appsec.fyi · Sources

assetnote.io

5 curated AppSec resources from assetnote.io across 3 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.

Date Added | Year | Resource | Topic
Excerpt

2026-04-22 | 2026 | Maximizing Security Outcomes: The Role of ASM in Bug Bounty Programs | Recon
Library for optimizing bug bounty programs around an attacker's mentality and high-impact findings. It argues for continuous, wide-breadth attack surface analysis paired with deep mapping of what is found, principles that originated in the bug bounty space. It also explains how programs attract top talent by aligning with the motivations of hunters, who prioritize high payouts and concentrate on a small number of programs that reward their manual hacking effort well.

2026-04-16 | 2026 | Internet-Wide Recon: Moving Past IP-Centric Approaches | Recon
Reference on the limits of IP-centric scanning for internet-wide reconnaissance. Cloud architectures, complex routing, WAFs, CDNs and TLS SNI mean that many subdomains share a single IP, so probing the address alone sends the wrong Host header (and wrong SNI), never reaches the intended application behind the virtual host or CDN, and misses a large part of the attack surface. The discussion calls for discovery methods that start from subdomain data and its associated metadata, not from address ranges, to map the attack surface comprehensively.

2026-04-16 | 2026 | The Art of Recon: Strategies for Modern Asset Discovery | Recon
Technique outlining modern asset discovery and reconnaissance strategies that move beyond a purely tool-centric approach. It frames outcome-driven recon around breadth, depth, context, amplification and focus, so that the work leads to critical vulnerabilities and insights into an organization's attack surface rather than a pile of hostnames. The approach tracks the shift of IT infrastructure from traditional data centres to cloud-native environments and adapts reconnaissance techniques accordingly.

2026-04-16 | 2026 | Exploiting GraphQL (Assetnote Research) | GraphQL
Tool write-up on BatchQL, a GraphQL auditing script that detects whether introspection is enabled, whether schema (field) suggestions are returned, and whether the endpoint is exposed to CSRF. Its core feature is batching: many operations are sent in a single HTTP request as a JSON list, so a per-request rate limit on functionality such as password-reset code verification counts one request for a whole batch of attempts. It also covers query-name-based batching and recovering a schema with Clairvoyance when introspection is disabled.

2024-10-15 | 2024 | Digging for SSRF in NextJS apps | SSRF
Library detailing common Server-Side Request Forgery (SSRF) patterns in NextJS applications, focused on the `_next/image` endpoint and Server Actions. It explains how the image optimizer becomes an SSRF primitive through a permissive `remotePatterns` configuration, how older versions allowed SVG XSS or leaked XML responses, and how an open redirect on an allowed domain yields blind SSRF. It then shows that when a Server Action redirects to a path starting with `/`, the server resolves that relative path against the request's `Host` header and fetches the result itself, so a forged `Host` header points the fetch at internal resources.
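The rate-limit bypass described in the BatchQL entry above, as an added example that is not part of this page or of BatchQL itself: a toy GraphQL endpoint whose limiter counts HTTP requests, and a client that packs many `verifyResetCode` operations into one JSON-list body. The mutation name, the e-mail address and the toy server are assumptions made for illustration; `max_batch` shows the corresponding hardening (refusing large batches).

```python
"""Added example: JSON-list batching against a per-request rate limiter."""
import json
from dataclasses import dataclass
from typing import Optional

# Hypothetical mutation; the real operation name depends on the target schema.
RESET_MUTATION = (
    "mutation VerifyReset($email: String!, $code: String!) "
    "{ verifyResetCode(email: $email, code: $code) }"
)


def build_operation(email: str, code: str) -> dict:
    return {"query": RESET_MUTATION, "variables": {"email": email, "code": code}}


def build_json_list_batch(email: str, codes: list[str]) -> str:
    """JSON-list batching: many operations in the body of ONE HTTP request."""
    return json.dumps([build_operation(email, c) for c in codes])


@dataclass
class ToyGraphQLServer:
    """Constructed stand-in for a GraphQL endpoint (not a real server)."""
    valid_code: str
    max_requests: int = 5            # the limiter counts HTTP requests, not operations
    max_batch: Optional[int] = None  # None = unlimited batching (the weak default)
    requests_seen: int = 0

    def handle(self, body: str):
        self.requests_seen += 1
        if self.requests_seen > self.max_requests:
            return 429, {"errors": [{"message": "rate limited"}]}
        payload = json.loads(body)
        is_batch = isinstance(payload, list)
        ops = payload if is_batch else [payload]
        # Hardening: cap the number of operations a single request may carry.
        if self.max_batch is not None and len(ops) > self.max_batch:
            return 400, {"errors": [{"message": "batch too large"}]}
        results = [self._execute(op) for op in ops]
        return 200, (results if is_batch else results[0])

    def _execute(self, op: dict) -> dict:
        ok = op["variables"]["code"] == self.valid_code
        return {"data": {"verifyResetCode": ok}}


def supports_json_list_batching(server: ToyGraphQLServer) -> bool:
    """Detection step: send two harmless operations as a JSON list; batching is
    on if the endpoint answers 200 with a list of two results."""
    status, resp = server.handle(build_json_list_batch("probe@example.com", ["0000", "0001"]))
    return status == 200 and isinstance(resp, list) and len(resp) == 2


def brute_force_reset_code(server: ToyGraphQLServer, email: str, codes: list[str],
                           batch_size: int) -> tuple[Optional[str], int]:
    """Try every code, batch_size operations per HTTP request.
    Returns (accepted code or None, HTTP requests used)."""
    requests_used = 0
    for i in range(0, len(codes), batch_size):
        chunk = codes[i:i + batch_size]
        if batch_size == 1:
            body = json.dumps(build_operation(email, chunk[0]))   # plain single operation
        else:
            body = build_json_list_batch(email, chunk)
        status, resp = server.handle(body)
        requests_used += 1
        if status != 200:
            return None, requests_used
        results = resp if isinstance(resp, list) else [resp]
        for code, result in zip(chunk, results):
            if result["data"]["verifyResetCode"]:
                return code, requests_used
    return None, requests_used


if __name__ == "__main__":
    codes = [f"{i:04d}" for i in range(10000)]
    weak = ToyGraphQLServer(valid_code="7349")
    print("batched:", brute_force_reset_code(weak, "victim@example.com", codes, 2000))
    hardened = ToyGraphQLServer(valid_code="7349", max_batch=10)
    print("capped: ", brute_force_reset_code(hardened, "victim@example.com", codes, 2000))
```

With a 5-request limit, one operation per request covers five of the 10,000 codes before the limiter fires, while 2,000-operation batches find the code on the fourth request. Capping the batch size is the simplest fix; counting every operation in a batch against the limit, rather than the request, achieves the same.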
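The Host-header SSRF pattern from the NextJS entry above, reduced to its mechanics as an added example (this is not NextJS source, only a model of the weak and the corrected URL resolution). The origin `app.example.com` and the toy resolver functions are assumptions for illustration.

```python
"""Added example: a relative redirect becomes SSRF when the server makes it
absolute with the untrusted Host header, versus resolving against a fixed origin."""
import ipaddress
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed deployment origin for the hardened variant (hypothetical hostname).
APP_ORIGIN = "https://app.example.com"


def resolve_redirect_vulnerable(host_header: str, location: str) -> str:
    """Weak pattern: a redirect target starting with '/' is made absolute using
    the request's Host header; the server then fetches that URL itself."""
    if location.startswith("/"):
        return f"http://{host_header}{location}"
    return location


def resolve_redirect_hardened(location: str, app_origin: str = APP_ORIGIN) -> Optional[str]:
    """Fix: resolve relative redirects against a configured origin and refuse
    anything that lands elsewhere. '//host/path' also starts with '/', so the
    origin check runs on the resolved URL, not on the raw string."""
    target = urljoin(app_origin + "/", location) if location.startswith("/") else location
    parts = urlsplit(target)
    if f"{parts.scheme}://{parts.netloc}" != app_origin:
        return None
    return target


def is_internal_target(url: str) -> bool:
    """True when the URL's host is loopback, private or link-local (cloud
    metadata lives at 169.254.169.254) or the literal 'localhost'.
    Hostnames that would need DNS are not resolved here."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


if __name__ == "__main__":
    # Constructed attacker request: forged Host header, action redirects to a path.
    forged_host, redirect_path = "169.254.169.254", "/latest/meta-data/"
    weak = resolve_redirect_vulnerable(forged_host, redirect_path)
    print("vulnerable fetches:", weak, "internal:", is_internal_target(weak))
    print("hardened fetches:  ", resolve_redirect_hardened(redirect_path))
    print("protocol-relative: ", resolve_redirect_hardened("//169.254.169.254/x"))
```

The hardened resolver never consults the Host header; that is the property to verify in any framework that follows redirects server-side, together with a check that the resolved target stays on the application's own origin.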