Prototype Pollution is a JavaScript vulnerability where it’s possible for an attacker to control unexpected variables in JavaScript, which on the client-side can lead …
Author: NetSPI
During a recent red team operation, NetSPI discovered a local privilege escalation path in the default installation of Microsoft Service Fabric Runtime, software commonly used for local application development. …
Summary: The interaction between web2 client-server architectures and web3 systems presents security challenges. Web3 systems often rely on classic centralized components, which can create unique attack surfaces. In this post, …
Summary: Azure Deployment Scripts with User-Assigned Managed Identities can be exploited by attackers to gain unauthorized access and escalate privileges. The Deployment Scripts service allows users to run code in …
Summary: The article discusses the Azure Batch service and highlights potential areas for misconfigurations and sensitive data exposure. It explains how the service functions as a middle ground between …
Summary: The article discusses the technique of HTML smuggling and introduces a new approach using WebAssembly (Wasm). It explains how Wasm allows code to be written in system …
Summary: TOTP (Time-Based One-Time Password) is a common two-factor authentication method that generates time-sensitive passcodes. However, it has become outdated and vulnerable to brute force attacks. In this article, the …
Summary: The blog post discusses the potential security risks associated with Azure Container Registry (ACR) and the abuse of Managed Identities to generate tokens. It introduces a tool called …
Summary: XPath Injection is a significant threat in web applications that allows attackers to exploit user input and gain unauthorized access to sensitive data. This blog explores the risks …
Summary: The article discusses the discovery of a vulnerability in Azure Function Apps that allowed for the extraction of managed identity credentials. The issue has since been addressed by …