#AppSec
#Whitepaper
#Threat_Research
"Application Programming Interface (API):
Vulnerabilities and Risks", Special Report, 2024.
// This report describes 11 common vulnerabilities and 3 risks related to APIs, providing suggestions about how to fix or reduce their impact. Recommendations include using a standard API documentation process, using automated testing, and ensuring the security of the identity and access management system
See also:
]-> API Specification Parser
]-> Tool to detect API auth weaknesses
]-> API Security Vulnerability Scanner
──────────────
📡 Follow :
👉 @zerosec_team
#Whitepaper
#Threat_Research
"Application Programming Interface (API):
Vulnerabilities and Risks", Special Report, 2024.
// This report describes 11 common vulnerabilities and 3 risks related to APIs, providing suggestions about how to fix or reduce their impact. Recommendations include using a standard API documentation process, using automated testing, and ensuring the security of the identity and access management system
See also:
]-> API Specification Parser
]-> Tool to detect API auth weaknesses
]-> API Security Vulnerability Scanner
──────────────
📡 Follow :
👉 @zerosec_team
GitHub
GitHub - NSSL-SJTU/VoAPI2
Contribute to NSSL-SJTU/VoAPI2 development by creating an account on GitHub.
❤2👏1
#exploit
#Fuzzing
#AppSec
A Fuzzy Escape - A tale of vulnerability research on hypervisors (CVE-2025-30712)
https://bughunters.google.com/blog/5800341475819520/a-fuzzy-escape-a-tale-of-vulnerability-research-on-hypervisors
// The research uncovered critical VM escape vulnerabilities in QEMU and VirtualBox through static analysis and fuzzing, including a buffer overflow and an integer overflow enabling arbitrary code execution
⭐️ @Zerosec_team
#Fuzzing
#AppSec
A Fuzzy Escape - A tale of vulnerability research on hypervisors (CVE-2025-30712)
https://bughunters.google.com/blog/5800341475819520/a-fuzzy-escape-a-tale-of-vulnerability-research-on-hypervisors
// The research uncovered critical VM escape vulnerabilities in QEMU and VirtualBox through static analysis and fuzzing, including a buffer overflow and an integer overflow enabling arbitrary code execution
⭐️ @Zerosec_team
Google
Blog: A Fuzzy Escape - A tale of vulnerability research on hypervisors
This blog post describes the journey of discovering a VM escape bug with the goal of demystifying the security research process and demonstrating how persistence and pivoting can lead to achieving successful exploitation.
❤2🔥2
#exploit
#AppSec
1⃣ Dell UnityVSA Pre-Auth Command Injection (CVE-2025-36604)
https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604
2⃣ Authentication Bypass in the Rest API via XSS on Safari and Chrome (iOS/iPhone)
https://bugcrowd.com/disclosures/d5f4aa80-77da-49bb-a259-afe23b6bfa0a/authentication-bypass-in-the-rest-api-via-xss-on-safari-and-chrome-ios-iphone-only
3⃣ Arbitrary Code Execution in Android Unity Runtime (CVE-2025-59489)
https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime
// Atlassian Confluence AuthN Bypass in the API via XSS on iOS Safari and Chrome
4⃣ Abusing the NinjaShell API for Code Execution in Google Web Designer
https://sudistark.github.io/2025/09/23/RCE-in-web-designer.html
⭐️ @Zerosec_team
#AppSec
1⃣ Dell UnityVSA Pre-Auth Command Injection (CVE-2025-36604)
https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-auth-command-injection-cve-2025-36604
2⃣ Authentication Bypass in the Rest API via XSS on Safari and Chrome (iOS/iPhone)
https://bugcrowd.com/disclosures/d5f4aa80-77da-49bb-a259-afe23b6bfa0a/authentication-bypass-in-the-rest-api-via-xss-on-safari-and-chrome-ios-iphone-only
3⃣ Arbitrary Code Execution in Android Unity Runtime (CVE-2025-59489)
https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime
// Atlassian Confluence AuthN Bypass in the API via XSS on iOS Safari and Chrome
4⃣ Abusing the NinjaShell API for Code Execution in Google Web Designer
https://sudistark.github.io/2025/09/23/RCE-in-web-designer.html
⭐️ @Zerosec_team
watchTowr Labs
It's Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604)
Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive.
Today, we’re walking down the garden path and digging into the archives, publishing our analysis…
Today, we’re walking down the garden path and digging into the archives, publishing our analysis…
❤3👍1