• Analysis of JWT security issues


    When I researched websocket not long ago, I found that port-swigger has a new shooting range. At first glance, I found that it was about jwt security, just to summarize and recall. Introduction to JWT Json web token (JWT), a JSON-based open standard (RFC 7519) for passing claims between web application environments RFC 7519:https://datatracker.ietf.org/… He […]

  • A problem caused by hard links


    A problem caused by hard links problem background The loophole about Fastjson has been exposed again recently, and as a repairman (oh no, professional software engineer), it is time for us to perform again. We have a lot of services that use the old version of the vulnerable jar package. In order to solve this […]

  • OSCS Open Source Safety Weekly Issue 9: Open source component command execute vulnerability concentrated outbreak


    Settlement of Security this week The OSCS community contains a total of 39 security vulnerabilities. The public vulnerability is worthy of attention. -2022-37021), github in gitlab introduced API existing remote code execution vulnerabilities (CVE-2022-2992) and OpenSSL existence of command execution vulnerabilities (CVE-2022-1292). For the NPM and PYPI warehouses, a total of 4 poisoning incidents were […]

  • Mobile phone termux running and leak scanning tool, be a script kid anytime, anywhere


    Three easy-to-use scanning tools Kscan run fingerprint/blast afrog run poc run with fscan 1. Termux installation 【termux official website】【ZeroTermux】【ZeroTermux Android 5】 ZeroTermux source change (skipable) sed -i ‘[email protected]^\(deb.*stable main\)[email protected]#\1\ndeb https://mirrors.tuna.tsinghua.edu.cn/termux/termux-packages-24 stable [email protected]’ $PREFIX/etc/apt/sources.list && apt update && apt upgrade 2. Install Linux distribution Alpine with termux Install curl -LO https://raw.githubusercontents.com/Hax4us/TermuxAlpine/master/TermuxAlpine.sh bash TermuxAlpine.sh start alpine startalpine […]

  • Memcached UDP reflection attack vulnerability


    problem log At noon today, a colleague responded that a system was turned on very slowly, thinking it was a computer problem (manually snickering). Open the website and see that even the static files are slow at a speed of a few KB/S. This is obviously unreasonable. After checking the server, the CPU is normal, […]

  • CVE-2019-18276 Gun Bash Conditional Race Vulnerability


    Recently, I was looking at the loopholes in K8S. After analyzing the loopholes, I saw a Gun Bash conditional competition loophole. The reason and recurrence of the loophole are relatively simple, but it includes some conditional competition TOCTOU and some basic knowledge of linux files. It feels worth recording. , hence this article: 1. Vulnerability […]

  • Analysis of Http-Sumggling Cache Vulnerability


    Let’s see what happens when http request smuggling and web caching come together. Before touching the Http Sumggling cache vulnerability, we need to understand Http Sumggling and Web caching first. What is web caching WEB cache refers to the static files of the website, such as pictures, CSS, JS, etc., when the website is accessed, […]

  • This awesome IDE plugin helps you easily fix security holes in your code


    Remember the log4j vulnerability that broke out last year? Remember the scene where security engineers are often chased to fix because of code bugs? Don’t want to spend too much time fixing bugs, or just don’t know how to fix them. Recently, we launched an IDE plug-in to help developers easily solve code security problems. […]