Here are a few of the interesting and useful articles and tools that I came across last week.
Articles and news:
Zero-day in popular jQuery plugin actively exploited for at least three years
For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers.
A red teamer’s guide to pivoting
Pivoting is a set of techniques used during red team/pentest engagements which make use of attacker-controlled hosts as logical network hops with the aim of amplifying network visibility.
Exploiting blind SQL injections with Burpsuite collaborator
Intel techniques: new OSINT search portal
The all-powerful set of OSINT tools by Michael Bazzell receives an update.
LibSSH flaw allows attackers to take over servers without a password
A four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as Libssh that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password.
Tools and tech:
Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
Another tool that clones and scans repos for secrets.
A huge curated list of OSINT resources.
Script to retrieve O365 information with valid credentials.
ZeroBin.net is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.