Last Week in Security (LWiS) - 2024-11-04

WAF bypasses (@MDSecLabs), sastsweep (@_chebuya), Early Cascade injection (@DaWouw), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-10-28 to 2024-11-04.

News

Techniques and Write-ups

Tools and Exploits

  • rustmerger - A robust command-line tool built in Rust that makes merging and deduplicating text files a breeze. Whether you're dealing with small files or massive datasets, this tool handles the heavy lifting with parallel processing and smart error handling.
  • CVE-2024-46538 - pfSense stored XSS leading to remote code execution, proof of concept.
  • OpenHashAPI - OpenHashAPI (OHA) is designed to store and maintain hashes and plaintext in a centralized database. OHA is written in Go and designed for containerized deployment. For more information see [PDF] No Cap Cracking: Improving Offline Hash Recovery Methodologies.
  • sastsweep - Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open source security research targets.
  • Cable - .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation.
  • rustclr - A library for hosting the Common Language Runtime (CLR) and executing .NET binaries directly from Rust, among other operations.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • microsocks - a SOCKS5 service that you can run on your remote boxes to tunnel connections through them, if for some reason SSH doesn't cut it for you.
  • Hijack the TypeLib. New COM persistence technique - Introduces TypeLibWalker to persist via TypeLib hijacking on Windows.
  • Scrapegraph-ai - Python scraper based on AI.
  • Through the Looking Glass - A small post about tunnelling UDP over TCP and WireGuard Site-to-Site VPN configurations.
  • noir - Attack surface detector that identifies endpoints by static analysis.
  • chartdb - Free and open-source database diagrams editor, visualize and design your DB with a single query.
  • sidekick - Bare metal to production ready in mins; your own fly server on your VPS.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
