Seclog - #131

Rosecurify

"The enemy does not care what systems were in scope for testing. Protect your weak points." - The Art of Cyber War

📚 SecMisc

  • Cloud-Attack Techniques — Interactive matrix of cloud-attack techniques and mitigations. Read More

  • Every UUID V4 — Generate, decode, and validate version-4 UUIDs in one click. Read More

  • BloodHound Query Library — Curated Cypher queries for BloodHound neo4j graphs. Read More

  • InfoPêxwas: How They Pick Your Digital Pockets Without You Noticing — Modern info-stealing tactics in the wild. Read More

  • SugarCRM Vulnerability – SugarCRM <= 6.5.23 (SugarRestSerialize.php) PHP Object Injection Vulnerability allows unauthenticated attackers to execute arbitrary PHP code via specially crafted serialized objects. Read More

  • A Bit More on Twitter/X’s New Encrypted Messaging — Deeper cryptographic analysis of X’s E2EE beta. Read More

  • Ghidra Is Best: Android Reverse Engineering — Hands-on guide to reversing Android apps with Ghidra. Read More

  • Escaping ‘<’ and ‘>’ in Attributes — How tiny escapes thwart mutation-XSS. Read More

  • CVE-2025-34508: Path Traversal in ZendTo — End-to-end exploit walk-through and detection tips. Read More

  • Is b for Backdoor? Pre-Auth RCE Chain in Sitecore XP — WatchTowr’s deep dive into a sneaky exploit chain. Read More

  • Defending the Internet: Cloudflare Blocks a 7.3 Tbps DDoS — Behind the scenes of record-breaking mitigation. Read More

  • Cloud Hash Cracking Economics – Combines Hashtopolis and Cloudflare Tunnel for cost-effective distributed cracking without hardware investments. Read More

  • Go Parser Security Footguns – Highlights unexpected risks in Go’s JSON/XML/YAML parsers, including data exposure and format confusion exploits. Read More

  • Insomnia API Client Template Injection – Uncovers vulnerabilities in developer tools used during offensive security assessments. Read More

🐦 SecX

  • Zoom Phishing via App Absence – Warns that victims fall for impersonators directing to fake Zoom links (e.g., Z0om.com) partly due to lacking the native app, which should trigger suspicion. Watch Here

  • Prompt Injection Mimicry Tactics – Effective prompt injection mimics the model’s training data format for higher success rates. Watch Here

🎥 SecVideo

  • Parser Differentials: When Interpretation Becomes a Vulnerability — OffensiveCon 25 talk by Joernchen. Watch Here

  • Google Cloud CISO: Shift Down not Left, 4 Ways Google Uses AI for Security — Phil Venables on AI-driven defense. Watch Here

πŸ’» SecGit

  • nuryslyrt/AISecTips-Tricks — Handy AI-powered security tips & scripts. Explore on GitHub

  • Ghostcrew – Ghostcrew is an all-in-one offensive security toolbox with AI agent and MCP architecture, integrating tools like Nmap, Metasploit, and FFUF. Explore on GitHub

  • Fakjs – Fakjs is a fast Go-based tool to uncover sensitive information in JavaScript files, playing a crucial role in reconnaissance during security assessments. Explore on GitHub

  • Threat Designer – Threat Designer is a GenerativeAI application designed to automate and streamline the threat modeling process for secure system design. Explore on GitHub

  • Paragon – Paragon is a web-based checklist-driven note-taking app following bug bounty and web app pentest methodology. Explore on GitHub

For suggestions and any feedback, please contact: securify@rosecurify.com

Written by

Rosecurify