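Highlights: stealing contact form data from www.hackerone.com using Marketo Forms XSS, postMessage frame-jumping and jQuery-JSONP; detecting debuggers on Windows by abusing a bad assumption; automating fuzzing of web application input points with Burp Macros; advanced Flash vulnerabilities in YouTube; a Ruby on Rails security checklist; Python sandbox escape via a memory corruption bug
News:
GitLab fixes session hijacking vulnerability that exposed users' private tokens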
https://threatpost.com/session-hijacking-bug-exposed-gitlab-users-private-tokens/127747/
Technical:
Stealing contact form data from www.hackerone.com using Marketo Forms XSS, postMessage frame-jumping and jQuery-JSONP
https://hackerone.com/reports/207042
Detecting debuggers on Windows by abusing a bad assumption
http://www.triplefault.io/2017/08/detecting-debuggers-by-abusing-bad.html
Safari Accidentally Treating ';' as an Assignment Operator
https://bugs.webkit.org/show_bug.cgi?id=176114
Automating fuzzing of web application input points with Burp Macros
http://blog.securelayer7.net/automating-web-apps-input-fuzzing-via-burp-macros/
Advanced Flash vulnerabilities in YouTube
https://opnsec.com/2017/08/advanced-flash-vulnerabilities-in-youtube/
Android tap-jacking can be turned into ransomware
Windows reverse engineering
Ruby on Rails security checklist
http://www.engineyard.com/blog/ruby-on-rails-security-checklist
EvilAbigail: Automated Linux evil maid attack
https://github.com/GDSSecurity/EvilAbigail
Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
https://www.slideshare.net/mark-smith/remotely-compromising-ios-via-wifi-and-escaping-the-sandbox
HTTPLeaks: All possible ways, a website can leak HTTP requests
https://github.com/cure53/HTTPLeaks
Jumping network segregation with RDP
https://rastamouse.me/2017/08/jumping-network-segregation-with-rdp/
A journey into Radare 2 – Part 2: Exploitation
https://www.megabeets.net/a-journey-into-radare-2-part-2/
Python sandbox escape via a memory corruption bug
https://hackernoon.com/python-sandbox-escape-via-a-memory-corruption-bug-19dde4d5fea5
Flattened Mitre ATT&CK Matrix
Alice and Bob, who the FOCI are they?: Analysis of end-to-end encryption in the LINE messaging application
https://www.usenix.org/system/files/conference/foci17/foci17-paper-espinoza.pdf
Mako Web-server Tutorials Multiple Unauthenticated Vulnerabilities