GenAI Security, CSP Bypass, Kubesafe Tool Spotlight, Windows 0-day & More
Cybersecurity — For Security Professionals
Hey! James here. Welcome to VayFul®!
Bringing you the latest insights from the world of cybersecurity.
Today’s edition includes:
🧠 Top Tutorials/learning: GenAI security, Bypass SSH keystroke obfuscation, XSS and more!
🔥 Writeups: Interesting vulnerabilities - CSP bypass, HTTP request smuggling and more!
🛠️ Tools Spotlight: Kubesafe, DockerSpy and more!
📰 Security reads: Windows Zero Day, Solarwinds Vulnerability and more!
Read time: 5 minutes
P.S. If you have any questions or topics you’d like us to cover, just hit reply and let me know. I’d love to hear from you!
Let’s dive in!
🧠 BEST OF TUTORIALS & LEARNING RESOURCES 🧠
Assetnote reveals a critical vulnerability chain in ServiceNow that, if exploited, could grant attackers access to all of your company's data stored within the platform. The chain involves exploiting three separate bugs and highlights the importance of timely patching and security best practices.
Phil Stokes' research exposes limitations in SSH keystroke obfuscation, allowing attackers to bypass these measures and compromise encrypted sessions. This underscores the need for layered SSH security and vigilance against evolving threats.
Netlify's Image CDN flaw enables XSS attacks via malicious URL injection, risking user accounts and data. Researchers stress secure coding and rigorous testing to prevent CDN vulnerabilities.
Tom Goldstein talks about security issues in AI, Open AI, GenAI, ML, LLM.
🔥 INTERESTING WRITEUPS 🔥
A $1500 bounty writeup detailing a Content Security Policy (CSP) bypass found in a Google Script resource.
A $4660 bounty writeup detailing an HTTP request smuggling attack found in an Apache Tomcat resource.
🛠️ TOOLS SPOTLIGHT 🛠️
Kubesafe lets you safely manage multiple Kubernetes clusters by defining safe contexts and protected commands.
Fibratus detects, protects, and eradicates advanced adversary tradecraft by scrutinizing and asserting a wide spectrum of system events against a behavior-driven rule engine and YARA memory scanner.
DockerSpy searches for images on Docker Hub and extracts sensitive information such as authentication secrets, private keys, and more.
📰 TOP SECURITY READS 📰
Jens Willmer's tutorial showcases Tailscale Funnel, a secure, hassle-free tool for exposing local ports during app development and testing, leveraging Tailscale's VPN for HTTPS access, simplifying secure sharing.
Microsoft warns of Windows Update zero-day "patch rollback" flaw CVE-2024-43491, enabling attackers to undo security fixes, putting users at risk. Urgent update recommended.
SolarWinds ARM 2024.3.1 update fixes bugs, patches RCE flaw, improves UX; users urged to update for security and stability.
⚡️ QUICK LINKS ⚡️
AI security fundamentals by Microsoft (Free Course) - Learn the basic concepts of AI security and the types of security controls that apply to AI systems.
Building a Simple Fuzzer (Resource) - Dive into Fuzz Testing Fundamentals by creating a basic fuzzer tool of your own.
Exploring Rate Limiting Nullifier (Resource) - Rate Limiting Nullifier's ability to bypass rate limiting, highlighting the need for layered web app security beyond basic rate limiting.
🎯 FAVOURITE QUOTE OF THE DAY 🎯
“The only impossible journey is the one you never begin.”
- Tony Robbins
💡 ABOUT VAYFUL® 💡
Vayful® is a cybersecurity newsletter that curates the best cybersecurity news, research, tools, blogs, talks, tutorials, and learning resources — specially handpicked for security professionals. The content is curated with love by security professionals.