OWASP, XSS, SQLi & Web Application Security · 69 Artikel
An enterprise with a long-running public bug bounty shipped a major release. Weeks later, a critical SQL injection surfaced in an authenticated reporting path. More than ten thousand PII records and clear-text card data were reachable via crafted queries. The vulnerable code sat behind role checks...
Two releases shipped this cycle - v10.4.2 (April 15) and v10.4.3 (May 5) - delivering deep KEV coverage, a major push into AI/LLM attack surface, fresh Perforce visibility, and broad quality improvements across the template library. 🚀 April Stats Release New Templates CVEs Added First-time...
Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One...
The malware framework targets web applications and cloud environments, including AWS, Docker, Kubernetes, and more. The post ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials appeared first on SecurityWeek.
Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)
deephas 1.0.7 - Prototype Pollution
FacturaScripts 2025.43 - XSS
HAX CMS 24.x - Stored Cross-Site Scripting (XSS)
Neue Forschung von ProjectDiscovery zeigt, dass die Entwicklung mit KI-Assistenten beschleunigt wird, während sich Sicherheitspraktiker überfordert fühlen. Die Anzahl und Größe der Codeänderungen wächst schneller als die Kapazität der Sicherheitsteams, um diese zu überprüfen. Entwickler sollten sicherstellen, dass AI-Generierte Codesicherheit integriert ist, indem sie regelmäßige Sicherheitsprüfungen durchführen und spezifische Richtlinien für KI-basierte Codegenerierung einsetzen.
Neo, ein Sicherheitstool, hat 33 oder mehr echte CVEs in Open-Quell-Projekten identifiziert und sich bei weißschleusiger Sicherheitsprüfung als fähig erwiesen. Nun wurde gezeigt, dass Neo auch als Black-Box-DAST-Agent effektiv arbeitet, indem es nur mit einer URL operiert und keine Quelldateien oder Architekturinformationen benötigt. Entwickler sollten Neo für externe Angriffsszenarien ohne Zugriff auf interne Systemdetails einsetzen.
Davis Franklin aus einer Webinaraufzeichnung betonte den Unterschied zwischen der Erkennung von Sicherheitslücken mit Hilfe eines LLM und dem Betreiben eines ausgereiften Sicherheitssystems. Die Plattform Neo soll diesen Unterschied überbrücken, indem sie eine funktionsfähige Prototypenentwicklung ermöglicht, die innerhalb von 30 Minuten realisiert werden kann und echte Schwachstellen findet. Nutzer sollten jedoch bedenken, dass ein vollständiges Sicherheitsprogramm mehr als nur einen einfachen DIY-Ansatz erfordert.
ProjectDiscovery reduzierte die Kosten für große Sprachmodelle wie Opus 4.5 um 59% durch die Implementierung von Prompt-Caching in ihrem autonomen Sicherheitsplattform-Tool Neo. Ohne diese Optimierung konnten komplexe Aufgaben bis zu 60 Millionen Tokens verbrauchen. Entwickler sollten ähnliche Kosteneinsparungen durch die Anwendung von Prompt-Caching bei der Nutzung von Sprachmodellen erwarten.
RomM 4.4.0 - XSS_CSRF Chain
LLMs are a genuine leap forward for vulnerability discovery. Anthropic reported 500+ zero-days from Opus 4.6 and OpenAI's Codex Security discovered 14 CVEs across projects like OpenSSH and GnuTLS. If you've experimented with LLMs for security testing, you've probably been impressed too. The...
This is Part 2 of our vibe coding security benchmark study. In Part 1, we compared how LLM-based security tools like ProjectDiscovery's Neo and Claude Code performed against traditional SAST and DAST scanners on AI-generated code. We found that LLM-based tools like Neo and Claude Code detected many...
Executive Summary Neo found a Server-Side Request Forgery (SSRF) vulnerability in Faraday, a widely used HTTP client library in the Ruby ecosystem. This is Neo’s first credited CVE discovery. Neo is ProjectDiscovery’s AI security copilot for tasks like code review and vulnerability discovery. For...
AI code review can reason about intent, but real incidents often stem from business logic flaws that only show up in runtime. Our benchmark reveals where code-only review falls short.
Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
Democratizing Security, One Contribution at a Time Today, we're excited to announce the launch of the ProjectDiscovery OSS Bounty Program, a new initiative to reward meaningful contributions to our open-source security tools. The Vision At ProjectDiscovery, we've always believed that security...
In 2026, most organizations aren’t shipping “applications” so much as they’re shipping continuous change; across APIs and services, infrastructure and configuration, identity and permissions, feature flags, and AI-assisted code.
Introduction Accurate external asset discovery remains a moving target for security teams at scale. What’s actually exposed is hard to pin down, regardless of how many inventories or spreadsheets an organization maintains. Release cycles move faster, new domains and endpoints are added constantly,...
Update: nominations are now closed, and voting is live! Cast your vote here Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentati
A Year of Real-World Exploitation If you work in security, you probably remember React2Shell. Shortly after public disclosure, scanning activity increased, and exploitation attempts began to surface. That sequence showed up repeatedly across several of 2025’s most impactful vulnerabilities....
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi
Neo is a cloud-based AI security engineer that works alongside your team and takes on real security tasks like a true co-engineer. As it operates, it continuously learns your systems and processes, improving over time just like an engineer ramping up on your team. Neo is built as a framework, not...
Summary of Releases v10.3.2 & v10.3.4 This month, we had two releases of Nuclei Templates, introducing numerous improvements and new templates for Nuclei users. 🚀 November Stats Release New Templates Added CVEs Added First-time Contributors Bounties Awarded v10.3.2 129 56 9 7 v10.3.4 68 27 11...
Introduction This blog serves as a detailed methodology guide for analyzing, reversing, and researching web vulnerabilities, particularly those with CVEs assigned. The content outlines repeatable processes used to evaluate vague advisories, analyze vulnerable software, and ultimately recreate or...
HTTP Anomaly Rank If you've ever used Burp Intruder or Turbo Intruder, you'll be familiar with the ritual of manually digging through thousands of responses by repeatedly sorting the table via length,
Imagine discovering that your company's login credentials are sitting in plain sight on the internet, accessible to anyone who knows where to look. Unfortunately, this isn't hypothetical – it's happening right now to organizations worldwide through malware-stolen credentials. The Hidden Threat:...
Summary of Releases v10.3.0 & v10.3.1 This month, we had two major releases of Nuclei Templates, introducing numerous improvements and new templates for Nuclei users. 🚀 Hacktober Stats Release New Templates Added CVEs Added First-time Contributors Bounties Awarded v10.3.0 124 90 6 12 v10.3.1...