Assetnote combines advanced reconnaissance and high-signal continuous security analysis to help enterprises gain insight and control of their evolving exposure.
As an attacker, what do you do when you come across an IIS server?
@infosec_au shares his first steps when it comes to hacking IIS/.NET. There will be more videos on this topic area. Please like, share and subscribe.
We've just released our research, tooling and datasets on contextual content discovery. If you're interested in improving your content discovery skills, you should check it out!
We're releasing a new tool to help you exploit tricky SSRF vulnerabilities called surf. With this tool, you can work out which external hosts are not responding to HTTP(S) and are therefore prime candidates for your SSRF vulnerability.
What do you do once you have found a blind SSRF? Check out our blind SSRF glossary which contains a number of handy attack chains: The post also briefly touches on SSRF canaries, using existing DNS data and side channel attacks.
Our security research team discovered multiple critical vulnerabilities in Websphere Portal. You can read about these issues in our advisory and research blog post:
Please follow the remediation section if you run this software.
Our security research team discovered a full-read SSRF vulnerability in Jamf Pro. We have published an advisory on this issue here: and you can read about the discovery process here:
Our security research team discovered a pre-auth RCE vulnerability in Progress WS_FTP (CVE-2023-40044). Due to the exploit being released on Twitter, we've also published -
Blog:
Advisory:
In May 2024, our security research team disclosed three critical issues in ServiceNow, which allowed for unauthenticated arbitrary code execution and data access for ServiceNow Vancouver or Washington instances. You can read our blog post here:
Given the recent high profile breaches of file transfer software, our security research team focused on Citrix ShareFile and discovered a critical pre-authentication RCE vulnerability. This has been assigned CVE-2023-24489.
Our blog post can be found here:
Early this morning, we alerted our customers to a new Ivanti SSRF vulnerability that our research team discovered when reverse engineering Ivanti’s latest patch.
We decided to hold off on releasing this blog post publicly and support our customers in their remediation.
Since
Last week, our security research team reverse-engineered a critical CVSS 9.8 vulnerability in Magento (CVE-2024-34102), which allows for pre-authentication XML Entity Injection. Originally discovered by Sergey Temnikov (spacewasp). Read our notes here:
Watch our third episode of Bug Bounty Redacted to learn about hacking APIs and finding XSS, SQLi, WAF Bypass in a regional web application.
#bugbountytips
#bugbounty
Our security research team took a deeper look into FortiGate. In this post we detail the steps we took to identify the patched vulnerability and produce a working exploit.
Read the research here:
If you're looking to fine-tune your detections for the authentication bypass for Ivanti Pulse Connect Secure (CVE-2023-46805), the best way is to send a POST request to /api/v1/totp/user-backup-code/../../system/platform?operation=testConnectivity
If the response has
We've released a new blog post with the full details from @seanyeoh and @devec0's #NahamCon2022 talk on hacking CI systems. Join us on an epic 3-part adventure through @Cloudflare's Pages system - from command injection to container escape to compromise:
Our security research team were the original reporters of the Metabase Pre-Auth RCE vulnerability (CVE-2023-38646).
You can read our blog post here:
And our advisory here:
Our security research team, in collaboration with @Jhaddix and @bscarvell, discovered a critical pre-auth RCE vulnerability in Oracle Opera - CVE-2023-21932. You can read more about our discovery here:
Do you work for an organization that uses AWS? You may be vulnerable to dangling elastic IP subdomain takeover attacks. We've released a new open source tool called Ghostbuster to address this. Details about this release can be found in our blog post:
Our security research team discovered and reported a high risk SSRF vulnerability in Jira Core and Datacenter to Atlassian. You can read about the issue here:
#bugbountytips
Our security research team discovered critical vulnerabilities in @ProgressSW's WhatsUp Gold. We chained a number of vulnerabilities to reach critical severity. You can read our writeup here:
Last year we discovered some critical vulnerabilities in VMware Workspace One UEM (CVE-2021-22054). You can read about our security team's research here:
Our security research team discovered a reflected cross-site scripting vulnerability in cPanel. There were over 1.2M assets affected before the vulnerability was fixed. You can read more about it in our blog:
Our security research team has performed an analysis on CVE-2023-3519 (Citrix RCE) and we've published our findings on our blog, with an accurate detection mechanism:
We'll continue to update this blog as new information is surfaced or further analysis
Our team spent the last week researching accurate detections for CVE-2023-46805 & CVE-2024-21887 in Ivanti Pulse Connect Secure. We have identified an additional endpoint for the authentication bypass on older versions. You can read our research here:
Tomorrow, we will release a technique that we use to determine the rest of the file or folder name on IIS servers. If you want to get acquainted with BigQuery before tomorrow, check out
We've released the second episode of "Bug Bounty Redacted" on our YouTube channel.
This episode covers third party subdomain takeovers and exposed administration interfaces.
New episodes monthly!
#bugbountytips
#bugbounty
We're stoked to sponsor #NahamCon2024 this year. Our CTO, @infosec_au, will present Modern WAF Bypass Techniques on Large Attack Surfaces. We're looking forward to the conference!
Our security research team discovered a pre-auth XSS in Citrix Gateway (CVE-2023-24488). This affected over 50k instances on the internet.
You can read about our discovery here:
Our security research team discovered a critical pre-authentication RCE vulnerability in IBM Aspera Faspex (CVE-2022-47986). You can read the research on our blog:
Our security research team discovered an SSRF vulnerability in VMware Workspace One Access. You can read about the issue on our blog.
