appsec.fyi · Sources

bishopfox.com

15 curated AppSec resources from bishopfox.com across 11 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-25.

Each entry lists the date the resource was added, its title, the appsec.fyi topic tags it is indexed under, and an excerpt.

Date added: 2026-06-25
Resource: AI Finds Vulnerabilities. Security Experts Find Impact.
Topics: AI, Bug Bounty
Excerpt: Walkthrough of a web application assessment demonstrating AI's role in speeding up security work by identifying patterns and tracing data flows. The analysis highlights how AI can accelerate code reviews and identify initial vulnerability candidates, such as a phone verification bypass and SSRF opportunities, but emphasizes the critical need for human expertise to validate findings, uncover deeper impact, and connect seemingly disparate issues. The assessment details how a simple bypass was elevated to a self-reproducing account activation chain and how a seemingly unreliable bypass was revealed to be a timing issue influenced by Redis caching, underscoring the limitations of AI in discerning the true impact and root cause of vulnerabilities.

Date added: 2026-06-19
Resource: Shynet | VERSION 0.13.1
Topics: API Sec, Bug Bounty
Excerpt: Library identifying vulnerabilities in Shynet version 0.13.1. Two issues were found: an unauthenticated stored cross-site scripting (XSS) vulnerability (CVE-2026-35508) allowing malicious JavaScript injection into analytics scripts, and an insecure input validation flaw in the password reset feature enabling account takeover via Host header spoofing.

Date added: 2026-06-18
Resource: A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318
Topics: RCE
Excerpt: Tool for detecting SolarWinds Serv-U CVE-2026-28318, a denial-of-service vulnerability affecting versions prior to 15.5.4 HF1. The vulnerability allows an unauthenticated POST request with `Content-Encoding: deflate` to crash the service by triggering heap corruption. While heap corruption can sometimes lead to remote code execution, this analysis demonstrates that three distinct RCE exploitation paths are dead ends, confirming the vulnerability's impact is availability-only. The tool flags vulnerable hosts without triggering the crash, and mitigation involves patching or WAF filtering of POST requests with `Content-Encoding` headers.

Date added: 2026-06-18
Resource: The Smash-and-Grab Era
Topics: AI
Excerpt: Analysis of the "Smash-and-Grab Era" in cyberattacks, detailing the shift from "low-and-slow" espionage exemplified by Volt Typhoon and Titan Rain, to loud ransomware negotiations seen with ALPHV/BlackCat, and now to rapid, parallel operations driven by LLMs. This new era, where LLM-as-C2 malware like PROMPTSTEAL generates commands on the fly, eliminates human inference bottlenecks, enabling attackers to advance multiple paths simultaneously, overwhelming traditional detection and response models by making intervention impossible to prioritize.

Date added: 2026-06-12
Resource: Enabling Proper PCI Testing with Internal Penetration Tests
Topics: Bug Bounty
Excerpt: Tooling for internal penetration testing (IPT) that supports PCI DSS v4.0.1 requirements, addressing expanded scope including cloud infrastructure, SaaS applications, and build pipelines like GitHub Actions and Azure DevOps. This IPT approach emphasizes understanding cardholder data flows, segmentation controls, and unique access paths into the CDE, testing not only network segmentation but also authentication and authorization. Deliverables include executive summary reports and detailed documentation of tested segments, IP addresses, and open ports.

Date added: 2026-06-10
Resource: Mythos Doesn't Deploy Itself
Topics: AI
Excerpt: Toolset analysis highlighting how AI models like ChatGPT, Claude, and Gemini are impacting vulnerability research. It discusses how skilled researchers leverage LLMs with effective harnesses, referencing Niels Provos's use of IronCurtain to find zero-days, while less skilled practitioners produce inaccurate, polished reports, leading to issues like those seen with Bugcrowd and HackerOne's bug bounty programs. The core argument posits that human judgment and expertise in orchestration and validation remain critical, regardless of model capabilities, as demonstrated by findings in Cisco's Talos and Anthropic's red team efforts.

Date added: 2026-06-08
Resource: Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass
Topics: AuthN, JWT
Excerpt: Tool for detecting CVE-2026-0265, a pre-authentication JWT signature bypass in PAN-OS and Panorama. The vulnerability, exploitable when Cloud Authentication Service (CAS) is attached to an authentication profile, affects both GlobalProtect portals and the management interface. This detection script utilizes a single anonymous HTTP request to the `/global-protect/prelogin.esp` endpoint to definitively determine a system's vulnerable or non-vulnerable status, by examining the presence of `<cas-auth>yes</cas-auth>` and extracting the authoritative PAN-OS version from an embedded JWT.

