We know what you’re waiting for - this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Given its wide usage, the type of solution it is, and the kinds of enterprises that rely on it, any serious vulnerability, or chain of vulnerabilities leading to serious impact, is no bueno - and so we have more to tell you about today.
As you may remember from our previous blog post, Kentico’s Xperience CMS product is a CMS solution aimed at enterprises but widely used by o
TL;DR: Exported concrete error types are superior to sentinel errors. They can be more performant, cannot be clobbered, and promote extensibility. Third-party function errutil.Find is a powerful alternative to standard-library function errors.As.

Setting the scene: Imagine that you’re writing a package named bluesky whose purpose is to check the availability of usernames on Bluesky, the up-and-coming social-media platform:

```go
package bluesky

// IsAvailable reports whether username is free on Bluesky.
func IsAvailable(username string) (bool, error) {
	// actual implementation omitted
	return false, nil
}
```

Calls to IsAvailable may fail (i.
Hacking Lab - Automated Attack Synthesis for Constant Product Market Makers (to appear). Sujin Han, Jinseo Kim, Sung-Ju Lee, Insu Yun. June 2025. Proceedings of the ACM SIGSOFT International Symposium on Software...
### Summary
All versions of W3C CSS validator are vulnerable to XXE due to unsafe parsing of XML data when untrusted XML data is passed to the `DocumentParser()` constructor and is not properly s...
Use-after-free is a memory corruption condition where a program references memory after it has been released back to the allocator. Statically detecting these bugs can be challenging. In the past, several approaches have addressed this problem, such as GUEB by Josselin Feist and Sean Heelan's work
# CSPT Resources
27 Mar 2025 - Posted by Maxence Schmitt
As a follow up to Maxence Schmitt’s research on **Client-Side Path Traversal (CSPT)**, we wanted to encourage researchers, bug hunters, and security professionals to explore CSPT further, as it remains an underrated yet impactful attack...
An analysis of the NSO BLASTPASS iMessage exploit Posted by Ian Beer, Google Project Zero On September 7, 2023 Apple issued an out-...
Introduction: Many vulnerability writeups nowadays focus on the exploitation process when it comes to software bugs. The term “Exploit Developer” is also still used synonymously with Vulnerability Research, presumably dating from the early 2000s, when bugs were easily discoverable and the community was just beginning to explore the art of exploitation. However, nowadays, with SDL and continuous fuzzing, the discovery of unknown vulnerabilities in crucial systems is becoming more important, arguably more so than the exploitation process.
A step-by-step guide for open source maintainers on how to handle vulnerability reports confidently from the start.
Key Points VanHelsing RaaS In recent weeks, a new and rapidly expanding ransomware-as-a-service (RaaS) program called VanHelsingRaaS has been making waves in the cybercrime world. Launched on March 7, 2025, this service has already demonstrated its rapid growth and deadly potential, having infected three victims within just two weeks of its introduction. Reputable affiliates can […]
Why hack one device, when you can hack all of them? By reverse-engineering and finding vulnerabilities in user-machine association flows for smart weighing machines, I was able to take over millions of internet-connected health devices. Hardware and web security are two halves of modern smart device security, and learning to hack both can yield impressive and scary results.
It’s us again!
Once again, we hear the collective groans - but we're back and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in yet another backup and replication solution..
While we would enjoy a world in which we could be a little merciful - today we'll explore the painful world of blacklist-based security mechanisms. You can treat this post as a natural continuation of our CVE-2024-40711 writeup, which was written by fel
Introduction In this post, we’ll show precisely how to chain round-trip attacks and namespace confusion to achieve unauthenticated admin access on GitLab Enterprise by exploiting the ruby-saml library
# !exploitable Episode Three - Devfile Adventures
18 Mar 2025 - Posted by Francesco Lacerenza
## Introduction
I know, we have written it multiple times now, but in case you are just tuning in, Doyensec had found themselves on a cruise ship touring the Mediterranean for our company retreat. To...
I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’.
Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, and so had to get my teeth into things quickly.
Two primary goals were clear:
1. Look at something completely new - I quickly realized that I've never looked at any CMS solution, and so could be a fun good star
STAR Labs Windows Exploitation Challenge Writeup Over the past few months, the STAR Labs team has been hosting a Windows exploitation challenge. I was lucky enough to solve it and got myself a ticket to Off-By-One conference. Here is my writeup for the challenge!
Analyzing the binary We are given a Windows kernel driver. Basic analysis shows that it is used to receive and save messages sent from usermode.
Important structures There are two key structures used in this driver: handle and message entry.

