Aggregator

文章讲述作者发现个人信息被暗网拍卖后学习OSINT和取证技术的经历, 揭示了暗网的混乱本质及普通用户的真实身份暴露问题, 并探讨了调查人员对勒索软件的关注。

文章强调在Web开发中从设计阶段开始考虑安全的重要性，并介绍了如何通过应用安全架构审查（ASARs）识别和修复潜在漏洞。文中详细探讨了威胁建模、认证与授权、输入验证等关键安全措施，并结合云、容器和DevSecOps等现代需求，提供了实用的安全实践建议。

文章解释了HTTPS的工作原理、Burp Suite如何通过代理和证书伪造实现中间人攻击，以及SSL Pinning如何防止此类攻击及其绕过方法。

一家东南亚电动汽车初创公司的移动应用在手机号验证过程中存在重大漏洞：即使输入的手机号从未注册过，系统仍会发送验证码至该号码。这一缺陷可能导致滥用、经济损失甚至平台被封禁。

苹果可能放弃自研AI，转而与OpenAI和Anthropic合作，在未来版本的Siri中整合ChatGPT和Claude。这一转变源于内部延误、产品失败和投资者质疑。Siri曾是创新标杆，但已被竞争对手的生成式AI超越。

凌晨2:47 AM的研究人员在测试GraphQL API时发现大量用户数据泄露，揭示了API欺骗性提示背后的潜在风险。

凌晨2:47,看完《黑镜》后,作者探索GraphQL端点,发现API谎称"已达到限制",实则泄露大量用户数据。

A newly disclosed vulnerability in the Python-based data-exfiltration utility used by the notorious Cl0p ransomware group has exposed the cybercrime operation itself to potential attack. The flaw, cataloged as GCVE-1-2025-0002, was identified by Italian security researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL) on July 1, 2025. Vulnerability Details The […]

The post Cl0p Ransomware’s Exfiltration Process Exposes RCE Vulnerability appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

这篇文章记录了作者学习网络安全知识的第二周内容，涵盖了不同类型的网络（如PAN、LAN）、网络设备（如集线器、交换机）、蓝牙技术、Wi-Fi安全协议（如WEP、WPA2）、ARP中毒攻击以及TCP和UDP协议等内容。

文章探讨了在Proxmox服务器中选择存储后端（ZFS或LVM-Thin）的重要性，并通过用户反馈分析了两者的优缺点及适用场景。

Craig Giles组织的“Waveband Hack Club YSWS”是一个非营利项目，旨在通过编程项目教青少年学习。参与者需用RTL-SDR dongle编写程序，并在完成任务后获得V4 dongle和天线套件奖励。活动限时至7月11日。

Без IBM и без Google: в России появился конкурент в квантовой гонке.

文章介绍了一种SQL注入技术，通过利用产品分类过滤器中的漏洞进行UNION攻击。作者展示了如何确定查询返回的列数，并成功注入字符串“2ibKWe”，以演示如何从其他表中提取数据。

文章介绍了一种SQL注入UNION攻击方法，通过确定查询返回的列数和识别兼容字符串数据的列来构造攻击，最终提取目标值。

文章介绍了一个时间盲SQL注入漏洞的实验过程。通过发送特定的payload（如`' || (SELECT pg_sleep(10))--`），攻击者可以利用PostgreSQL数据库的`pg_sleep`函数引发10秒延迟，从而确认漏洞的存在并推断数据库类型。

A vulnerability classified as problematic was found in MultiVendorX Plugin up to 4.2.22 on WordPress. Affected by this vulnerability is an unknown functionality. The manipulation leads to insertion of sensitive information into sent data. This vulnerability is known as CVE-2025-48261. The attack can be launched remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Steel Browser up to 0.1.3. This affects the function handleFileUpload of the file api/src/modules/files/files.routes.ts. The manipulation of the argument filename leads to path traversal. This vulnerability is uniquely identified as CVE-2025-6152. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in conda-build up to 25.3.x. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to path traversal. This vulnerability is known as CVE-2025-32799. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Master Slider Plugin up to 3.10.8 on WordPress. It has been rated as problematic. This issue affects the function ms_slide of the component Shortcode Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2025-5291. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, was found in spdlog up to 1.15.1. This affects the function scoped_padder in the library include/spdlog/pattern_formatter-inl.h. The manipulation leads to resource consumption. This vulnerability is uniquely identified as CVE-2025-6140. It is possible to launch the attack on the local host. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.