Memory leaks are like water leaks: they happen when you least expect it, take hours to locate and make you wish you had spent more time protecting your valuables.
Starred Articles
This article details how a canary can be set up to detect XSS attacks in a victim's browser.
We discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller. Exploitation of these vulnerabilities gives attackers unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, which can result in cluster takeover.
Defensive tools like AVs and EDRs rely on command-line arguments for detecting malicious activity. This post demonstrates how command-line obfuscation, a shell-independent technique that exploits executables' parsing "flaws", can bypass such detections.
Distributed COM (DCOM) remoting technology can be abused by trapping COM objects that can be used to execute .NET managed code in the context of a server-side DCOM process. We will leverage this technique to develop a proof-of-concept fileless lateral movement technique by abusing trapped COM objects.
Gemini relies on a sandbox to safely run AI-generated or custom pieces of code. We detail how we managed to obtain part of the sandbox code and how we escaped it.
New Articles
VanHelsing, new RaaS in Town
03/23/2025 VanHelsingRaaS is a new and rapidly growing ransomware-as-a-service (RaaS) targeting Windows, Linux, BSD, ARM, and ESXi systems. We provide a technical analysis of the Windows variant.
We explore a critical vulnerability discovered in Next.js. This vulnerability (CVE-2025-29927) stems from the x-middleware-subrequest header, which can override middleware rules. It allows bypassing middleware security checks, including authentication and authorization.
Firefox stores extensive user activity data, making it possible to determine browsing history, downloads, bookmarks, and even synchronized data. This guide will walk you through a detailed forensic analysis of Firefox, covering history tracking, filling in evidence gaps, and deep-dive analysis techniques.
Firefox Privacy Settings and Firefox Extensions as well as synchronization: A Forensic Deep Dive
03/17/2025 Mozilla Firefox, one of the most widely used web browsers, offers users extensive customization options, privacy controls, and synchronization capabilities. From a forensic perspective, these features generate crucial artifacts that can provide valuable insights during investigations.
Web browsers store credentials and other sensitive data for user convenience, but this also introduces security risks. Understanding how browsers manage credential storage, encryption mechanisms like DPAPI, and forensic recovery techniques is crucial for security professionals and incident responders.
Microsoft Edge introduced Collections, a unique feature that enhances how users organize and save web content. Unlike traditional bookmarks, Collections allow users to group URLs, images, text snippets, and notes in a structured way. This makes it an invaluable tool for research, productivity, and forensic investigations.
For anyone dealing with Edge synchronization, whether from a security, privacy, or forensic analysis perspective, knowing how data is handled is key to making informed decisions about digital traces and potential vulnerabilities.
We detail the steps cybersecurity investigators and digital forensic analysts should follow to uncover a comprehensive picture of user activities and potential security threats. Browser data analysis is a powerful tool in the fight against cybercrime, providing invaluable insights that can make or break an investigation.
Electron Application Forensics and Analyzing LevelDB in Digital Forensics: A Simple Guide
03/22/2025 Electron is a game-changer in the world of app development. From a forensic perspective, Electron apps are interesting for two main reasons: Electron is Chromium-based, and each Electron app maintains its own browser-like database. If you're investigating a system, chances are you'll find multiple Electron applications, each leaving behind valuable forensic artifacts.
In this article, we illustrate how encrypted applications may not always be as secure as they appear and demonstrate methods that other experts can utilise to gain access to the application's data.
We provide a full attack chain analysis of a ransomware intrusion achieving initial access through CVE-2024-55591, an authentication bypass vulnerability affecting FortiOS and FortiProxy. Threat actors executed various reconnaissance commands, created user accounts, and attempted to exfiltrate data. The ransomware was then deployed to encrypt files.
The threat of BitM attacks emphasizes the importance of robust authentication and access-control mechanisms. By adopting a multi-layered defense strategy incorporating client certificates, hardware-based MFA solutions such as FIDO2-compatible security keys, and compensating controls, organizations can significantly enhance their resilience against these sophisticated threats.
Threat hunting case study: RMM software
03/18/2025 Threat actors are increasingly leveraging legitimate remote monitoring and management (RMM) applications to infiltrate and move through networks. This article is a tutorial on threat hunting for RMM software abuse.
