I read this last week: WC 15 October 2018

By | October 22, 2018

Here’s a few of the interesting and useful articles and tools that I’ve come across last week.

Articles and news:

Zero-day in popular jQuery plugin actively exploited for at least three years

For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers


A red teamers guide to pivoting

Pivoting is a set of techniques used during red team/pentest engagements which make use of attacker-controlled hosts as logical network hops with the aim of amplifying network visibility.


Exploiting blind SQL injections with Burpsuite collaborator

 


Intel techniques: new OSINT search portal

The all powerful set of OSINT tools by Michael Bazzell receives an update


LibSSH flaw allows attackers to take over servers without a password

A four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as Libssh that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password



Tools and tech:

Gitleaks

Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.


Git-All-Secrets

Another tool that clones and scans repo’s for secrets.


Awesome OSINT

A huge curated list of OSINT resources


O365 recon

Script to retrieve O365 information with valid credentials


ZeroBin

ZeroBin.net is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.