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence
Mar 13 2025 @ 11:24 AM
Kri Dontje
This post highlights some new research, tricks and improvements on data smuggling techniques.
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
Key Points Introduction APT-C-36, also known as Blind Eagle, is a threat group that engages in both espionage and cybercrime. It primarily targets organizations in Colombia and other Latin American countries. Active since 2018, this Advanced Persistent Threat (APT) group focuses on government institutions, financial organizations, and critical infrastructure. Blind Eagle is known for employing […]
# Exploiting Neverwinter Nights
Back in 2024, we looked for vulnerabilities in Neverwinter Nights: Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain a...
# Node is a loader
Node.js supports C++ addons (also referred to as native modules). They allow you to extend your module's functionality using a shared object.
_Addons_ are dynamically-linked shared objects written in C++. The require() function can load addons as ordinary Node.js modules....
### Summary
A logical flaw in the pg_cron extension allows low-privileged users with ownership over pg_cron's job table or ability to change the value of cron.database_name to run arbitrary SQ...
# Case Study: How Hunters International and friends target your hypervisors
Hunters International is a Ransomware-as-a-Service (RaaS) operation that surfaced in October 2023, after acquiring the source code and infrastructure of the late Hive ransomware group. Today, according to publicly...
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Simon Humbert and Guy Lederfein of the Trend Micro Research Team detail a recently patched code execution vulnerability in the Microsoft Windows Key Distribution Center (KDC) Proxy. This bug was originally discov
# !exploitable Episode Two - Enter the Matrix
04 Mar 2025 - Posted by Dennis Goodlett
## Introduction
In case you are just tuning in, Doyensec has found themselves on a cruise ship touring the Mediterranean. Unwinding, hanging out with colleagues and having some fun. Part 1 covered our journey...
TL;DR: In this post, I discuss the cost of Go’s panic and recover functions through a programme adapted from Joshua Bloch’s Effective Java book.

Abusing Java exceptions for control flow: Even though my Java days are long gone and Go has been my language of predilection for a while, I still occasionally revisit Effective Java, Joshua Bloch’s seminal and award-winning book, and I never fail to rediscover nuggets of wisdom in it.
Research by: Itay Cohen (@megabeets_) Over the past few decades, hacktivism has been, in a lot of cases, characterized by minor website defacements and distributed denial-of-service (DDoS) attacks, which, while making headlines, had minimal lasting impact. However, in recent years, we have observed a significant shift in the nature of these activities. Groups that appear to […]
# !exploitable Episode Two - Enter the Matrix
27 Feb 2025 - Posted by Dennis Goodlett
## Introduction
In case you are just tuning in, Doyensec has found themselves on a cruise ship touring the Mediterranean. Unwinding, hanging out with colleagues and having some fun. Part 1 covered our journey...
As an industry, we believe that we’ve come to a common consensus after 25 years of circular debates - disclosure is terrible, information is actually dangerous, it’s best that it’s not shared, and the only way to really to ensure that no one ever uses information in a way that you don’t like (this part is key) is to make up terms for your way of doing things.
We have actively petitioned vendors to be more transparent, and we’re currently investing a lot of R&D time in the development of the bes
# Modeling Microarchitectural Side Channel Attacks for Fun & Profit
#### Ravichandran, Joseph
## Permalink
https://hdl.handle.net/2142/110288
## Description
Title: Modeling Microarchitectural Side Channel Attacks for Fun & Profit. Author(s): Ravichandran, ...
## Discovering Novel Microarchitectural Security Vulnerabilities in Modern Processors
##### Author(s)
Ravichandran, Joseph
Thesis PDF (5.729Mb)
##### Advisor
Yan, Mengjia
##### Abstract
For decades, computer security issues...
# Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav
When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an...
By: Dikla Barda, Roman Zaikin & Oded Vanunu. On February 24, Check Point Blockchain Threat Intel System observed a sophisticated attack on a DeFi protocol, Infini. Infini is a digital banking platform in the crypto space that offers its users savings yields and other financial services. The platform aims to make crypto assets more accessible […]
Highlights Introduction While the abuse of vulnerable drivers has been around for a while, those that can terminate arbitrary processes have drawn increasing attention in recent years. As Windows security continues to evolve, it has become more challenging for attackers to execute malicious code without being detected. As a result, the attackers often aim to […]
Research by Dikla Barda, Roman Zaikin and Oded Vanunu. On February 21st, Check Point Blockchain Threat Intel System alerted on a critical attack log on the Ethereum blockchain network. The log indicated that the AI engine had identified an anomalous change in this transaction and categorised it as a critical attack in real time. It was indicated that […]
Executive Summary Why We Care about Sandbox Emulation As a discipline, information security involves a vast web of entry vectors, mitigations, and counter-mitigations. Among these, one of the most impactful points of conflict between attackers and defenders is what happens when binaries are subjected to sandbox emulation. Purely static analysis has been understood to be […]
Have you ever wondered how many vulnerabilities you've missed by a hair's breadth, due to a single flawed choice? We've just released Shadow Repeater, which enhances your manual testing with AI-powere
# LSA Secrets: revisiting secretsdump
When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous `secretsdump.py` script from the impacket suite...
As you may have already heard, the HIPAA Security Rule is undergoing a much-needed update. We wanted to discuss what Covered Entities and Business Associates - now referred to as “Regulated Entities” - can expect as the new rule moves through the federal register phases of the Notice of Proposed Rul