If you're running this software on your attack surface, please remediate the issue by updating Workspace One Access.
Our security researcher @TheGrandPew discovered a pre-authentication remote command execution vulnerability in Bitbucket Server. You can read his writeup on our blog here:
Have you ever needed a wordlist for content discovery or subdomain enumeration? Try our wordlists located at . These are generated automatically on a monthly basis using datasets on BigQuery. We also include some manually generated wordlists.
The Citrix Saga Continues! In late 2023, our research team identified and reported two Citrix vulnerabilities involving Storefront and Session Recording. We worked with the Citrix team to coordinate this disclosure.
Our security research team recently reproduced CVE-2023-4966 (Citrixbleed) in Citrix Netscaler Gateway marked as CVSS 9.4. You can read how we protected our customers from this emerging threat and the proof-of-concept at our blog:
Our security researchers identified a critical vulnerability inside Flarum (popular forum software) which allows attackers to read local files from the system. You can read about it on our blog here: and our advisory here:
Our security researcher, Dylan Pindur, discovered several critical vulnerabilities in Sitecore 9.3. Some can be exploited without authentication. You can read our blog post on this here:
Our security research team found vulnerabilities in static site generators (such as GatsbyJS and NextJS) and associated platforms (Netlify and GatsbyJS Cloud). You can read about our findings on our blog here:
We've started a new video series "Bug Bounty Redacted" which goes through the discovery and reporting process for real bugs.
Our first episode is out now:
We'll be releasing new episodes on a monthly schedule!
#bugbountytips
#bugbounty
Our security research team recently discovered a pre-authentication RCE vulnerability in Sitecore's Experience Platform. You can read about the discovery and remediation advice for this vulnerability at our blog:
Watch our fourth episode of Bug Bounty Redacted to learn about how we overwrote a JS file via S3 PUT requests and insecure JWT implementations.
#bugbountytips
#bugbounty
Last month, our security research team discovered a logic flaw in Dynamicweb that leads to RCE. The vulnerability was present in the codebase since 2018! You can read about our discovery here - CVE-2022-25369.
Adding to transparency in the bug bounty scene, we've published @infosec_au's efforts in bug bounties for the last four years. There's a lot to learn, check it out at
We spent some time analysing CVE-2022-22972 to understand the root cause of the issue. This was a fun authentication bypass vulnerability in VMware Workspace One Access.
Assetnote is pleased to announce we have developed a check in our Exposure Monitoring Engine to help our Continuous Security customers detect where they are vulnerable to log4j. If you need help with this please get in touch with us.
Check out this research on H2C Smuggling by @seanyeoh. It was possible to exploit multiple cloud providers through this; in the blog we detail the effects of H2C smuggling on Cloudflare and Azure:
Read our writeup for the MOVEit Transfer SQL injection to RCE CVE-2023-34362:
We hope that our research helps with offensive and defensive security efforts.
In the last post of the series, our security research team describes the steps it took to discover the root cause of the Citrix ADC / Netscaler RCE (CVE-2023-3519). If you're interested in reproducing our work, you can read through our blog post here:
Assetnote is happy to be sponsoring Nahamcon 2021! There's a brilliant lineup of talks, so be sure to catch it on Sunday March 14th 9AM PST.
#NahamCon2021
We discovered some high-risk issues in SolarWinds Web Help Desk - CVE-2021-35232. You can read about the issues on our blog.
If you're running this software on your attack surface, please remediate the issue by updating SolarWinds Web Help Desk.
We've released a new blog post containing detailed information about the WatchGuard RCE (CVE-2022-26318). Inside the blog post you will find a more reliable PoC for the issue and the reverse engineering process.
Stop by the Assetnote booth @ #AusCERT2021 to see our Continuous Security Platform in action!
Reach out if you want to schedule a demo with us so we can show you how quickly we map your attack surface and find security exposures!
@AusCERT
@AustCyber
It’s been great watching and participating in the race to CVE-2019-19781. All of our customers have been covered by this check for the last few days.
#cve201919781
#citrix
Our security researcher @hash_kitten is talking at Ruxmon in Melbourne on the 26th of July about how he approached his security research on ServiceNow:
We received some feedback from @frycos about the AttackerKB vector being a valuable check as well, sometimes finding additional vulnerable hosts. This could be because the API being traversed to does not exist on some versions. The AttackerKB variant is:
This is definitely a serious one; we are seeing it pop up all over the place. Please make sure to implement the mitigations as soon as you can -
#CVE201919781
#citrix
Our team discovered a pre-authentication full read SSRF in VMware Workspace One UEM (AirWatch). If you’re a customer of Assetnote, we have been scanning for this issue for months. The advisory was released recently, please patch.
Watch our CEO @mgianarakis talk to @AustCyber about Assetnote, what attack surface management is, where the idea came from, and what's planned for the future in this video:
Hear about Assetnote's co-founders' journey on this podcast. Includes discussions about breaking into information security at a young age and how Assetnote was founded.
@vulnerablecode @20backslash We had to move from Git LFS, which has bandwidth limits on GitHub, to Amazon S3. All the wordlists are still downloadable through the website.
@jleyden @DailySwig We've found dangling zone takeovers for a lot of large companies, especially when they are using Route53. These takeovers can often be escalated when it comes to severity, similar to what we did in the blog post. Also possible to register SSL certs and receive mail.