This article explains what server‑side request forgery (SSRF) is, describes its impact, common attack vectors such as targeting the server itself or internal services, outlines bypass techniques for blacklist and whitelist filters, and discusses blind SSRF detection using out‑of‑band methods.
This article continues a series on server‑side template injection by presenting four hands‑on labs covering Tornado (Python), Velocity (Java), Freemarker (Java) and a Freemarker sandbox‑escape, detailing syntax basics, attack surfaces, exploit payloads, defensive measures, and step‑by‑step exercises.
This article provides a comprehensive overview of the MQTT protocol, covering its origin in 1999, the problems it addresses, and detailed explanations of its fixed header, variable header, and payload structures, along with practical considerations for IoT applications.
This article explains how Python's eval can execute arbitrary code, demonstrates multiple bypass techniques—including __import__, __builtins__ manipulation, and object subclass exploitation—and shows how to safely restrict eval using whitelist globals or ast.literal_eval to prevent code injection and denial‑of‑service attacks.
This article walks through setting up a Kali Linux host, creating a malicious payload, configuring Metasploit’s handler, and successfully gaining a meterpreter session on a Windows 7 target, illustrating core penetration‑testing techniques for educational purposes.
The article presents a comprehensive technical analysis of a sophisticated Windows trojan that masquerades as a Word document, detailing its delivery method, file extraction process, registry modifications, remote‑control capabilities, and the organized, targeted attack infrastructure behind it.
