专业的安全技术分享平台,汇聚全球黑客智慧
Attackers can abuse the near-maximum severity flaw in nginx-ui to restart, create, modify, and delete NGINX configuration files. 文章来源: https://www.darkreading.com/application-security/critical-mcp-i...
admin
5
0
Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi...
admin
5
0
HTTP Anomaly Rank If you've ever used Burp Intruder or Turbo Intruder, you'll be familiar with the ritual of manually digging through thousands of responses by repeatedly sorting the table via length,...
admin
5
0
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi...
admin
5
0
Update: nominations are now closed, and voting is live! Cast your vote here Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentati...
admin
5
0
Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year...
admin
5
0
SIEM是安全运营中心的核心平台。本文介绍SIEM系统的建设要点。 【SIEM核心功能】 • 日志收集与集中存储 • 实时关联分析 • 威胁检测与告警 • 事件调查与取证 • 合规报告 【开源方案】 ELK Stack(Elasticsearch + Logstash + Kibana)【 Wazuh - 开源安全监控平台【 Apache Metron - 大数据安全分析【 ...
admin
6
0
Cobalt Strike是红队行动的商业C2框架。本文介绍其基本功能和使用场景。 【核心功能】 • Beacon - 灵活的payload,支持多种通信方式 • Team Server - 团队协作服务器 • Malleable C2 - 自定义通信特征 • Aggressor Script - 自动化脚本 【攻击模块】 • 钓鱼攻击【 • 后渗透(提权、横向移动)【 • 凭证...
admin
5
0
开源情报是从公开来源收集信息的过程。本文介绍OSINT的工具和方法。 【信息收集目标】 • 域名和子域名枚举 • 员工信息(邮箱、职位) • 技术栈识别 • 代码泄露(GitHub、GitLab) • 社交媒体情报 【工具推荐】 theHarvester、Maltego、Shodan、Censys、SpiderFoot、OSINT Framework 文章来源: https:/...
admin
5
0
社会工程学利用人的心理弱点进行攻击。本文介绍钓鱼攻击的常见形式和防范措施。 【钓鱼攻击类型】 • 【邮件钓鱼】:伪装成可信机构发送恶意邮件 • 【鱼叉式钓鱼】:针对特定目标的定制化攻击 • 【鲸钓】:针对高管的特殊钓鱼 • 【语音钓鱼(Vishing)】:通过电话进行诈骗 • 【短信钓鱼(Smishing)】:通过短信传播恶意链接 【防范措施】 安全意识培训、邮件过滤、多因素认证、...
admin
5
0