Seclog - #131
"The enemy does not care what systems were in scope for testing. Protect your weak points." - The Art of Cyber War
📚 SecMisc
Cloud-Attack Techniques — Interactive matrix of cloud-attack techniques and mitigations. Read More
Every UUID V4 — Generate, decode, and validate version-4 UUIDs in one click. Read More
BloodHound Query Library — Curated Cypher queries for BloodHound neo4j graphs. Read More
📰 SecLinks
InfoPêxwas: How They Pick Your Digital Pockets Without You Noticing — Modern info-stealing tactics in the wild. Read More
SugarCRM Vulnerability – SugarCRM <= 6.5.23 (SugarRestSerialize.php) PHP Object Injection Vulnerability allows unauthenticated attackers to execute arbitrary PHP code via specially crafted serialized objects. Read More
A Bit More on Twitter/X’s New Encrypted Messaging — Deeper cryptographic analysis of X’s E2EE beta. Read More
Ghidra Is Best: Android Reverse Engineering — Hands-on guide to reversing Android apps with Ghidra. Read More
Escaping ‘<’ and ‘>’ in Attributes — How tiny escapes thwart mutation-XSS. Read More
CVE-2025-34508: Path Traversal in ZendTo — End-to-end exploit walk-through and detection tips. Read More
Is b for Backdoor? Pre-Auth RCE Chain in Sitecore XP — WatchTowr’s deep dive into a sneaky exploit chain. Read More
Defending the Internet: Cloudflare Blocks a 7.3 Tbps DDoS — Behind the scenes of record-breaking mitigation. Read More
Cloud Hash Cracking Economics – Combines Hashtopolis and Cloudflare Tunnel for cost-effective distributed cracking without hardware investments. Read More
Go Parser Security Footguns – Highlights unexpected risks in Go’s JSON/XML/YAML parsers, including data exposure and format confusion exploits. Read More
Insomnia API Client Template Injection – Uncovers vulnerabilities in developer tools used during offensive security assessments. Read More
🐦 SecX
Zoom Phishing via App Absence – Warns that victims fall for impersonators who direct them to fake Zoom links (e.g., Z0om.com), partly because they lack the native app, which should trigger suspicion. Watch Here
Prompt Injection Mimicry Tactics – Effective prompt injection mimics the model’s training data format for higher success rates. Watch Here
🎥 SecVideo
Parser Differentials: When Interpretation Becomes a Vulnerability — OffensiveCon 25 talk by Joernchen. Watch Here
Google Cloud CISO: Shift Down not Left, 4 Ways Google Uses AI for Security — Phil Venables on AI-driven defense. Watch Here
💻 SecGit
nuryslyrt/AISecTips-Tricks — Handy AI-powered security tips & scripts. Explore on GitHub
Ghostcrew – Ghostcrew is an all-in-one offensive security toolbox with AI agent and MCP architecture, integrating tools like Nmap, Metasploit, and FFUF. Explore on GitHub
Fakjs – Fakjs is a fast Go-based tool to uncover sensitive information in JavaScript files, playing a crucial role in reconnaissance during security assessments. Explore on GitHub
Threat Designer – Threat Designer is a GenerativeAI application designed to automate and streamline the threat modeling process for secure system design. Explore on GitHub
Paragon – Paragon is a web-based checklist-driven note-taking app following bug bounty and web app pentest methodology. Explore on GitHub