Aggregator

文章描述了在基于GraphQL的用户管理系统中发现的CSRF漏洞。由于GraphQL端点配置为接受application/x-www-form-urlencoded内容类型，浏览器会自动附加cookie到外部网站发起的请求中，从而引发潜在安全风险。

文章描述了GraphQL用户管理系统中的CSRF漏洞。该漏洞源于GraphQL端点接受application/x-www-form-urlencoded内容类型，导致浏览器自动附加cookie，从而可能引发CSRF攻击。

文章介绍了文件上传漏洞的概念及其易被忽视的安全风险。通过解释文件类型、扩展名及其作用，强调了正确处理文件上传的重要性。

作者在咖啡店使用SaaS平台发现了一个安全漏洞。通过利用内置脚本语言中的函数从外部URL获取数据，并尝试SSRF（服务器端请求伪造），最终成功提取了Azure云平台的访问令牌。这使他获得了对服务器及其云资源的完全控制权。

作者通过探索SaaS平台内置文件编辑器发现SSRF漏洞，利用外部数据函数获取云元数据和访问令牌，最终实现对服务器的全面控制。

80% of AI tools used by employees go unmanaged by IT or security teams, according to Zluri’s The State of AI in the Workplace 2025 report. AI is popping up all over the workplace, often without anyone noticing. If you’re a CISO, if you want to avoid blind spots and data risks, you need to know where AI is showing up and what it’s doing across the entire organization. What’s happening and why it matters … More →

The post AI tools are everywhere, and most are off your radar appeared first on Help Net Security.

A CVSS score 6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L severity vulnerability discovered by 'Guy Lederfein of Trend Research' was reported to the affected vendor on: 2025-07-03, 77 days ago. The vendor is given until 2025-10-31 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Aleksandar Djurdjevic (https://github.com/revengsmK)' was reported to the affected vendor on: 2025-07-03, 78 days ago. The vendor is given until 2025-10-31 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

A CVSS score 7.8 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'rgod' was reported to the affected vendor on: 2025-07-03, 78 days ago. The vendor is given until 2025-10-31 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.

作者在2019年发现Java依赖解析中使用HTTP而非HTTPS导致的安全漏洞，并推动多方合作关闭HTTP支持、改进默认设置及利用自动化工具修复大量项目，最终消除这一系统性安全漏洞。

文章讲述作者发现个人信息被暗网拍卖后学习OSINT和取证技术的经历, 揭示了暗网的混乱本质及普通用户的真实身份暴露问题, 并探讨了调查人员对勒索软件的关注。

文章强调在Web开发中从设计阶段开始考虑安全的重要性，并介绍了如何通过应用安全架构审查（ASARs）识别和修复潜在漏洞。文中详细探讨了威胁建模、认证与授权、输入验证等关键安全措施，并结合云、容器和DevSecOps等现代需求，提供了实用的安全实践建议。

文章解释了HTTPS的工作原理、Burp Suite如何通过代理和证书伪造实现中间人攻击，以及SSL Pinning如何防止此类攻击及其绕过方法。

一家东南亚电动汽车初创公司的移动应用在手机号验证过程中存在重大漏洞：即使输入的手机号从未注册过，系统仍会发送验证码至该号码。这一缺陷可能导致滥用、经济损失甚至平台被封禁。

苹果可能放弃自研AI，转而与OpenAI和Anthropic合作，在未来版本的Siri中整合ChatGPT和Claude。这一转变源于内部延误、产品失败和投资者质疑。Siri曾是创新标杆，但已被竞争对手的生成式AI超越。

凌晨2:47 AM的研究人员在测试GraphQL API时发现大量用户数据泄露，揭示了API欺骗性提示背后的潜在风险。

凌晨2:47,看完《黑镜》后,作者探索GraphQL端点,发现API谎称"已达到限制",实则泄露大量用户数据。

A newly disclosed vulnerability in the Python-based data-exfiltration utility used by the notorious Cl0p ransomware group has exposed the cybercrime operation itself to potential attack. The flaw, cataloged as GCVE-1-2025-0002, was identified by Italian security researcher Lorenzo N and published by the Computer Incident Response Center Luxembourg (CIRCL) on July 1, 2025. Vulnerability Details The […]

The post Cl0p Ransomware’s Exfiltration Process Exposes RCE Vulnerability appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

这篇文章记录了作者学习网络安全知识的第二周内容，涵盖了不同类型的网络（如PAN、LAN）、网络设备（如集线器、交换机）、蓝牙技术、Wi-Fi安全协议（如WEP、WPA2）、ARP中毒攻击以及TCP和UDP协议等内容。