unSafe.sh - 不安全
Cracking JWTs: A Bug Bounty Hunting Guide [Part 5]
JWTs (JSON Web Tokens) are stateless tokens used for authentication. They are signed using either a...
2025-6-8 05:40:37 | Reads: 12 | Bug Bounty in InfoSec Write-ups on Medium - infosecwriteups.com
Tags: kid, burp, symmetric, wiener
Cracking JWTs: A Bug Bounty Hunting Guide [Part 5]
JWTs (JSON Web Tokens) are stateless tokens used for authentication. They are signed using either a...
2025-6-8 05:40:37 | Reads: 11 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: kid, burp, symmetric, hs256
Abuse-ception: How I Turned the Abuse Report Feature Into a Mass Email Spammer
After the coffee machine broke down on a Monday morning, the author, while using Burp Suite to study a SaaS application's abuse-report feature, unexpectedly found an abuse vulnerability and became a spam sender...
2025-6-8 05:40:29 | Reads: 12 | Bug Bounty in InfoSec Write-ups on Medium - infosecwriteups.com
Tags: coffee, monday, sprinkle, morning, stumbled
Abuse-ception: How I Turned the Abuse Report Feature Into a Mass Email Spammer
After the coffee machine broke down on a Monday morning, a sleep-deprived bounty hunter used Burp Suite to attack a random SaaS application's abuse-report feature, and unexpectedly exploited a feature that was designed to prevent abuse, which is full of irony...
2025-6-8 05:40:29 | Reads: 12 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: coffee, monday, sprinkle, mildly, burp
$1,000 Bug: Firefox Account Deletion Without 2FA or Authorization
Mozilla's account management API had a serious vulnerability: an attacker could delete a Firefox user's account through an unauthenticated POST request, needing only the target user's password. The API endpoint required neither two-factor authentication nor an authorization header, posing a major security risk...
2025-6-8 05:39:25 | Reads: 16 | Bug Bounty in InfoSec Write-ups on Medium - infosecwriteups.com
Tags: mozilla, authpw, deletion, attackers, erdy
$1,000 Bug: Firefox Account Deletion Without 2FA or Authorization
A security researcher found a major vulnerability in Mozilla's account management API: an attacker could delete a Firefox user's account through an unauthenticated POST request, needing only the target user's password, with no two-step verification or authorization header required. The vulnerability was caused by missing backend validation...
2025-6-8 05:39:25 | Reads: 11 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: mozilla, attackers, deletion, authpw, 000the
The 5 Cybersecurity Roles That Will Disappear First
The article discusses the impact of artificial intelligence on the cybersecurity field, noting that some traditional roles may be replaced. Using Adeel's example, it shows why human-AI collaboration is necessary and emphasizes the importance of keeping skills up to date...
2025-6-8 05:39:1 | Reads: 14 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: adeel, expertise, stood, planning
Living Off The Land: The Stealth Art of Red Team Operations
The article introduces Living Off The Land (LOTL) techniques, which use built-in Windows tools such as PowerShell and WMI for stealthy attacks. Stealth and persistence are achieved through in-memory script execution, lateral movement via WMI, and downloading payloads with Certutil. It emphasizes their ability to evade antivirus and provides specific tool and technique examples...
2025-6-7 05:50:4 | Reads: 15 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: lotl, powershell, payload, download, windows
21 Secret Linux Commands Hackers and Sysadmins Don't Want You to Know About
Satyam recommends several practical Linux tools and commands that help users work more efficiently. For example, `bat` is a modern version of the `cat` command that supports syntax highlighting, line numbers, and Git integration...
2025-6-7 05:49:53 | Reads: 15 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: bashrc, iit, satyam
From Classic SOC to Autonomous SOC: The Future of Cyber Defense
Classic Security Operations Centers (Classic SOC) face problems of scale, alert volume, and staff burnout. The Modern SOC and Autonomous Security Operations (ASO) are more efficient and more intelligent, and are key to future development...
2025-6-7 05:49:23 | Reads: 12 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: security, autonomous, socs, merely, aso
Race Condition Rumble: How I Bought 100 Products for the Price of One
The article tells the story of a hacker exploiting a concurrency logic vulnerability in an e-commerce platform. By sending a large number of duplicate requests, they generated 50 orders while paying only once, revealing the platform's lack of concurrency control and locking mechanisms...
