[Knowledge] September 4 - Daily Security Knowledge Highlights


Highlights: stealing www.hackerone.com contact form data via Marketo Forms XSS, postMessage frame-jumping and jQuery-JSONP; detecting debuggers on Windows by abusing a bad assumption; automating fuzzing of web application input points with Burp Macros; advanced Flash vulnerabilities in YouTube; Ruby on Rails security checklist; Python sandbox escape via a memory corruption bug

News:

GitLab fixes session hijacking vulnerability that exposed users' private tokens

https://threatpost.com/session-hijacking-bug-exposed-gitlab-users-private-tokens/127747/

Technical:

Stealing www.hackerone.com contact form data via Marketo Forms XSS, postMessage frame-jumping and jQuery-JSONP

https://hackerone.com/reports/207042

Detecting debuggers on Windows by abusing a bad assumption

http://www.triplefault.io/2017/08/detecting-debuggers-by-abusing-bad.html

Safari Accidentally Treating ';' as an Assignment Operator

https://bugs.webkit.org/show_bug.cgi?id=176114

Automating fuzzing of web application input points with Burp Macros

http://blog.securelayer7.net/automating-web-apps-input-fuzzing-via-burp-macros/

Advanced Flash vulnerabilities in YouTube

https://opnsec.com/2017/08/advanced-flash-vulnerabilities-in-youtube/

Android tap-jacking can be turned into ransomware

https://youtu.be/FRpcGwCedZ0

Windows reverse engineering

http://www.cse.tkk.fi/fi/opinnot/T-110.6220/2014_Reverse_Engineering_Malware_AND_Mobile_Platform_Security_AND_Software_Security/luennot-files/T1106220.pdf

Ruby on Rails security checklist

http://www.engineyard.com/blog/ruby-on-rails-security-checklist

EvilAbigail: Automated Linux evil maid attack

https://github.com/GDSSecurity/EvilAbigail

Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox

https://www.slideshare.net/mark-smith/remotely-compromising-ios-via-wifi-and-escaping-the-sandbox

HTTPLeaks: All possible ways a website can leak HTTP requests

https://github.com/cure53/HTTPLeaks

Jumping network segregation with RDP

https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/

A journey into Radare 2 – Part 2: Exploitation

https://www.megabeets.net/a-journey-into-radare-2-part-2/ 

Python sandbox escape via a memory corruption bug

https://hackernoon.com/python-sandbox-escape-via-a-memory-corruption-bug-19dde4d5fea5

Flattened Mitre ATT&CK Matrix

https://docs.google.com/spreadsheets/d/e/2PACX-1vSzc2z9ZGpr5rnsFdBlqwG0pKyziZrWmNOPfNHjrFpY3twcyueciWelTMmQETSf8IFcOXvkXYBcyd4W/pubhtml

Alice and Bob, who the FOCI are they? Analysis of end-to-end encryption in the LINE messaging application

https://www.usenix.org/system/files/conference/foci17/foci17-paper-espinoza.pdf

Mako Web-server Tutorials Multiple Unauthenticated Vulnerabilities

https://blogs.securiteam.com/index.php/archives/3391

(End)