I wrote a hands on guide that shows how leaked webhooks surface as an attack vector; how to find them in the wild; how to craft safe non destructive PoCs; how to harden receivers. Includes curl examples for Slack and Discord; Node.js and Go HMAC verification samples; a disclosure template.

Why this matters

• webhooks are often treated as bearer secrets; leaks are common
• small mistakes in verification or ordering can become business logic bugs
• many real world impacts are serviceable without flashy RCE

What you get in the post

• threat model and scope guidance
• detection rules and SIEM ideas

Read it here: https://blog.himanshuanand.com/posts/2025-09-17-how-to-hack-webhooks/
Notes: do not test endpoints you do not own. follow program scope and responsible disclosure rules.

Happy hunting

A few months ago Dutch newspaper de Volkskrant published a very interesting article describing how, according to secret Iranian documents obtained by the newspaper, the Islamic Revolutionary Guard Corps (IRGC) was attempting to procure encrypted, Chinese Tiantong-1 satellite phones due to increasing distrust of Iranian communications infrastructure in the light of the Iran-Israel war. In this first blogpost of a 2-part series, the previously unexplored Tiantong-1 satellite system and its security aspects are illuminated.

As an AppSec leader building out our AI agent security program, I’m constantly looking for real-world insights. By luck I was in New York when the first AI Agent Security Summit took place, and it exceeded my expectations. Talks covered persistence, lateral movement, and runtime defenses — not just theory.

The next one is in San Francisco on October 8. I’m making the trip from Austin this time. It’s a small summit, but the speaker lineup looks excellent, so I figured I’d spread the word for folks in the Bay Area who may not have heard about it.

A path traversal in LG webOS TV allows unauthenticated file downloads, leading to an authentication bypass for the secondscreen.gateway service, which could lead to a full device takeover.

A cross platform GUI app for browsing LDAP and will direct YOLO into a Neo4J database, it comes with LDAP/LDAPS browsing capabilities, it'll run standalone and you can modify it how you like.

This class by Bill Roberts (a core maintainer in the tpm2-software organization), provides a comprehensive introduction to Trusted Platform Module (TPM) 2.0 programming using the Python-based tpm2-pytss library. Designed for developers, security engineers, and researchers, the course covers both foundational TPM 2.0 concepts and practical hands-on development techniques for interacting with TPM hardware and simulators.

Students will learn the architecture and security goals of TPM 2.0, the structure of TPM objects, and how to work with cryptographic keys, non-volatile storage, platform configuration registers (PCRs), and authorization policies. Through the use of the tpm2-pytss library, participants will develop Python applications that interface with the TPM to perform tasks such as key provisioning, sealing and unsealing secrets, attestation, and policy-based access control.

Like all current #OST2 classes, the core content is made fully public, and you only need to register if you want to post to the discussion board or track your class progress. Based on beta testing this class takes a median of 13 hours to complete.

Hey everyone,

We just published our 2025 Supabase Security Best Practices Guide, based on findings and common misconfigurations we’ve seen during recent pentest engagements.

It’s a rolling article that we plan to keep updating over time as new issues come up — we still have a few more findings to post about, but wanted to share what we’ve got so far.

If you’re running Supabase in production (or planning to), it might help you double-check RLS, Edge Functions, Vault, and other areas where we often see mistakes.

Happy to hear feedback, and we’d love to know if you’ve run into similar issues.

Hey folks,

I’ve recently launched a Pentesting Weekly Digest where I cover the most important updates in pentesting, red teaming, CVEs, and cybersecurity news — all in one short weekly post.

Each issue includes:

• 📰 Top security news & breaches
• ⚒️ Tools & frameworks relevant for pentesters
• 🔎 A highlighted CVE/vulnerability of the week
• 🧑‍💻 My own short commentary on why it matters

My goal is to make it a useful resource both for beginners learning offensive security and for professionals who want a quick overview of the week’s highlights.

👉 Here’s the latest issue: https://open.substack.com/pub/yaroslavbui/p/pentesting-weekly-digest-september?r=r84oh&utm_campaign=post&utm_medium=web

I’d love if you could:

1. Subscribe if you find it valuable
2. Share your feedback — what would you like me to add, remove, or improve?
3. Discuss — which format works best for this kind of digest (short summaries, deep dives, tool demos, etc.)?

