
📚 Knowledge Base

Vulnerability Database, CVE Feeds, Attack Chains & Security Glossary

🚨 Latest Web Application CVEs
CVE-2024-4577
CRITICAL
PHP-CGI Argument Injection Vulnerability - RCE via crafted query strings in PHP CGI mode
CVE-2024-21413
CRITICAL
Microsoft Outlook Remote Code Execution - Hyperlink spoofing leading to RCE
CVE-2024-3400
CRITICAL
Palo Alto Networks PAN-OS Command Injection - Pre-auth RCE in GlobalProtect Gateway
CVE-2024-27198
HIGH
JetBrains TeamCity Authentication Bypass - Pre-auth account takeover
CVE-2023-50164
CRITICAL
Apache Struts File Upload - Path traversal leading to RCE

🧠 Vulnerability Knowledge Base

🗺️
Interactive MindMaps
Visual mind-maps covering 9 vulnerability categories with attack chains and exploitation workflows.
🎯
OWASP Resources
Comprehensive guides for OWASP Top 10, testing methodology, and Web Security Testing Guide (WSTG).
OWASP WSTG Top 10
⛓️
Attack Chain Library
Multi-stage attack scenarios: IDOR → Privilege Escalation, XSS → Session Hijacking, SQLi → RCE chains.
🎪
Practice Playgrounds
Hands-on vulnerability labs and intentionally vulnerable applications for practice.
PortSwigger Labs Hacksplaining
📑
Exploit Database
Searchable archive of exploits, shellcodes, and proof-of-concepts for known vulnerabilities.
Exploit-DB Packet Storm
🔧
Misconfiguration Guides
Common security misconfigurations in cloud platforms, containers, APIs, and web servers.

📰 Threat Intelligence & Security News

🔔
CVE Feeds & NVD
Latest Common Vulnerabilities and Exposures from the National Vulnerability Database.
NVD CVE Search
🏒
Vendor Advisories
Official security bulletins from Microsoft, Google, Apache, Cisco, and major vendors.
Microsoft Cisco
🌐
Security Blogs & Research
Cutting-edge security research, 0-days, and vulnerability disclosure from researchers.
PortSwigger Orange Tsai ZDI
📻
Security Podcasts & Videos
Educational content, conferences, and real-world hacking demonstrations.
Video Hub NahamSec PwnFunction
🎯
Bug Bounty Writeups
Real-world bug bounty reports from HackerOne, Bugcrowd, and independent researchers.
HackerOne Pentester Land
🔬
Exploit PoCs & Tools
GitHub repositories with proof-of-concept exploits and exploitation frameworks.
Payloads Nuclei

📖 Security Glossary

Bounty Hunter
Security researcher who finds and reports vulnerabilities to organizations in exchange for monetary rewards.
Bug Bounty
CVSS Score
Common Vulnerability Scoring System - standardized metric (0-10) for measuring vulnerability severity.
Severity
Responsible Disclosure
Practice of reporting security vulnerabilities privately to the affected organization before public disclosure.
Ethics
Scope (Bug Bounty)
Defined boundaries of systems, domains, and vulnerabilities that are authorized for testing in a bug bounty program.
Bug Bounty
XSS (Cross-Site Scripting)
Injection vulnerability allowing attackers to inject malicious scripts into web pages viewed by other users.
Injection
CSRF (Cross-Site Request Forgery)
Attack forcing authenticated users to execute unwanted actions on a web application they're logged into.
Authentication
SQL Injection (SQLi)
Code injection technique exploiting SQL query vulnerabilities to manipulate database operations.
Injection
IDOR (Insecure Direct Object Reference)
Access control vulnerability allowing attackers to access unauthorized objects by modifying object identifiers.
Access Control
SSRF (Server-Side Request Forgery)
Vulnerability allowing attackers to make the server send crafted requests to internal systems or external domains.
SSRF
XXE (XML External Entity)
Injection attack exploiting XML parsers to access local files, internal systems, or trigger denial of service.
Injection
LFI (Local File Inclusion)
Vulnerability allowing attackers to include local files on the server, potentially leading to code execution.
File Operations
RFI (Remote File Inclusion)
Vulnerability allowing inclusion of remote files, often leading to remote code execution.
File Operations
RCE (Remote Code Execution)
Critical vulnerability allowing attackers to execute arbitrary code on a remote system.
Exploitation
Clickjacking
UI-based attack tricking users into clicking on malicious content disguised as legitimate interface elements.
Client-Side
Open Redirect
Vulnerability allowing attackers to redirect users to malicious external sites via manipulated URL parameters.
Redirection
Subdomain Takeover
Claiming ownership of unclaimed subdomains pointing to external services (GitHub Pages, AWS S3, etc.).
DNS
2FA/MFA (Multi-Factor Authentication)
Security mechanism requiring multiple verification methods beyond just username and password.
Authentication
JWT (JSON Web Token)
Compact, URL-safe token format for securely transmitting information between parties as a JSON object.
Authentication
OAuth
Open standard authorization protocol allowing third-party applications limited access to user accounts.
Authorization
Session Fixation
Attack forcing a user's session ID to a known value, allowing session hijacking after authentication.
Session Management
PoC (Proof of Concept)
Demonstration code or exploit proving that a vulnerability exists and can be exploited.
Testing
Payload
Malicious input or code designed to exploit a vulnerability and achieve a specific objective.
Exploitation
Fuzzing
Automated testing technique providing invalid, unexpected, or random data as input to discover vulnerabilities.
Testing
Enumeration
Information gathering phase extracting usernames, hostnames, network resources, and services from a system.
Reconnaissance
OSINT (Open-Source Intelligence)
Collecting information from publicly available sources like social media, websites, and public databases.
Reconnaissance
WAF (Web Application Firewall)
Security system filtering and monitoring HTTP traffic between a web application and the Internet.
Defense
REST API
Architectural style for web services using HTTP methods (GET, POST, PUT, DELETE) for CRUD operations.
API
GraphQL
Query language for APIs allowing clients to request exactly the data they need with flexible queries.
API
BOLA (Broken Object Level Authorization)
API vulnerability where object-level permissions aren't properly enforced (OWASP API Security #1).
API Security
Rate Limiting
Security control restricting the number of requests a user can make within a time period.
Defense
Privilege Escalation
Exploiting bugs or misconfigurations to gain elevated access beyond initially granted permissions.
Exploitation
Reverse Shell
Remote access technique where the target system initiates a connection back to the attacker's machine.
Exploitation
Webshell
Malicious script uploaded to a web server, enabling remote administration and command execution.
Exploitation
Zero-Day (0-day)
Previously unknown vulnerability with no patch available, giving zero days to fix before exploitation.
Vulnerability
CVE (Common Vulnerabilities and Exposures)
Standardized identifier for publicly known security vulnerabilities (e.g., CVE-2024-1234).
Vulnerability
CWE (Common Weakness Enumeration)
Community-developed categorization system for software security weaknesses (e.g., CWE-79: XSS).
Vulnerability