Feels like CVE-2025-64512 is a bit underrated. It can literally be used to run arbitrary code in a package used by more than 34k projects. For example, Microsoft Markitdown 0.1.3 (84k ⭐️ on GitHub), installed before December 1st, is vulnerable to arbitrary code execution. Microsoft released a patched version (0.1.4) on December 1st, but no security alerts. Other projects could be affected as well. CVE-2025-64512-Polyglot-PoC [1]: https://lnkd.in/dD6XNQbm
More Relevant Posts
🚨 A .NET flaw called “SOAPwn” lets hackers run code on enterprise apps — no patch from Microsoft. Researchers at Black Hat Europe showed how SOAP clients can be tricked into writing files or web shells, hitting tools like Barracuda RMM and Ivanti EPM. 🔗 Full details here ↓ https://lnkd.in/gsbDk6xQ
I kept seeing the same problem on servers I worked with:
• Sudden bursts of requests from a single IP
• Not serious DDoS, just noisy scanners, bots, scrapers
• Too small for a WAF
• Fail2Ban felt overkill or hard to reason about

So I built a small tool for myself. LogSentinel is a lightweight, offline, log-based traffic sentinel. It:
• Reads Apache/Nginx access logs
• Detects burst traffic per IP in a sliding window
• Temporarily blocks IPs using ipset
• Auto-unblocks (no permanent bans)
• Has zero external dependencies or APIs
• Runs via systemd timer (low CPU/RAM)

It’s intentionally simple and transparent — no signatures, no threat feeds, no magic. I open-sourced it in case it’s useful to others working with small or mid-scale servers.

GitHub: https://lnkd.in/g4hjZJXW

Feedback welcome — especially from people who’ve dealt with log-based detection or Fail2Ban in production.
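The per-IP sliding-window burst detection with a temporary, self-expiring block that the post describes, as an added example (not LogSentinel's own code): the access-log lines, the 10-hits-in-10-seconds threshold and the 2-minute ban are constructed assumptions, and the ipset command is only built as a string, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined" format: client IP first, request time in [...]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.7 bursts, 198.51.100.2 is a normal visitor.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Dec/2025:10:00:{s:02d} +0000] "GET /?p={s} HTTP/1.1" 404 0 "-" "scanner"'
     for s in range(12)]
    + ['198.51.100.2 - - [10/Dec/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla"']
    + [f'203.0.113.7 - - [10/Dec/2025:10:05:{s:02d} +0000] "GET /?p={s} HTTP/1.1" 404 0 "-" "scanner"'
       for s in range(3)]
)

def parse(line):
    """Return (ip, timestamp) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def ipset_block_cmd(ip, ban, setname="logsentinel_block"):
    """Build the ipset command for a temporary block; 'timeout' makes ipset auto-unblock."""
    return f"ipset add {setname} {ip} timeout {int(ban.total_seconds())}"

def detect_bursts(log_text, window=timedelta(seconds=10), threshold=10, ban=timedelta(minutes=2)):
    """Return {ip: [(blocked_at, unblock_at), ...]}.
    A deque per IP holds the hit timestamps inside the sliding window; once it reaches
    the threshold the IP is blocked until ts + ban, and the block lapses on its own."""
    hits = defaultdict(deque)      # ip -> timestamps within the current window
    blocked_until = {}             # ip -> expiry of the temporary block
    actions = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in blocked_until and ts < blocked_until[ip]:
            continue               # still blocked: ipset is dropping this traffic anyway
        q = hits[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide: evict hits older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked_until[ip] = ts + ban
            actions[ip].append((ts, ts + ban))
            q.clear()              # start counting afresh after the block expires
    return dict(actions)
```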
Not all critical bugs are complex. Some exist because trust is applied too loosely. In this write-up, I walk through a real CORS misconfiguration where authenticated internal data could be read cross-origin, without attacking the server directly. #bugbounty #bugbountytips #penetrationtesting #Cybersecurity #infosec #CORS 📖 Read here: 👉 https://lnkd.in/dUTwd87J
"Microsoft won’t fix .NET RCE bug affecting slew of enterprise apps, researchers say - Devs and users should know better, Microsoft tells watchTowr". Microsoft won’t fix .NET RCE bug affecting enterprise apps • The Register https://lnkd.in/ewpZKwx8 "several vendor and in-house solutions could be vulnerable to remote code execution (RCE) attacks due to errors in the way applications built on Microsoft's .NET framework handle Simple Object Access Protocol (SOAP) messages".
📂 The Fast Directory Brute-Forcer Written in Go Gobuster is a blazing-fast tool for directory/file enumeration, DNS subdomain discovery, and vhost brute-forcing. Written in Go for maximum performance, this cheat sheet covers every mode and option to uncover hidden content on your targets. 🚀
With a push from the Federal government, Microsoft finally announces the end of a weak Kerberos cipher used for DC key distribution. Is it enough? No, not until Server 2008 is dead and gone. But it's a good step in the right direction. https://lnkd.in/e7PUriN3 They're also releasing a new PowerShell script to help Domain Admins find where RC4 is still being used in their legacy systems. If you MUST continue using RC4, there will be manual ways to accommodate that. But if that's you, you're in a vanishingly small crowd.
🔐 Are Passkeys Ready for Enterprises? Short answer: Yes. Passkeys aren’t experimental anymore. They’re enterprise-ready, standards-based, and already being adopted at scale. If you’re modernizing IAM in 2026, Passkeys + FIDO should be on your roadmap, if they aren’t already.

#Passkeys are:
✔️ Phishing-resistant by design: No shared secrets or passwords to steal
✔️ Proven at massive global scale: Backed by Apple, Google, and Microsoft

For IT and security teams, this means:
✔️ Fewer breaches caused by stolen credentials
✔️ Lower support costs from password resets
✔️ Faster, more reliable logins for users
✔️ Strong alignment with Zero Trust strategies

To learn more about passkeys, visit our article for a full FAQ: https://lnkd.in/gpQVPR-P
Identity is easy to take for granted… until it fails. To see how failures happen and what they impact, I’ve been breaking the underlying network and system pieces that identity depends on in my lab environment. This week, the focus was DNS. I misconfigured system DNS to point at a non-responsive resolver, fully expecting the login pages for Microsoft and Google to fail immediately. To my surprise, they didn’t; the pages loaded normally. Turns out the browser was bypassing system DNS entirely using DNS-over-HTTPS (DoH). Once I disabled DoH and forced the browser to use system DNS, the pages failed to load. Main takeaway: in the network steps before authentication, clients may use more than one way to resolve names. Whether something fails depends on which one is actually in use. Full lab writeup below in the comments ⬇️
Pentesting Model Context Protocol (MCP) servers is tough when you can't see the traffic. I wrote a guide on forcing Claude Desktop to route everything through Burp Suite. Great for inspecting JSON-RPC payloads or testing your tools for MCP vulnerabilities. Check it out: https://lnkd.in/drSCMccB #PenTesting #AppSec #Claude #AI
🕵️♂️ Uncovering Hidden Vulnerabilities: Exploiting Unused API Endpoints

I recently completed a hands-on lab focused on API Penetration Testing, and it was a great reminder that what you don't see in the UI can often be the most vulnerable part of an application.

The Scenario: While browsing a standard e-commerce store, I identified a background API request used to fetch product prices. By stepping outside the intended user flow, I discovered a "hidden" administrative capability that allowed for unauthorized price manipulation.

Key Technical Takeaways:
🔹 Reconnaissance: Used Burp Suite to map out API endpoints that weren't visible in the frontend.
🔹 Verb Tampering: Utilized the OPTIONS method to discover that the server supported PATCH requests—a common sign of update functionality.
🔹 Business Logic Exploitation: By crafting a custom JSON payload ({"price":0}), I successfully bypassed the intended business logic to "purchase" a high-value item for free.
🔹 Security Through Obscurity is NOT Security: Just because a feature isn't in the UI doesn't mean it's protected.

The Fix: I’ve documented a full mitigation strategy in my latest GitHub repository, focusing on the Principle of Least Privilege, server-side validation, and disabling unnecessary HTTP methods.

Check out the full project and walkthrough here: https://lnkd.in/dXTFXGdB

#CyberSecurity #PenetrationTesting #APISecurity #EthicalHacking #BugBounty #BurpSuite #Infosec #WebSecurity
CVE-2025-64512-Polyglot-PoC: https://github.com/luigigubello/CVE-2025-64512-Polyglot-PoC