My favorite thing this week: SwiftOnSecurity accidentally dropped a Confluence 0-day on Twitter.&nbs...

Fortinet is communicating with static keys and a simple XOR.  Whoops. https://sec-consult.com/e...

Github is starting SecurityLab.  It's part knowledge sharing, part secure coding, part bounty h...

Great breakdown on finding bugs in an OAUTH flow https://blog.teddykatz.com/2019/11/05/github-oauth-...

Microsoft has a really good article on using a semantic query language to find exploitable DOM XSS f...

Lawfare has a good article  by Jim Baker (former legal council for the FBI) on a new way to thi...

Here's an interesting article on some non-JavaScript Cross-Site Scripting vectors. https://x-c3ll.gi...

Here is a good writeup on the overflow error found in libssh2 https://blog.semmle.com/libssh2-intege...

Portswigger has some good research on a new angle for criss-site leak attacks: https://portswigger.n...

This is a blog entirely dedicated to security analysis of mobine apps.  No idea who writes it b...

The big news of the week is that every iPhone from 1 to X is apparently vulnerable to a bootROM flaw...

Here's a neat Android reverse engineering game. https://0x00sec.org/t/reversing-hackex-an-android-ga...