Date added: 2026-06-08
Resource: Sparkplug B Protocol Fuzzing with AI Assistance
Topics: AI, Fuzzing
Excerpt: Tool for fuzzing the Sparkplug B protocol, an MQTT-based standard for industrial control systems. This fuzzer systematically targets message types, data types, and field paths, identifying crashes, protocol violations, and state-handling bugs. AI assistance refined the Python implementation, improving coverage, efficiency, and adding CLI functionality for security testing of ICS and SCADA devices.

Date added: 2026-06-08
Resource: Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557
Topics: AuthZ, RCE
Excerpt: Tool for detecting and weaponizing CVE-2026-22557, an unauthenticated path traversal vulnerability in UniFi Network Application's guest captive portal. This critical flaw, with a CVSS score of 10.0, allows attackers to read arbitrary files from customized portals, potentially exfiltrating backups containing administrative credentials for all managed devices. The accompanying tool from Bishop Fox safely identifies vulnerable controllers, while this analysis details attack paths, exploitability preconditions, and mitigation strategies, including patching to updated versions like 10.1.89 or later.

Date added: 2026-06-08
Resource: Otto Support - Testing MCP Servers
Topics: AuthZ
Excerpt: Tool for testing MCP servers; utilizes nmap for discovery, a Nuclei template to identify MCP endpoints, and MCP Inspector to enumerate services and exploit an authorization gap. This bypass allows an unprivileged user to delete other users' tickets by directly calling the `delete_ticket` JSON-RPC method, demonstrating that MCP servers share familiar security fundamentals with traditional web services.

Date added: 2026-06-08
Resource: Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis
Topics: AuthZ, RCE
Excerpt: Tool for detecting unauthenticated RCE chains on UniFi OS Server, specifically addressing CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. This vulnerability allows attackers to bypass authentication, perform path traversal, and achieve command injection leading to root privileges. The tool aids defenders in identifying exposed systems and recommends immediate patching, network segmentation, and secret rotation, as exploitation grants access to sensitive data and control over managed devices.

Date added: 2026-04-16
Resource: Power Up Pen Tests: Create Burp Suite Extensions with Montoya API
Topics: Burp
Excerpt: Library for developing Burp Suite extensions using the Montoya API, streamlining tasks like authentication handling, API data mining, and UI visualization. This API, introduced in Burp Suite 2022.9.5, offers improved object-oriented design, WebSocket support, and simplified HTTP message manipulation compared to the older extender API, enabling developers to create more robust and flexible tools like the example "BurpCage" extension that replaces images with Nicolas Cage photos.

Date added: 2026-04-11
Resource: Swagger Jacker: Auditing OpenAPI Definition Files
Topics: API Sec
Excerpt: Tool for auditing OpenAPI definition files. Swagger Jacker automates the analysis of API routes defined in specification documents, identifying potential vulnerabilities like IDOR and SQL injection. It parses fields such as "Info" for API metadata and "security" for authentication mechanisms, then generates requests to test endpoint accessibility and authentication requirements, significantly reducing manual testing time for publicly exposed or unintentionally leaked definition files.

Date added: 2026-04-10
Resource: Ruby Vulnerabilities: Exploiting Open, Send, and Deserialization
Topics: Deser
Excerpt: Library for exploiting common Ruby-specific remote code execution vulnerabilities, including insecure use of the `open` function, malicious `send` or `public_send` calls, and binary deserialization gadget chains. It provides a walkthrough and a vulnerable Ruby on Rails application to demonstrate exploitation techniques found during an assessment.

Date added: 2026-04-10
Resource: Arista Firewall XSS to RCE Chain
Topics: XSS
Excerpt: Writeup detailing the exploitation chain of CVE-2025-6980, CVE-2025-6979 (an XSS vulnerability), and CVE-2025-6978 against Arista Next Generation Firewalls. This chain allows for remote code execution by combining an XSS vulnerability that steals administrator credentials with a command injection flaw that grants root privileges, a vulnerability the vendor's patch did not fully remediate. Disabling the captive portal is suggested as a mitigation alongside upgrading to the patched software version.