FreshRSS

/r/netsec - Information Security News & Discussion

haveibeenpwned.watch - Open-source, no-fluff charts showcasing haveibeenpwned.com's pwned account data

By: /u/iosifache — June 23rd 2025 at 15:59

After discovering that the haveibeenpwned.com data is accessible via the API and noticing the lack of a visualization tool, I dedicated a few evenings to building haveibeenpwned.watch. This single-page website processes and presents data on leaks from Have I Been Pwned, with daily updates.

The site provides details on the total number of recorded breaches, the number of unique services affected, and the total accounts compromised. Charts break down the data by year, showing the number of breaches, affected accounts, average accounts breached per year, accounts by data type, and accounts by industry. Additionally, tables highlight the most recent breaches, the most significant ones, and the services with the highest number of compromised accounts.

Though simple, the website can be a useful resource for use cases like strategic security planning, cybersecurity sales, risk assessment, or simply tracking trends in the security landscape.

The website is open source, with its repository hosted on GitHub.

submitted by /u/iosifache

What secures LLMs calling APIs via MCP? A stack of OAuth specs—here’s how they fit together

By: /u/Smooth-Loquat-4954 — June 23rd 2025 at 14:55

Model Context Protocol is quickly becoming the default way for LLMs to call out to tools and APIs—but from a security standpoint, it’s been a little hand-wavy. This post fixes that.

It shows how five OAuth specs—including dynamic client registration and protected resource metadata—combine to form a secure, auditable, standards-based auth flow for MCP.

submitted by /u/Smooth-Loquat-4954

Just casually broke bunq’s sandbox with 0day-level spoofing, and nobody seems to care 🇳🇱

By: /u/ficu71 — June 22nd 2025 at 02:42

So I cooked up a fake transaction for shits and giggles. No valid IBAN. No real user. No device. No signature. No token. No nothing. Just pure distilled bullshit in a JSON payload.

Guess what? “Transaction accepted” “attack_success”: true “fraud_score”: 0.99999 System looked at it and said: “yeah, looks good to me.”

I even told the sandbox I was sending 10k EUR from FAKE_IBAN_901 to INVALID_IBAN_123 using a spoofed IMEI and some RSA nonsense I made up in Notepad. Bunq backend? Nodded politely and gave me a sandbox TXID.

It gets better — it accepts critical priority flags, fake biometric hashes, invalid currency codes, all wrapped in a nice little “success” bow.

This ain’t a bug, this is a fuckin’ confessional.

If bunq staff lurking here: hit me up. This ain’t a ransom, but y’all might wanna know just how open wide your API goes when someone whispers sweet nothings like tpp_id: "lol_fake_999".

We got logs. We got timestamps. We got receipts.

Your move, bunq.

submitted by /u/ficu71

Series 2: Implementing the WPA in RAWPA - Part 2

By: /u/Dark-stash — June 21st 2025 at 23:17

RAWPA helps security researchers and penetration testers with hierarchical methodologies for testing.
This is not a "get bugs quick scheme". I fully encourage manual scouring through JS files and playing around in Burp; RAWPA is just like a guide to rejuvenate your thinking.
Interested? Join the testers now
https://forms.gle/guLyrwLWWjQW61BK9

Read more about RAWPA on my blog: https://kuwguap.github.io/

submitted by /u/Dark-stash

Sleepless Strings - Template Injection in Insomnia

By: /u/_pimps — June 19th 2025 at 06:44

A Template Injection vulnerability in the latest version of Kong’s Insomnia API Client (v.11.2.0) leads to Remote Code Execution.

submitted by /u/_pimps

Security Analysis: MCP Protocol Vulnerabilities in AI Toolchains

By: /u/ES_CY — June 17th 2025 at 09:16

[Disclosure: I work at CyberArk and was involved in this research]

We've completed a security evaluation of the Model Context Protocol and discovered several concerning attack patterns relevant to ML practitioners integrating external tools with LLMs.

Background: MCP standardizes how AI applications access external resources - essentially creating a plugin ecosystem for LLMs. While this enables powerful agentic behaviors, it introduces novel security considerations.

