SecWiki周刊（第263期） – 作者:SecWiki

安全资讯

[法规]  中央网信办关于开展App安全认证工作的公告 

http://gkml.samr.gov.cn/nsjg/rzjgs/201903/t20190315_292035.html?from=timeline&isappinstalled=0

[观点]  肖力：从RSA2019看安全技术发展的十个机遇

https://mp.weixin.qq.com/s/2JsDvnAGz4d1w1dg0qvChA

安全技术

[Web安全]  API 渗透测试基础介绍

http://blog.securelayer7.net/api-penetration-testing-with-owasp-2017-test-cases/

[其它]  红蓝对抗-大型互联网企业安全蓝军建设

https://kingx.me/Thinking-about-Red-Teaming.html

[其它]  验证码安全

https://bloodzer0.github.io/ossa/business/captcha/

[Web安全]  Goscan：一款功能强大的交互式网络扫描工具 

https://www.freebuf.com/sectool/196849.html

[取证分析]  入侵钓鱼站并溯源

http://drivertom.blogspot.com/2019/03/blog-post_16.html

[运维安全]  堡垒机的自动化功能实践-1

https://mp.weixin.qq.com/s/N8rtlk4Ai-Kb9QXW4Q77Lg

[数据挖掘]  董祎铖：态势感知从入坑到重生

https://mp.weixin.qq.com/s/vxQpnWKBYxzM4aZ3kFw4UA

[取证分析]  中通内网安全之外发流量管理

https://mp.weixin.qq.com/s/inANTt-97Rjfr6Rf5lJ07A

[Web安全]  绕过 WAF 的 XSS 检测机制研究

https://github.com/s0md3v/MyPapers/tree/master/Bypassing-XSS-detection-mechanisms

[Web安全]  Metinfo利用sql注入快速getshell

https://nosec.org/home/detail/2324.html

[运维安全]  旧树开新花—再谈GitHub监控

https://security.tencent.com/index.php/blog/msg/132

[运维安全]  Kubernetes安全入门

https://xz.aliyun.com/t/4276

[Web安全]  Apache Solr RCE POC（CVE-2019-0192）

https://github.com/mpgn/CVE-2019-0192/

[数据挖掘]  用大数据扒一扒蔡徐坤的真假流量粉

https://mp.weixin.qq.com/s/j1kgf2RR7jssbWa7uWC-uA

[设备安全]  对小米Mi Band 2的破解

https://www.4hou.com/reverse/16759.html

[漏洞分析]  WinRAR远程代码执行漏洞结合Metasploit+Ngrok实现远程上线

https://www.freebuf.com/articles/network/197025.html

[杂志]  SecWiki周刊（第262期)

https://www.sec-wiki.com/weekly/262

[漏洞分析]  优秀 Windows 内核漏洞利用方向资源收集

https://github.com/ExpLife0011/awesome-windows-kernel-security-development/blob/master/README.md

[工具]  Nessus_to_report: Nessus中文报告自动化脚本

https://github.com/Bypass007/Nessus_to_report

[恶意分析]  威胁建模模型ATT&CK

https://www.aqniu.com/vendor/44748.html

[漏洞分析]  如何利用汽车警报器去攻击300多万辆汽车

https://nosec.org/home/detail/2329.html

[运维安全]  堡垒机的自动化功能实践-4

https://mp.weixin.qq.com/s/zRPENsWRrL3s9fdUQUC1Dw

[Web安全]  XSS in Limited Input Formats

https://brutelogic.com.br/blog/xss-limited-input-formats/

[Web安全]  利用WebSocket跨站劫持（CSWH）漏洞接管帐户

https://nosec.org/home/detail/2335.html

[漏洞分析]  StackStorm – From Originull to RCE – CVE-2019-9580

https://quitten.github.io/StackStorm/

[Web安全]  Attack Spring Boot Actuator via jolokia Part 1

https://lucifaer.com/2019/03/11/Attack%20Spring%20Boot%20Actuator%20via%20jolokia%20Part%201/

