedSec.

Continue reading What this KeePass CVE means for organizations searching for new password vaults

What are some of the vulnerabilities in this code and What threat model is appropriate for this code?

//$ cat greetings.c
/*
* Compile this program with ‘make greetings’; run it with ./greetings
*
* A simple program to say hello and get to know the user better.
*
*/
#define _GNU_SOURCE
#pragma GCC diagnostic ignored "-Wformat&quo… Continue reading What are some of the vulnerabilities in this code and What threat model is appropriate for this code?

SSVC: Prioritization of vulnerability remediation according to CISA

Given that 2021 was a record year for new vulnerabilities published and threat actors became better at weaponizing vulnerabilities, timely and well-judged vulnerability prioritization and remediation are a goal all organizations should aspire to achiev… Continue reading SSVC: Prioritization of vulnerability remediation according to CISA