Technical Findings:

  • Tool Poisoning: Adversarial servers can define tools that appear benign but execute malicious payloads
  • Context Injection: Hidden instructions in MCP responses can manipulate model behavior
  • Privilege Escalation: Chained MCP servers can bypass intended access controls
  • Authentication Weaknesses: Many implementations rely on implicit trust rather than proper auth

ML-Specific Implications: For researchers using tools like Claude Desktop or Cursor with MCP servers, these vulnerabilities could lead to:

  • Unintended data exfiltration from research environments
  • Compromise of model training pipelines
  • Injection of adversarial content into datasets

Best Practices:

  • Sandbox MCP servers during evaluation
  • Implement explicit approval workflows for tool invocations
  • Use containerized environments for MCP integrations
  • Regular security audits of MCP toolchains

This highlights the importance of security-by-design as we build more sophisticated AI systems.

https://www.cyberark.com/resources/threat-research-blog/is-your-ai-safe-threat-analysis-of-mcp-model-context-protocol

submitted by /u/ES_CY

Hosting images inside dns records using TXT.

By: /u/Ok-Mushroom-8245 — June 15th 2025 at 20:27

I wrote a blog post discussing how I hid images inside DNS records. You can check out the web viewer at https://dnsimg.asherfalcon.com with some domains I already added images to, like asherfalcon.com and containerback.com.

submitted by /u/Ok-Mushroom-8245

Input on using the ROT and network connection to hack voting and tabulating software and hardware.

By: /u/RobbyRock75 — June 15th 2025 at 04:44

I came across this article and in speaking with my friends in the netsec field I received lots of good input. Figured I’d push it here and see what the community thinks.

There are links in the article and I checked them to see if they coincided with the article's points.

I'm not affiliated with this article, but with the lawsuit in New York moving forward and the Dominion lawsuit in 2020 giving the hardware and software to the GOP, I had questions the community might be able to clarify.

submitted by /u/RobbyRock75

Millions of Vulnerabilities: One Checklist to Kill The Noise

By: /u/pathetiq — June 12th 2025 at 15:26

Hey all, started a blog series on Vulnerability Management. 4 articles posted already; the last one is about when you open the floodgates of a code or cloud scanner and you start drowning in findings!

This leads to thousands of findings for an SMB, millions for a big org. But vulns can’t all be worth fixing, right? This article walks through a first, simple way to shorten the list, which is to triage every vuln and confirm if the bug is reachable in your reality.

Let me know if you have any comments to improve the blog or this article, would appreciate it!

submitted by /u/pathetiq

How to Setup Kali Linux on Docker + Create Custom Image & File Share

By: /u/kongwenbin — June 11th 2025 at 04:13

This is a walkthrough video for anyone who wants to run Kali Linux in a more lightweight, consistent way using Docker.

The video covers:

  • Installing Kali Linux via Docker
  • Avoiding the "it works on my machine" issue
  • Creating your own custom Docker image
  • Setting up file share between host and container

It's a solid way to practice hacking without spinning up a whole VM — and great for anyone doing tutorials that require a Kali Linux instance, or folks who are starting out their penetration testing or bug bounty journey.

submitted by /u/kongwenbin

Research On Developing Secure AI Agents Using Google's A2A Protocol

By: /u/Artistic_Bee_2117 — June 10th 2025 at 18:51

I am an undergrad Computer Science student working with a team looking into building a security tool for developers building AI agent systems. I read this really interesting paper on how to build secure agents that implement Google's new A2A protocol, which had some proposed vulnerabilities of codebases implementing A2A.

It mentioned some things like:

- Validating agent cards

- Ensuring that repeating tasks don't grant permissions at the wrong time

- Ensuring that message schemas adhere to A2A recommendations

- Checking for agents that are overly broad

- A whole lot more

I found it very interesting for anyone who is interested in A2A related security.

submitted by /u/Artistic_Bee_2117

Code execution from web browser using URL schemes handled by KDE's KTelnetService and Konsole (CVE-2025-49091)

By: /u/11d_space — June 10th 2025 at 17:46

This issue affects systems where KTelnetService and a vulnerable version of Konsole are installed but at least one of the programs telnet, rlogin or ssh is not installed. The vulnerability is in KDE's terminal emulator Konsole. As stated in the advisory by KDE, Konsole versions < 25.04.2 are vulnerable.

