%term

ServiceNow - Username Enumeration Vulnerability (CVE-2021-45901)

Feb 4, 2022 By Trustwave In Trustwave

During a recent engagement Trustwave SpiderLabs discovered a vulnerability (CVE-2021-45901) within ServiceNow (Orlando) which allows for a successful username enumeration by using a wordlist. By using an unauthenticated session and navigating to the password reset form, it is possible to infer a valid username. This is achieved through examination of the HTTP POST response data initially triggered by the password reset web form. This response differs depending on a username's existence.

Read Post

Trustwave

Read more about ServiceNow - Username Enumeration Vulnerability (CVE-2021-45901)

Pentest 101: How to Dodge the Directory Traversal Vulnerability

Feb 4, 2022 By Astra In Astra

Directory Traversal might not be considered as a high-impact vulnerability but it can be a stepping stone to information leak and shell upload vulnerability. The lack of directory traversal security can allow an attacker to manipulate the file path to gain unauthorized access to different files in the directory. You need penetration testing to detect the directory traversal vulnerability. This video is a short explanation of how the file traversal vulnerability can be exploited, and how you can avoid it.

View Video

Astra

Read more about Pentest 101: How to Dodge the Directory Traversal Vulnerability

Vulns Unleashed: Pwnkit

Feb 3, 2022 By Snyk In Snyk

Dive in to the Pwnkit privilege escalation vulnerability with Kyle and Brian!

View Video

Snyk

Read more about Vulns Unleashed: Pwnkit

Fun with ciphers in copycat Wordles

Feb 2, 2022 By Micah Silverman In Snyk

Here at Snyk, we spend a lot of time researching vulnerabilities. We do that because there are a lot of other folks out there researching new ways to break into apps and systems. We’re often putting on our “grey hats” to think like a malicious hacker. I regularly view-source, look at network traffic and eyeball query strings. One such delicious little query string caught my attention this week on one of the many copycat Wordle sites.

Read Post

Snyk

Read more about Fun with ciphers in copycat Wordles

Log4Shell Live Hack: A Hands-on, Actionable Fix Guide

Feb 2, 2022 By Snyk In Snyk

In this live hack webinar on the Log4Shell exploit we give a brief overview of the vulnerability and dive right into some examples of the exploit in action. We then show several real-world remediation approaches as well as other fixes outside of code. We feature a final round of fun demos, including container and IaC hacks and Java-based game hacks. We wrap up with a great list of takeaway resources and answer your questions.

View Video

Snyk

Read more about Log4Shell Live Hack: A Hands-on, Actionable Fix Guide

Top 10 Uses of Website Vulnerability Scanner Tools

Feb 2, 2022 By Indusface In Indusface

The average cost of data breaches in 2021 was USD 4.24 million, the highest figure in at least 17 years. So, proactive, accurate, and effective identification of security vulnerabilities is non-negotiable and offers a solid basis for adequate security. By proactively identifying these vulnerabilities, weaknesses, and flaws in the application, website vulnerability scanner tools bring accuracy and efficiency in web application security.

View Video

Indusface

Read more about Top 10 Uses of Website Vulnerability Scanner Tools

Log4j Update: Brian Roche - Chief Product Officer

Feb 1, 2022 By Veracode In Veracode

Things we learned from the Log4j vulnerability.

View Video

Veracode

Read more about Log4j Update: Brian Roche - Chief Product Officer

The Impact of CVE-2022-0185 Linux Kernel Vulnerability on Popular Kubernetes Engines

Feb 1, 2022 By Itay Vaknin and Jonathan Sar Shalom In JFrog

Last week, a critical vulnerability identified as CVE-2022-0185 was disclosed, affecting Linux kernel versions 5.1 to 5.16.1. The security vulnerability is an integer underflow in the Filesystem Context module that allows a local attacker to run arbitrary code in the context of the kernel, thus leading to privilege escalation, container environment escape, or denial of service.

Read Post

JFrog

Read more about The Impact of CVE-2022-0185 Linux Kernel Vulnerability on Popular Kubernetes Engines

Snyk integrates with AWS CloudTrail Lake to simplify security audits

Feb 1, 2022 By David Lugo, David Schott In Snyk

Since organizations around the globe began investing more aggressively in their digital transformation by migrating and modernizing applications within the cloud, the value of audit logging has shifted. It has expanded from industries like finance and healthcare to nearly any company with a digital strategy.

Read Post

Snyk

Read more about Snyk integrates with AWS CloudTrail Lake to simplify security audits

Hunting pwnkit Local Privilege Escalation in Linux (CVE-2021-4034)

Feb 1, 2022 By Andrew Munchbach In CrowdStrike

In November 2021, a vulnerability was discovered in a ubiquitous Linux module named Polkit. Developed by Red Hat, Polkit facilitates the communication between privileged and unprivileged processes on Linux endpoints. Due to a flaw in a component of Polkit — pkexec — a local privilege escalation vulnerability exists that, when exploited, will allow a standard user to elevate to root.

Read Post