Your input will help me shape this into something that’s actually useful for the community. Thanks in advance! 🙏

With the recent npm/Node.js supply chain incident (phished maintainer, 18 packages briefly shipping crypto-stealing code), I wanted to share a small project:
Typo squat Detective, a 2-3 minute browser game to practice spotting look-alike domains.

It covers:
• Numbers ↔ letters (1 ↔ l, 0 ↔ o)
• Unicode homoglyphs (Cyrillic/Greek lookalikes)
• Punycode (xn--) tricks

Play it here: https://typo.himanshuanand.com/

Curious to hear which tricks fooled you and if you would like more levels/brands.

Hey folks,

I wrote a technical breakdown of a vulnerability I discovered in Google Drive Desktop for Windows. It allows one user to copy the DriveFS cache from another user profile and gain full access to their Google Drive without any re-authentication.

The issue: Google Drive does not reverify the identity tied to the local DriveFS cache.

Anyone with local access can copy that cache and impersonate another Drive user. Violates basic Zero Trust and user isolation principles.

Google reviewed and responded that it is “not a security vulnerability.”

I also discuss why this violates NIST, ISO 27001, SOC 2, and even GDPR/HIPAA compliance expectations.

📖 Full article here: 👉 The Hidden Google Drive Flaw Nobody Talks About

The article explores the implementation of our ICMP detection module, detailing the engineering process and how the ICMP Echo Stream (iStream) assembler played a key role in designing its core detection rules.

Hey r/netsec,

As a security researcher, I've been exploring ways to leverage AI for more effective code audits. In my latest Medium article, I dive into a complete end-to-end walkthrough using Hound, an open-source AI agent designed for code security analysis. Originally built for smart contracts, it generalizes well to other languages.

What's in the tutorial:

• Introduction to Hound and its knowledge graph approach
• Setup: Selecting and preparing a Rust codebase
• Building aspect graphs (e.g., system architecture, data flows)
• Running the audit: Generating hypotheses on vulnerabilities
• QA: Eliminating false positives
• Reviewing findings: A real issue uncovered
• Exporting reports and key takeaways

At the end of the article, we create a quick proof-of-concept for one of the tool's findings.

The full post Is here:

https://medium.com/@muellerberndt/hunting-for-security-bugs-in-code-with-ai-agents-a-full-walkthrough-a0dc24e1adf0

Use it responsibly for ethical auditing only.

Struggling to get an existing handle of a browser's process which already has tthe Cookies file open and can't dump the cookies?

Extreme situations require extreme measures!

Learn about the new critical CVE-2025-43300 vulnerability that allows RCE on iOS & macOS by clicking on the post link.

This class by Xeno Kovah (founder of OST2) teaches about the 30+ types of Bluetooth data that the Blue2thprinting software can collect and surface for when you're trying to determine what a device is, and whether it has any known vulnerabilities. New in v2.0+ is the BTIDALPOOL crowd-sourcing server for researchers to push & pull data about devices they've discovered.

Like all current #OST2 classes, the core content is made fully public, and you only need to register if you want to post to the discussion board or track your class progress. Based on beta testing this class takes an median of 8 hours to complete (and an average of 9 hours, with a min of 4h30m and max of 15h22m.)

The new Bluetooth learning path showing this class's relationship to others under development is available here: https://ost2.fyi/Bluetooth.html

Bypassing TLS certificate verification in 5 major TLS libraries with a LD_PRELOAD lib.

• Works on OpenSSL, GnuTLS, NSS, mbedTLS, and wolfSSL.
• And most UNIX Systems
• Plus a deep dive into LD_PRELOAD

A proof-of-concept C2 framework that leverages the Google Calendar API as a covert communication channel between operators and a compromised system. And it works.

I took a bunch of bits and spread them out into ARM's neon registers and then did cool math on them to replicate the effects of an exclusive-or. It turned out to be way faster than I anticipated.

I then wrote unit tests that take advantage of generative testing with Quickcheck to make sure it actually works. I had never seen Quickcheck used to unit test inline assembly but it seems like no function using in-line assembly should ever not be covered by generative testing.

I love how readable this is. Honestly, the Rust tooling is so good that I never have to write assembly outside of Rust again.

I can't really think of a reason not to, don't say file sizes 😩.

https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/

Interesting write up on using vulnerable drivers to read the raw disk of a Windows system and extract files without ever touching those files directly. This subsequently allows the reading of sensitive files, such as the SAM.hive, SYSTEM.hive, and NTDS.dit, while also completely avoiding detection from EDR.