2025-6-7 05:49:15 | Reads: 13 | Bug Bounty in InfoSec Write-ups on Medium - infosecwriteups.com
Tags: staging, quantity, concurrency, usual, bearer
Race Condition Rumble: How I Bought 100 Products for the Price of One
The article tells the story of a hacker using a concurrency logic vulnerability in an e-commerce platform to carry out an order injection attack. Using multi-threaded requests, the attacker obtained 50 orders for a single payment. The vulnerability stemmed from the backend's lack of concurrency control and locking mechanisms. A high-risk vulnerability like this could cause the platform major financial losses during sales periods...
2025-6-7 05:49:15 | Reads: 10 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: staging, concurrency, quantity, orders, intruder
How I Captured a Password with One Command
The article explains how to capture usernames and passwords from HTTP POST requests with the tshark tool, and demonstrates installing tshark on a Linux system and running a command to listen to network traffic...
2025-6-7 05:48:1 | Reads: 12 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: tshark, network, eth0, captured, vulnweb
$7,500 Bug: Exposing Any HackerOne User's Email via Private Program Invite
A security researcher found a vulnerability in HackerOne's private invitation system: combining a GraphQL query with the "invite by username" feature could leak users' private email addresses. The vulnerability could lead to large-scale privacy leaks, account de-anonymization, and phishing attacks...
2025-6-7 05:47:43 | Reads: 13 | Bug Bounty in InfoSec Write-ups on Medium - infosecwriteups.com
Tags: hackerone, invite, username, phishing, invite3
$7,500 Bug: Exposing Any HackerOne User's Email via Private Program Invite
Security researcher haxta4ok00 found a serious vulnerability in HackerOne's private program invitation system: by combining a GraphQL query with the "invite by username" feature, the invited user's private email address could be leaked. The vulnerability could lead to large-scale privacy leaks and account de-anonymization...
2025-6-7 05:47:43 | Reads: 11 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: hackerone, invite, username, uncovered, violations
How to Set Up a VPN with Tailscale: Overcoming CGNAT Challenges
The article describes the author's challenges setting up a VPN while their ISP uses CGNAT, and how Tailscale solved them. Tailscale is based on the WireGuard protocol, provides cross-platform remote network access without complex configuration, and supports setting an Ubuntu device as an exit node for greater network flexibility...
2025-6-7 05:47:31 | Reads: 17 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: tailscale, network, machine, cgnat, windows
OIDC: Integrate Kubernetes authentication with Azure AD via OIDC (Part IV)
The article explains how to integrate Kubernetes with Azure AD through the OIDC protocol for user authentication, and details the steps and tools needed to configure the OIDC provider, the kube-api-server, and kubeconfig...
2025-6-7 05:47:10 | Reads: 16 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: oidc, kube, loginazure, involves
Create own Hacking SERVER Instead of Portswigger exploit server
The article explains how to create your own server for exploiting CORS vulnerabilities or other security issues. It supports multiple programming languages (such as Node.js and Python) and provides code examples. Ngrok must be installed for port forwarding...
2025-6-6 05:13:14 | Reads: 16 | Bug Bounty in InfoSec Write-ups on Medium - infosecwriteups.com
Tags: flask, exfiltrated, python, requestapp, serverhi
Create own Hacking SERVER Instead of Portswigger exploit server
The article explains how to create a custom server for exploiting CORS vulnerabilities or other security issues, provides code examples based on JavaScript and Python Flask, and requires Ngrok for port forwarding...
2025-6-6 05:13:14 | Reads: 11 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: flask, exfiltrated, describes, serverhi
OIDC: The Fellowship of the Token (Part III)
The article discusses token mechanisms in authentication and how they are classified. Tokens are divided into server-dependent and self-contained: the former, such as opaque tokens (like an amusement park wristband), must be looked up by the backend; the latter, such as JWTs, carry all the necessary information in the token itself...
2025-6-6 05:11:47 | Reads: 8 | InfoSec Write-ups - Medium - infosecwriteups.com
Tags: baggins, scream, bearer, recognize, barcode