On vulnerable systems remote code execution from a visited website is possible if the user allows loading of certain URL schemes (telnet://, rlogin:// or ssh://) in their web browser. Depending on the web browser and configuration this, e.g., means accepting a prompt in the browser.

submitted by /u/11d_space

New ISPConfig Authenticated Remote Code Execution Vulnerability

By: /u/SSDisclosure — June 10th 2025 at 10:58

ISPConfig contains design flaws in the user creation and editing functionality, which allow a client user to escalate their privileges to superadmin. Additionally, the language modification feature enables arbitrary PHP code injection due to improper input validation.

submitted by /u/SSDisclosure

Why Open Source ≠ Secure Code

By: /u/kobsoN — June 10th 2025 at 09:59

In 2023, during a security assessment of Masa CMS, an open-source content management system, we discovered 11 vulnerabilities, some allowing server takeover.

Why does it matter? Because it's easy to assume that "if it's open source, someone must have already reviewed it."

But the truth is:
No one looks until someone really looks.

Now, imagine if these vulnerabilities had been found by a malicious actor instead of a security researcher…

submitted by /u/kobsoN

Preventing Prompt Injection Attacks at Scale

By: /u/mazen160 — June 9th 2025 at 16:52

Hi all,

I've written a blog post to showcase the different experiments I've had with prompt injection attacks, their detection, and prevention. Looking forward to hearing your feedback.

submitted by /u/mazen160

Possible Malware in Official MicroDicom Installer (PDF + Hashes + Scan Results Included)

By: /u/Deeeee737 — June 6th 2025 at 20:44

Hi all, I discovered suspicious behavior and possible malware in a file related to the official MicroDicom Viewer installer. I’ve documented everything including hashes, scan results, and my analysis in this public GitHub repository:

https://github.com/darnas11/MicroDicom-Incident-Report

Feedback and insights are very welcome!

submitted by /u/Deeeee737

DroidGround: Elevate your Android CTF Challenges

By: /u/deleee — June 5th 2025 at 21:05

Hi all, I just released this new application that I think could be interesting. It is basically an application that enables hosting Android CTF challenges in a constrained and controlled environment, thus allowing you to set up challenges that wouldn't be possible with just the standard APK.

For example, you may create a challenge where the goal is to get RCE and read the flag.txt file placed on the device. Or again a challenge where you need to create an exploit app to abuse some misconfigured service or broadcast provider. The opportunities are endless.

As of now the following features are available:

  • Real-Time Device Screen (via scrcpy)
  • Reset Challenge State
  • Restart App / Start Activity / Start Service (toggleable)
  • Send Broadcast Intent (toggleable)
  • Shutdown / Reboot Device (toggleable)
  • Download Bugreport (bugreportz) (toggleable)
  • Frida Scripting (toggleable)
    • Run from preloaded library (jailed mode)
    • Run arbitrary scripts (full mode)
  • File Browser (toggleable)
  • Terminal Access (toggleable)
  • APK Management (and start Exploit App) (toggleable)
  • Logcat Viewer (toggleable)

You can see the source code here: https://github.com/SECFORCE/droidground

There is also a simple example with a dummy application.

It also has a nice web UI!

Let me know what you think and please provide some constructive feedback on how to make it better.

submitted by /u/deleee

Vulnerabilities in Anthropic’s MCP: Full-Schema Poisoning + Secret-Leaking Tool Attacks (PoC Inside)

By: /u/jat0369 — June 5th 2025 at 16:15

We’ve published new research exposing critical vulnerabilities in Anthropic’s Model Context Protocol (MCP). Our findings reveal Full-Schema Poisoning attacks that inject malicious logic into any schema field and Advanced Tool Poisoning techniques that trick LLMs into leaking secrets like SSH keys. These stealthy attacks only trigger in production. Full details and PoC are in the blog.

submitted by /u/jat0369

The state of cloud runtime security - 2025 edition

By: /u/Swimming_Version_605 — June 5th 2025 at 12:16

Disclaimer: I'm managing the marketing for ARMO (no one is perfect), a cloud runtime security company (and the proud creator and maintainer of Kubescape). Yes, this survey was commissioned by ARMO, but there are really interesting stats inside.

Some highlights:

  • 4,080 alerts a month on avg but only 7 real incidents a year.
  • 89% of teams said they’re failing to detect active threats.
  • 63% are using 5+ cloud runtime security tools.
  • But only 13% can correlate alerts between them.
submitted by /u/Swimming_Version_605