Red Teaming with ServiceNow
03/21/2025 This blog post aims to highlight how access to ServiceNow can be abused to perform a range of attacks: custom actions, discovery, orchestration, LDAP listener, and relaying.
Rilide is an example of an information stealer masquerading as a browser extension. In this article, we will learn about its delivery methods and intrusion chain.
Palo Alto Cortex XDR bypass
03/19/2025 CVE-2024-8690 is a vulnerability in Palo Alto's Cortex XDR. This article provides the technical details outlining how this could be exploited by an Administrator-level user account to disable Cortex XDR.
If you're using Kali Linux on WSL (Windows Subsystem for Linux) and want to capture or analyze its traffic in Burp Suite, you may run into challenges. In this guide, we'll walk you through the complete process of proxying Kali WSL traffic through Burp Suite installed on your Windows machine.
Windows LNK - Analysis & Proof-of-Concept
03/20/2025 We rely on the different techniques related to Windows shortcut exploitation to build a proof-of-concept LNK file embedding a malicious payload.
In this post, I will attempt to integrate AI into a C2 implant. The purpose is to have the malware perform actions based on natural language requests from the operator.
This post details three vulnerabilities in the Appsmith Enterprise platform, including technical breakdowns, proof-of-concept exploits, and detection methods: CVE-2024-55963, which allows unauthenticated remote code execution, and CVE-2024-55964 and CVE-2024-55965, which enable unauthorized access to sensitive data and application denial of service.
Rust for Malware Development
03/24/2025 This blog explores the advantages of using Rust over C for malware development, highlighting Rust's evasive characteristics and challenges for reverse engineering. Through a hands-on example of a simple shellcode dropper, it demonstrates how Rust can better simulate modern adversarial tactics.
Understanding Windows Kernel Pool Memory
03/24/2025 This blog covers Windows pool memory from scratch, including memory types, debugging in WinDbg, and analyzing pool tags. We'll also use a custom tool to enumerate pool tags effortlessly and explore the segment heap.
What not to do with on-prem virtualization
03/21/2025 This post's main topic revolves around one idea: Broken Tiering. We will see examples showing how to exploit common misconfigurations in virtualized environments, such as storing unencrypted VM backups, managing hypervisors and EDR consoles within Active Directory, or a lack of integrity checks on disk images, user profiles or backups.
In this second part, we'll demonstrate how an attacker, having bypassed authentication, can leverage subsequent vulnerabilities to completely compromise the JumpServer infrastructure and internal hosts.
This blogpost discusses the journey of finding and exploiting CVE-2024-26170, a kernel 0day in Windows 11 Composite Image File System driver (cimfs.sys) leading to Local Privilege Escalation.
This is the story of how we uncovered an exposed secret leading to a race condition on GitHub CodeQL, a potential supply chain attack, and CVE-2025-24362.
This blog post explores the usage of Binary Ninja's Medium Level Intermediate Language (MLIL) to establish a data flow graph by tracing interactions between a specific memory allocation and other memory regions. Building on the data flow graph, it is further utilized in context-insensitive reachability analysis across functions to identify potential Use-After-Free (UAF) vulnerabilities in binaries.
Still Recent
This article covers the development of a Linux kernel module written in Rust aimed at detecting rootkits.
We explore the complexities of breaking AES-encrypted firmware. We will see how we detected patterns in highly encrypted firmware files and leveraged XOR properties, machine learning, and reinforcement learning to recover approximately 65% of the original firmware content.
GoPhish provides a nice platform for creating and running phishing campaigns. This blog will guide you through installing GoPhish and creating a campaign.
Oldies but Goodies
Blasting Past Webp
09/07/2023 We provide an analysis of the BLASTPASS iMessage exploit chain, a zero-click exploit relying on a buffer overflow in ImageIO (CVE-2023-41064) and arbitrary code execution through attachments (CVE-2023-41061).
In this post, we'll go over three popular third-party software services that most (internal) software teams make use of. We'll explain thoroughly how they can lead to data theft, service disruption, or even financial damage when access to them is left incorrectly configured.
Unearthed Arcana
Both Windows software trace preprocessor (WPP) and TraceLogging were designed primarily for debugging purposes but potentially offer reverse engineers, vulnerability researchers, and detection engineers an opportunity to peer inside Windows binaries all without requiring a debugger.