latesthackingnews.com

5 curated AppSec resources from latesthackingnews.com across 5 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-07-04.

Date Added | Resource (year) | Topic
(The excerpt for each resource follows its entry.)

2026-07-04 | CSRF Attack Explained: Mechanics, Real Exploits and How to Test for It (2026) | CSRF
Library for understanding and testing CSRF attacks, explaining how they exploit browser cookie handling to force unwanted actions on authenticated users. It details the mechanics, preconditions, and real-world exploits like router DNS hijacking and uTorrent configuration flaws, contrasting CSRF with XSS. The library also covers defensive strategies including synchronizer tokens, signed double-submit cookies, SameSite cookies, and pre-session tokens for login CSRF, along with manual testing techniques.

2026-06-28 | Programming Languages for Cyber Security: What the Tools Use (2026) | Python
Library of articles exploring programming languages crucial for cybersecurity tool development and operation. It highlights Python as the dominant language for offensive and defensive tooling, citing examples like Impacket and Volatility 3. Bash and PowerShell are presented as essential for OS interaction, while C and C++ are linked to memory safety vulnerabilities and exploit development. JavaScript is key for web security, SQL for injection attacks and database defence, and Assembly for malware analysis and reverse engineering. Ruby's role is tied to Metasploit, and Rust and Go are positioned as future languages for secure tooling.

2026-06-26 | Gaslight macOS Malware and the AI Triage Blind Spot (2026) | AI
Analysis of the Gaslight macOS malware details its novel technique of embedding 38 fabricated error messages designed to confuse LLM-assisted triage systems. This Rust-based backdoor, attributed to a North Korean-linked cluster, targets the AI analysis output stage rather than traditional sandboxes. While current production AI platforms were unaffected, this adversarial approach highlights the evolving threat landscape as malware authors adapt to defensive tooling, demonstrating an iterated progression from earlier evasion methods.

2026-06-25 | Cisco Unified CM SSRF Flaw Is Being Exploited to Drop Webshells (2026) | SSRF
Writeup detailing CVE-2026-20230, a critical Cisco Unified CM SSRF vulnerability actively exploited for webshell deployment. Attackers use the flaw in the WebDialer component to write arbitrary files to the OS via `file://` URIs, leading to persistent remote code execution. The attack chain involves installing a rogue Apache Axis service, writing a JSP file-writer, and then dropping a command-execution webshell. Cisco released patches for Release 14 (14SU6) and an interim COP patch for Release 15, with the full fix (15SU5) expected in September.

2026-06-22 | SQL Injection: Why It Persists and How to Prevent It (2026) | SQLi
Guide to preventing SQL injection, a persistent vulnerability that remains in the OWASP Top 10, detailing its mechanisms like in-band, blind, and out-of-band attacks. It emphasizes parameterized queries as the definitive fix, alongside allow-listing structural query parts, least privilege database accounts, error suppression, and static analysis tools like Semgrep for early detection. The guide also suggests manual testing with single quotes and automated tools like sqlmap for identifying and exploiting potential injection points, referencing CVEs and vendor advisories for known vulnerabilities.
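The CSRF entry above lists the signed double-submit cookie among the defences it covers. The following is an added example written for this listing, not code from the latesthackingnews.com article: a minimal server-side implementation in Python showing why the signature (binding the token to the session id) matters, alongside an Origin check as defence in depth. The secret, the allowed origin `https://app.example`, the cookie name `csrf`, and the three simulated requests in `demo()` are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; in production this comes from configuration or a KMS.
SERVER_SECRET = b"example-only-secret-rotate-me"
ALLOWED_ORIGIN = "https://app.example"   # assumed origin of the protected application


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a token of the form <nonce>.<hmac-sha256>.

    The HMAC covers the session id, so a token is only valid for the session it
    was issued to. That binding is what separates the *signed* double-submit
    cookie from the naive variant, which an attacker able to set a cookie for
    the site (e.g. from a sibling subdomain) can forge outright.
    """
    nonce = secrets.token_hex(16)
    msg = f"{session_id}!{nonce}".encode()   # '!' never appears in token_hex output
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, cookie_token, form_token, secret=SERVER_SECRET) -> bool:
    # 1. Double submit: the cookie copy and the request-body copy must both be
    #    present and equal. A cross-site page cannot read the cookie, so it cannot
    #    reproduce the value in its forged form.
    if not cookie_token or not form_token:
        return False
    if not hmac.compare_digest(cookie_token, form_token):
        return False
    # 2. Signature: the token must have been minted by this server for *this* session.
    nonce, sep, mac = cookie_token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}!{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(session_id, cookies, form, origin=None) -> int:
    """Handler for a state-changing POST. Returns an HTTP status code."""
    # Defence in depth: when the browser sends Origin, reject cross-origin requests first.
    if origin is not None and origin != ALLOWED_ORIGIN:
        return 403
    if not verify_csrf_token(session_id, cookies.get("csrf"), form.get("csrf")):
        return 403
    return 200


def demo() -> dict:
    """Three constructed requests against the same victim session."""
    victim = "sess-" + secrets.token_hex(8)
    token = issue_csrf_token(victim)

    # Legitimate same-origin form submission: cookie and body carry the same token.
    legit = handle_transfer(victim, {"csrf": token}, {"csrf": token, "to": "bob"},
                            origin=ALLOWED_ORIGIN)

    # Forged POST from another site with no Origin header: the browser still
    # attaches the victim's cookie, but the attacker's form cannot include a token
    # value it never saw, so the double-submit comparison fails.
    forged = handle_transfer(victim, {"csrf": token}, {"to": "mallory"})

    # Cookie tossing: the attacker plants a token minted for *their own* session into
    # both the cookie and the form. The copies match, but the HMAC was computed over
    # a different session id, so the signature check fails.
    planted = issue_csrf_token("attacker-session")
    tossed = handle_transfer(victim, {"csrf": planted}, {"csrf": planted, "to": "mallory"})

    return {"legitimate": legit, "forged_cross_site": forged, "cookie_tossing": tossed}


if __name__ == "__main__":
    print(demo())
```

The cookie-tossing case is the one a plain (unsigned) double-submit cookie would wave through, since it only compares the two copies; the session binding is the reason the article's recommendation is the signed variant.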