i5nipe (@i5nipe)'s Twitter Profile

Cyber Security Enthusiast | OSCP+ | eMAPT | eCPPTv2

ID: 1336490304602591236

https://blog.i5nipe.com

09-12-2020 01:58:26

156 Tweet

619 Followers

400 Following

Kévin GERVOT (Mizu) (@kevin_mizu)

I'm happy to release a script gadgets wiki inspired by the work of Sebastian Lekies, koto, and Eduardo Vela in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com 1/4

Sean Metcalf (@pyrotek3)

I am back to posting to ADSecurity.org in my free time (which I have again). I plan on adding new content relating to Active Directory & Azure AD (now Entra ID). First up is "Entra & Azure Managed Access Revisited". This article expands on one I wrote years ago about

SpecterOps (@specterops)

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️ Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI

hashcat (@hashcat)

hashcat v7.1.0 released! This update includes important bug fixes, new features, and support for new hash-modes, including KeePass with Argon2. Read the full write-up here: hashcat.net/forum/thread-1…

Tur.js (@tur24tur)

Finally, with NoRiskNoLive, we managed to bypass the Cloudflare mTLS protection after around 5 days of work. I'd like to share a few golden tips for bug bounty hunters who might face something similar in the future. But first, here's a quick summary: The target was a banking app with

A L I (@ali_4fg)

I wrote an article about this RCE I discovered via LaTeX injection, a pretty rare case, to be honest. Hope you find it helpful! Here is the blog post, take a look and enjoy :) blog.koalasec.co/from-latex-inj… #BugBounty #bugbountytip #RCE #infosec

Karsten Hahn (@struppigel)

This blog post about impostor certificates by Squiblydoo is a gem and very relevant right now. Or: How threat actors impersonate companies to obtain authenticode certificates for signing their malware. And why revocation is important. squiblydoo.blog/2024/05/13/imp…

Alex Neff (@al3x_n3ff)

A new NetExec module: certipy-find🔥 As ADCS is still configured insecurely in many environments, I decided to integrate the certipy find command into NetExec. Now you can quickly find and enumerate vulnerable templates before bringing out the big guns.

0xdf (@0xdf_)

TombWatcher from Hack The Box is an assume breach Windows AD box. BloodHound shows a path abusing targeted Kerberoasting, GMSA, password change, and shadow creds. Then there's AD Recycle Bin and ESC15. 0xdf.gitlab.io/2025/10/11/htb…

Mobile Hacker (@androidmalware2)

New Pixnapping Attack: allows any Android app without permissions to leak info displayed by other apps exploiting Android APIs and a hardware side channel (CVE-2025-48561) Pixnapping is not fixed and probably affects all Androids. PoC: Not available yet. Steal 2FA codes 👇

Mobile Hacker (@androidmalware2)

0-click vulnerability affected Android in Dolby's DDPlus decoder - CVE-2025-54957 Malformed audio could lead to memory corruption and crashes. Android decodes audio locally, making this exploitable without user interaction just by receiving crafted RCS voice message by Natalie Silvanovich

Mobile Hacker (@androidmalware2)

Android TikTok RCE

From WebView XSS to native lib overwrite via Zip Slip led to full RCE:
1. Universal XSS
2. JavaScript bridge → open internal deep-link
3. Launch protected activity
4. Split APK
5. Zip Slip → overwrite native lib
6. App restart → RCE
medium.com/@dphoeniixx/pr…
SpecterOps (@specterops)

AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 Jim Sykora went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ ghst.ly/3Lpmjzv

PT SWARM (@ptswarm)

📞 Microsoft fixed an authenticated RCE in Windows Telephony Service (CVE-2026-20931), discovered by our researcher Sergey Bliznyuk bronzebee Read the write-up: swarm.ptsecurity.com/whos-on-the-li…