Tencent Security Xuanwu Lab Daily News
• [PDF] https://www.cristiandaniele.com/sources/Stateful_Fuzzing_survey_(INTERSECT).pdf:
https://www.cristiandaniele.com/sources/Stateful_Fuzzing_survey_(INTERSECT).pdf
・ A survey of stateful fuzzing
– Jett
• Insecure Deserialization in JavaScript: GoogleCTF 2022 Web/HORKOS Writeup:
https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/
・ Writeup of a JavaScript deserialization vulnerability challenge from GoogleCTF 2022
– Jett
• V8 Sandbox – External Pointer Sandboxing – Google Docs:
https://docs.google.com/document/d/1V3sxltuFjjhp_6grGHgfqZNK57qfzGzme0QTk0IXDHk/edit#heading=h.xzptrog8pyxf
・ Introduction to the V8 Sandbox mechanism for wrapping and protecting raw memory pointers
– Jett
• Retbleed: Arbitrary Speculative Code Execution with Return Instructions – Computer Security Group:
https://comsec.ethz.ch/research/microarch/retbleed/
・ Retbleed: Arbitrary Speculative Code Execution with Return Instructions
– Jett
• Getting Started with V8 from Scratch: Understanding the Principles of the General Exploit Chain:
https://tttang.com/archive/1653/
・ Getting started with V8 from scratch: understanding the principles of the general exploit chain
– lanying37
• From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud:
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
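・ Attackers steal login credentials such as cookies through phishing, then log in to the mail system to launch further attacks against the target organization; an analysis from Microsoft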
– Jett
• Microsoft Azure Site Recovery DLL Hijacking | by James Sebree | Tenable TechBlog | Jul, 2022 | Medium:
https://medium.com/tenable-techblog/microsoft-azure-site-recovery-dll-hijacking-cd8cc34ef80c
・ Analysis of the Azure Site Recovery DLL injection vulnerability
– Jett
• How to secure Kubernetes deployment with signature verification:
https://sysdig.com/blog/secure-kubernetes-deployment-signature-verification/
・ Introducing signature verification into the process of managing and deploying containers with Kubernetes to ensure security
– Jett
• Bypassing Debug Protection on nRF52 Platform Chips via Voltage Glitch Injection:
https://paper.seebug.org/1929/
・ Bypassing debug protection on nRF52 platform chips via voltage glitch injection
– lanying37
* To view or search previously pushed content, visit:
https://sec.today
* Sina Weibo account: Tencent Xuanwu Lab
https://weibo.com/xuanwulab
Originally published on the WeChat official account (Tencent Xuanwu Lab): Daily Security News Push (07-13)