Seclog - #127


"The best defense is not only in strong encryption but in unpredictable behavior." - The Art of Cyber War
📚 SecMisc
Tiny XSS Payloads – A curated list of tiny, minimalistic XSS payloads for testing and evasion.
Top CVE Trends & Expert Vulnerability Insights | cvemon – Real-time CVE trends and insights from vulnerability intelligence experts.
📰 SecLinks
Postman is logging all your secrets and environment variables – Discover how Postman may be exposing sensitive variables to logging systems.
Authentication Bypass to RCE in Versa Concerto (0-Day) – Full technical breakdown of a 0-day RCE in Versa Concerto.
Clipjacking: Hacked by copying text – A creative attack method leveraging clipboard copy-paste behavior.
Stored XSS in My Flow To RCE in Opera Browser #2 – Exploiting stored XSS to achieve RCE in Opera's My Flow feature.
Finding and Exploiting 20-year-old bugs in Web Browsers – Slides covering long-lived browser vulnerabilities and exploitation strategies.
Have I Been Pwned 2.0 is Now Live! – Major updates to Troy Hunt’s breach notification platform.
Pressing Buttons with Popups (on Twitch, LinkedIn and more) – Abuse of popups to trigger unauthorized user actions.
Kusto-Mice: Optimizing Kusto joins – Performance tips for better join operations in Kusto Query Language.
Go Cryptography Security Audit – Detailed report on Go language’s cryptographic libraries and audit findings.
The Single-Packet Shovel: Desync Tunnelling – Exploring HTTP request desync for covert tunneling techniques.
Deloitte’s Secure by Design Approach – with Wiz – Integrating secure design principles with modern cloud-native tools.
Don’t Call That “Protected” Method: vBulletin RCE – How a logic flaw in vBulletin led to full RCE.
Reverse Engineering iOS Shortcuts Deeplinks – Analysis of iOS Shortcuts deep linking for exploitation or automation.
🐦 SecX
The Fake Ledger That Stole Everything | IOC – A gripping thread on a fake hardware wallet that led to total crypto loss.
#OffensiveCon25 videos now up! – Full archive of OffensiveCon 2025 talks now available.
🎥 SecVideo
Web security is fun (or how I stole your Google Drive files) - Lyra Rebane – Entertaining and educational talk on exploiting cloud document features.
💻 SecGit
urbanadventurer/urlcrazy – Tool for generating typo variants of domain names to detect phishing.
c1phy/sqltimer – A lightweight and fast scanner for time-based SQL injection detection.
NightBloodz/CVE-2025-4123 – PoC for XSS and SSRF leading to data exfiltration in Grafana.
kapellos/LNKSmuggler – Tool to embed data in `.lnk` files and wrap them into ZIPs for evasion.
curated-intel/Attribution-to-IP – Collection of methods for IP ownership and attribution analysis.
sw33tLie/uff – A supercharged version of `ffuf` for fuzzing web directories and APIs.
cybrly/badsuccessor – An experimental project with unclear purpose – watch this one evolve.
For suggestions and any feedback, please contact: securify@rosecurify.com