[Web安全]  劫持 Chrome 会话以绕过多因素认证

https://ijustwannared.team/2019/03/11/browser-pivot-for-chrome/

[数据挖掘]  暗网黑产交易中dark jargons(黑话)的检测与理解

https://mp.weixin.qq.com/s/WD6A7Y9-4bPSysEm9QeXjg

[Web安全]  通过 libFuzzer 对 Janus 进行 fuzzing 

https://webrtchacks.com/fuzzing-janus/

[数据挖掘]  使用Keras和Tensorflow检测恶意URL请求

https://mp.weixin.qq.com/s/DCtKYK3Xw_pbdNCUF593Lg

[恶意分析]  软件供应链安全威胁：从“奥创纪元”到“无限战争”

https://www.freebuf.com/articles/network/197574.html

[Web安全]  Escalating SSRF to RCE

https://generaleg0x01.com/2019/03/10/escalating-ssrf-to-rce/

[设备安全]  如何进行对 Xiaomi MiBand 2 的攻击

https://hakin9.org/how-i-hacked-my-xiaomi-miband-2-fitness-tracker%e2%80%8a-%e2%80%8aa-step-by-step-linux-guide-by-andrey-nikishaev/

[运维安全]  堡垒机的自动化功能实践-2

https://mp.weixin.qq.com/s/sAQV0NEdIf05ofIxcIp-zg

[Web安全]  .NET高级代码审计（第二课） Json.Net反序列化漏洞

https://www.anquanke.com/post/id/172920

[数据挖掘]  采用NLP机器学习来进行自动化合规风险治理

https://www.aqniu.com/vendor/44785.html

[其它]  MSRC 成员对 Microsoft bug bounty 的介绍、如何 ‘ 润色 ‘ 报告及获得更高的奖金

https://github.com/JarekMSFT/Presentations/blob/master/Getting%20to%2010K_Nullcon2019.pdf

[移动安全]  Android逆向之旅—最右App的签名算法解析(ARM指令学习喜欢篇)

http://www.520monkey.com/archives/1319

[工具]  Stepper: A natural evolution of Burp Suite’s Repeater tool

https://github.com/CoreyD97/Stepper

[工具]  Sysmon configuration and scripts

https://github.com/0xpwntester/Sysmon

[比赛]  some-crypto-challenges-author-writeup-from-bsidessf-ctf

https://blog.skullsecurity.org/2019/some-crypto-challenges-author-writeup-from-bsidessf-ctf

[Web安全]  NAVEX->Precise and Scalable Exploit Generation for Dynamic Web Applications

http://zeroyu.xyz/2019/03/11/NAVEX-Precise-and-Scalable-Exploit-Generation-for-Dynamic-Web-Applications/

[运维安全]  堡垒机的自动化功能实践-3

https://mp.weixin.qq.com/s/kRiIZSsKo0Hjtxu-6B6M8w

[工具]  CarHackingTools: Install and Configure Common Car Hacking Tools.

https://github.com/jgamblin/CarHackingTools

[恶意分析]  windows-object-case-sensitivity

https://tyranidslair.blogspot.com/2019/03/windows-object-case-sensitivity.html

[恶意分析]  clustering-and-associating-attacker-activity-at-scale

https://www.fireeye.com/blog/threat-research/2019/03/clustering-and-associating-attacker-activity-at-scale.html

[工具]  Writing a Password Protected Reverse Shell (Linux/x64)

https://medium.com/@0x0FFB347/writing-a-password-protected-reverse-shell-linux-x64-5f4d3a28d91a

[取证分析]  firecracker：Secure and fast microVMs for serverless computing

https://github.com/firecracker-microvm/firecracker

[恶意分析]  Ramblings about MITRE ATT&CK, CarbonBlack Response, and Powershell

https://cflaws.blog/2019/03/10/ramblings-about-mitre-attck-carbonblack-response-and-powershell/

[Web安全]  Inserting arbitrary files into Google Earth Projects Archives

https://github.com/si9int/OFFSEC-Archive/blob/master/web/Inserting%20arbitrary%20files%20into%20Google%20Earth%20Projects%20Archives.pdf

[恶意分析]  orangeworm-group-kwampirs-analysis-update

https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/

-----微信ID：SecWiki-----
SecWiki，5年来一直专注安全技术资讯分析！
SecWiki：https://www.sec-wiki.com

本期原文地址: SecWiki周刊(第263期)

来源：freebuf.com 2019-03-18 20:39:49 by: SecWiki