Whitepaper called The not-so-silent type - Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers.
1baca6b77c2dd267d995c6cc273aa8908082ad0a1d57ae3a7cf03d39df9cbc85
This whitepaper shows that the security threat from DMPs is significantly worse than previously thought and demonstrates the first end-to-end attacks on security-critical software using the Apple M-series DMP. Undergirding the author's attacks is a new understanding of how DMPs behave which shows, among other things, that the Apple DMP will activate on behalf of any victim program and attempt to leak any cached data that resembles a pointer.
a26af7248f3a7458c6db704eb23699f3163f79dcf78ceedd895d0097eb93941b
In this paper, the authors present the first GPU cache side-channel attack from within the browser, more specifically from the restricted WebGPU environment. The foundation for their generic and automated attacks is a set of self-configuring primitives applicable to a wide variety of devices, which they demonstrate on a set of 11 desktop GPUs from 5 different generations and 2 vendors.
6c5387e050fc45456bdc1a46bd17a019b33a674a9d2100d5130f5e042b53b654
In this paper, the authors show that the design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, they developed a new class of DNSSEC-based algorithmic complexity attacks on DNS, which they dubbed KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as "the worst attack on DNS ever discovered". Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.
4c1743e665520f276be83b47e7a1ae86496ca84f1935e9197aa5b5736fc57eb4
Whitepaper called Everlasting ROBOT: the Marvin Attack. In this paper, the author shows that Bleichenbacher-style attacks on RSA decryption are not only still possible, but also that vulnerable implementations are common. The Marvin Attack is a return of a 25-year-old vulnerability that allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed with the private key.
11fd5f5eb17765f91bb0b2d7fe6530d7a6e1e20781250cc9cc5e701006d329c9
Whitepaper discussing how to crack Notezilla passwords.
db3961e08ef61a0d202ba7ab4184a19ba1f3ed41a5461a43cca0d7b0d4c10807
Whitepaper called Attacking Optical Character Recognition System.
27d4178ceb7a28e6651e0994b57cf6748e06a11feff3bb4601978c419df69e91
This whitepaper focuses on explaining the Apache Ghostcat vulnerability and how it can be used to read file contents of all web applications deployed on Tomcat.
dc2b8740104317c36ad79dcb929d334c237272637cf804d3dfc086cec7bb44d1
Whitepaper called Exploiting Unrestricted File Upload via Plugin Uploader in WordPress.
efdbdb90e446a0fac9ede57a38883f4aa80f9e270ca7fa7750a06b3b479136af
This is a brief whitepaper that discusses buffer overflows and analysis with the Immunity Debugger.
73127a9cc87fc8a939672df63d83e98a8b71f9eac62cd948cf7afa9a24f08ecb
Whitepaper called Injecting .NET Ransomware into Unmanaged Process.
7e890c6dff5ae8156d98429f6fe186edb3369beed0fab15a6a007e3594801cf7
Whitepaper that appears to be authored by Phineas Fisher called HackBack - A DIY Guide To Rob Banks. Written in Spanish.
27c62be8c0f63cf1ea3399eb23af8641daf76da0da42c41d2bcd2bfc8fd2bdbe
Whitepaper that appears to be authored by Phineas Fisher called HackBack - A DIY Guide To Rob Banks.
6f4bda574c8c9dd1977b94777b2459398ec711e90dcdc1ffba003ee3fe468b72
The Portable Document Format, better known as PDF, is one of the most widely used document formats worldwide, and in order to ensure information confidentiality, this file format supports document encryption. In this paper, the authors analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents.
517f98746fe2867354db4d9e80fb07916b9d1d2b6c386ab280af27aaadc9b848
This is a guide to red teaming operations. It covers basic questions such as what a red team is and the differences between red teaming and vulnerability assessments, along with more advanced theory such as how red team engagements are carried out. Thought processes and legal processes are also covered.
5cc2490b24414f5aeb2a2e09e0c87501a01a2b68b64b7528e03498377c40dfb4
This pop-scientific conference paper introduces Mythril, a security analysis tool for Ethereum smart contracts, and its symbolic execution backend LASER-Ethereum. The first part of the paper explains symbolic execution of Ethereum bytecode in a largely formal manner. The second part showcases the vulnerability detection modules already implemented in Mythril. The modules use a pragmatic mix of static analysis, symbolic analysis and control flow checking.
8a7fc1857be351bac85ed32986c92e1568085599649c4da76ee6420d59f718c5
This is a whitepaper that goes over methodologies for web application penetration testing. It is very thorough with examples and overviews.
5f258ff9e75dba499306df2a06fa89e9eebcc2fd3b3ee0b82a6a2a06f26b66fd
Whitepaper called Meltdown. It discusses how you can bypass Intel's hardware barrier between applications and the computer's core memory.
593ea59090a096211b06194fb5985d5c2ea2b5bd85b540d01802d5d7da2d36f8
Whitepaper called Spectre Attacks: Exploiting Speculative Execution. It discusses how to trick error-free applications into giving up secret information.
d1a3c8c49faea6321bd01e706e0957012c18a94e1a187f1a5477c0e82270dc51
Short whitepaper called New Methods of Payload Delivery - MSFVenom.
9e1586814423a97f1e8fa42862660c5a5d2c1d8bb20f89737c24e0484f2acf2d
On April 14, 2017, the Shadow Brokers Group released the FUZZBUNCH framework, an exploitation toolkit for Microsoft Windows. The toolkit was allegedly written by the Equation Group, a highly sophisticated threat actor suspected of being tied to the United States National Security Agency (NSA). The framework included ETERNALBLUE, a remote kernel exploit originally targeting the Server Message Block (SMB) service on Microsoft Windows XP (Server 2003) and Microsoft Windows 7 (Server 2008 R2). In this paper, the RiskSense Cyber Security Research team analyzes how using wrong-sized CPU registers leads to a seemingly innocuous mathematical miscalculation. This causes a chain reaction that ultimately culminates in code execution, making ETERNALBLUE one of the most complex exploits ever written. They discuss what was necessary to port the exploit to Microsoft Windows 10, and the mitigations Microsoft has already deployed, which can prevent vulnerabilities of this class from being exploited in the future. The FUZZBUNCH version of the exploit contains an Address Space Layout Randomization (ASLR) bypass, and the Microsoft Windows 10 version required an additional Data Execution Prevention (DEP) bypass not needed in the original exploit.
fa13189f37eae3318ce25b3bd600e5e83270e401b53f1a2fd4a6340b7b1a8803
A write up by the hacker who hacked FlexiSpy.
210438ee4534c14e66292144d27d635e0535da4750c255a43ca819509ebce9a3
Whitepaper entitled HackBack - A DIY Guide for those without the patience to wait for whistleblowers.
8a4bf253d346e6edb5debbc3d0af1853e0c2c708d9b3c1a2b28a8685f580d674
Whitepaper entitled HackBack - A DIY Guide. Written in Spanish.
cd9224d9caca3f6b88269980123d5374486f1353fbc9efb50253557b2a53a6c0
Whitepaper entitled HackBack - A DIY Guide.
13106443a0101118a7a673f7eab1962e92e195d9d493092b209fc627e5dc9db6