projectdiscovery.io
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-19.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-19 | The 2026 State of Attack Surface Management — ProjectDiscovery | Recon | Whitepaper on Attack Surface Management in 2026, detailing how AI adversaries operate at machine speed and render legacy ASM tools insufficient. It explains why traditional visibility-focused approaches fail against autonomous, adaptive attackers, and introduces the concept of "Proof-Based Intelligence" as the future of ASM. The document highlights the need for deterministic validation, application exposure logic, and adaptive learning, supported by real-world case studies demonstrating significant reductions in alerts and operational savings. |
| 2026-04-17 | The Ultimate Guide to Finding Bugs With Nuclei (ProjectDiscovery) | Recon | Library for efficient, extensible vulnerability scanning using YAML-based templates. Nuclei supports HTTP, DNS, SSL, and raw TCP protocols, allowing detection of CVEs, misconfigurations, and sensitive file exposures. It integrates into workflows with other tools and offers features like custom template creation, fuzzing, advanced DSL for matchers, and various scan modes including headless and network. Advanced options include rate limiting, template filtering by technology, severity, or name, and resuming interrupted scans. |
| 2026-04-16 | A Deep Dive on Katana Field Extraction | Recon | Tool for headless web crawling and field extraction. Katana, a Golang-based CLI tool from ProjectDiscovery, efficiently spiders web applications and supports customizable field extraction using regex. It reduces unstructured data by allowing users to filter and utilize output for reconnaissance pipelines or to identify specific data like unique parameters for fuzzing XSS vulnerabilities. Katana supports predefined fields and custom regex-based extraction for enhanced data processing. |
| 2026-04-11 | GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487) | AuthN | Library analyzing GitHub Enterprise's SAML implementation, detailing CVE-2024-4985 and CVE-2024-9487 which allow bypassing authentication with encrypted assertions through improper signature verification. The research locally recreates the SAML handling, identifies issues in the `build` method's signature extraction logic, and examines how the `valid?` function processes signatures to bypass validation by exploiting the order of operations during decryption and signature checking. |
| 2026-04-09 | Neo Found an SSRF Vulnerability in Faraday (CVE-2026-25765) | SSRF | Library analysis detailing CVE-2026-25765, a Server-Side Request Forgery (SSRF) vulnerability discovered in the Ruby HTTP client library Faraday. The SSRF arises from a URL parsing edge case where inputs like `//evil.com/steal` can override the intended destination host, even when passing basic path validation checks. This vulnerability, affecting Faraday up to version 2.14.0, was identified by AI security copilot Neo through autonomous code review of URL building logic, highlighting how subtle logic flaws can evade traditional static analysis tools. |
| 2026-04-03 | Reconnaissance 102: Subdomain Enumeration \| ProjectDiscovery | Recon | Tool series exploring subdomain enumeration for penetration testing and bug bounty hunting, detailing passive techniques with `subfinder` and active methods including brute-forcing with `amass` and `puredns`. This resource emphasizes the importance of efficient information gathering through both active and passive reconnaissance to identify potential attack vectors. |