Assetnote
176 posts
Assetnote
@assetnote
Assetnote combines advanced reconnaissance and high-signal continuous security analysis to help enterprises gain insight and control of their evolving exposure.
assetnote.io
Joined July 2017
0 Following, 10.2K Followers
  • Assetnote
    @assetnote
    Sep 13, 2020
    As an attacker, what do you do when you come across an IIS server? @infosec_au shares his first steps when it comes to hacking IIS/.NET. There will be more videos on this topic area. Please like, share and subscribe. youtu.be/HrJW6Y9kHC4
  • Assetnote
    @assetnote
    Apr 9, 2021
    We've just released our research, tooling and datasets on contextual content discovery, if you're interested in improving your content discovery skills, you should check it out!
    assetnote.io
    Contextual Content Discovery: You've forgotten about the API endpoints
  • Assetnote
    @assetnote
    Jun 17, 2023
    We're releasing a new tool to help you exploit tricky SSRF vulnerabilities called surf. With this tool, you can work out which external hosts are not responding to HTTP(s) that are prime candidates for your SSRF vulnerability. github.com/assetnote/surf
  • Assetnote
    @assetnote
    Jan 14, 2021
    What do you do once you have found a blind SSRF? Check out our blind SSRF glossary which contains a number of handy attack chains: blog.assetnote.io/2021/01/13/bli…. The post also briefly touches on SSRF canaries, using existing DNS data and side channel attacks.
    blog.assetnote.io
    A Glossary of Blind SSRF Chains
    Application security issues found by Assetnote
  • Assetnote
    @assetnote
    Mar 19, 2019
    Discovering a zero day and getting code execution on Mozilla's AWS Network
    assetnote.io
    Discovering a zero day and getting code execution on Mozilla's AWS Network
  • Assetnote
    @assetnote
    May 9, 2024
    Our security research team discovered a full-read SSRF in the Next.JS framework (CVE-2024-34351). You can read about our research here: assetnote.io/resources/rese…
  • Assetnote
    @assetnote
    Jul 17, 2019
    Zoom Zero Day Followup: Getting the RCE. Find our writeup and proof-of-concept in our blog: buff.ly/30xfcrW
  • Assetnote
    @assetnote
    Dec 28, 2021
    Our security research team discovered multiple critical vulnerabilities in Websphere Portal. You can read about these issues in our advisory and research blog post: blog.assetnote.io/2021/12/26/cha… blog.assetnote.io/2021/12/25/adv… Please follow the remediation section if you run this software.
    assetnote.io
    Turning bad SSRF to good SSRF: Websphere Portal (CVE-2021-27748)
  • Assetnote
    @assetnote
    Nov 30, 2021
    Our security research team discovered a full-read SSRF vulnerability in Jamf Pro. We have published an advisory on this issue here: blog.assetnote.io/2021/11/30/adv… and you can read about the discovery process here: blog.assetnote.io/2021/11/30/jam…
    assetnote.io
    Advisory: Jamf Pro SSRF - CVE-2021-39303 & CVE-2021-40809
  • Assetnote
    @assetnote
    Oct 1, 2023
    Our security research team discovered a pre-auth RCE vulnerability in Progress WS_FTP (CVE-2023-40044). Due to the exploit being released on Twitter, we've also published - Blog: assetnote.io/resources/rese… Advisory: assetnote.io/resources/rese…
  • Assetnote
    @assetnote
    Jul 11, 2024
    In May 2024, our security research team disclosed three critical issues in ServiceNow, which allowed for unauthenticated arbitrary code execution and data access for ServiceNow Vancouver or Washington instances. You can read our blog post here: assetnote.io/resources/rese…
  • Assetnote
    @assetnote
    Jul 11, 2023
    Given the recent high profile breaches of file transfer software, our security research team focused on Citrix ShareFile and discovered a critical pre-authentication RCE vulnerability. This has been assigned CVE-2023-24489. Our blog post can be found here:
  • Assetnote
    @assetnote
    Feb 3, 2024
    Early this morning, we alerted our customers to a new Ivanti SSRF vulnerability that our research team discovered when reverse engineering Ivanti’s latest patch. We decided to hold off on releasing this blog post publicly and support our customers in their remediation. Since
  • Assetnote
    @assetnote
    Jun 26, 2024
    Last week, our security research team reverse-engineered a critical CVSS 9.8 vulnerability in Magento (CVE-2024-34102), which allows for pre-authentication XML Entity Injection. Originally discovered by Sergey Temnikov (spacewasp). Read our notes here: assetnote.io/resources/rese…