Featured Stories

Alibaba Cloud - Nuclei Templates v10.1.1 🎉

We're excited to tell you about Nuclei Templates release v10.1.1 ! This new version includes newly added Alibaba Cloud Review templates. In this blog post, we'll discuss automating Alibaba cloud misconfiguration review, creating custom checks, and sharing results on the PDCP Cloud for review. An Alibaba Cloud Configuration Security Review is essential for assessing and improving the security of your cloud infrastructure. It ensures that your resources are configured correctly, compliant with re

From CVE to Template: The Future of Automating Nuclei Templates with AI

In the fast-paced world of cybersecurity, staying ahead of new vulnerabilities is a constant challenge. Every week, new vulnerabilities are disclosed, and attackers are quick to exploit them. As security teams, we need to be equally swift in identifying and addressing these vulnerabilities to protect our organizations and users. Your ProjectDiscovery team desires to speed up the creation of Nuclei templates for new CVEs. Creating Nuclei templates manually for every new CVE is time-consuming and

Nuclei & Templates

Windows Security Hardening and Auditing - Nuclei Templates v10.1.0 🎉

We're thrilled to introduce Nuclei Templates release v10.1.0! In this update, we are focusing on Windows Security Hardening and Auditing. Our latest release expands your toolkit with new Windows security templates, designed to automate and enhance the security auditing of Windows systems. Here, we'll explore how to use these templates effectively, customize them for your specific security needs, and share results on the PDCP Cloud for review. Windows operating systems, widely utilized in both e

Nuclei & Templates

GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487)

Introduction In light of the recent Ruby-SAML bypass discovered in GitLab, we set out to examine the SAML implementation within GitHub Enterprise. During our research, we identified a significant vulnerability that enabled bypassing GitHub’s SAML authentication when encrypted assertions were in use. This blog post will provide an in-depth look at GitHub Enterprise’s SAML implementation and analyze the specific code issue that permitted this bypass. Although we uncovered this vulnerability inde

Vulnerability Research Nuclei & Templates

GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487)

Vulnerability Research Nuclei & Templates

Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)

Introduction In this blog post, we will analyze CVE-2024-45409, a critical vulnerability impacting Ruby-SAML, OmniAuth-SAML libraries, which effectively affects GitLab. This vulnerability allows an attacker to bypass SAML authentication mechanisms and gain unauthorized access by exploiting a flaw in how SAML responses are handled. The issue arises due to weaknesses in the verification of the digital signature used to protect SAML assertions, allowing attackers to manipulate the SAML response a

Vulnerability Research

Hacking Apple - SQL Injection to Remote Code Execution

Introduction In our last blog post, we delved into the inner workings of Lucee and took a look at the source code of Masa/Mura CMS, and the vastness of the potential attack surface struck us. It became evident that investing time in understanding the code could pay off. After dedicating a week to our exploration, we stumbled upon several entry points for exploitation, including a critical SQL injection flaw that we were able to exploit within Apple's Book Travel portal. In this blog post, we a

Vulnerability Research Nuclei & Templates

Advancing Asset Management - PDCP v0.8.9

We're excited to announce the release of version 0.8.9 of the ProjectDiscovery Cloud Platform. This update introduces significant enhancements to our asset management capabilities, focusing on asset inventory, AI-powered search, and improved user experience. Key Features in v0.8.9 Asset Inventory and Technologies The new interface for cataloging and organizing all assets along with their associated technologies in one place represents a significant advancement in asset management. Now, rega

Vulnerability Management

Enhancing Asset Discovery: ProjectDiscovery Cloud Platform (v0.8.8)

We're excited to announce the release of version 0.8.8 of the ProjectDiscovery Cloud Platform. This update brings significant enhancements to our asset discovery capabilities, introduces new features for Basic Tier (Free) users, and resolves several critical issues. Our primary focus remains on improving the visibility and analysis of discovered assets and refining the insights available to our users. Empowering Basic Tier (Free) Users Our mission at ProjectDiscovery is to make advanced secur

Vulnerability Management

Nuclei v3.2 Release with Authenticated Scanning, Advanced Fuzzing & more

We're thrilled to announce the launch of Nuclei v3.2.0. This latest version introduces a host of new features, enhancements, and bug fixes, significantly elevating the Nuclei engine's performance and capabilities. Notably, the inclusion of authentication support and advanced fuzzing support positions this release as a pivotal milestone, further building upon the foundation laid by version 3.0.0. In this blog, and a number of upcoming feature spotlights, you'll learn a lot more about all that nu

Vulnerability Management

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

This is the second part of our series on bug bounty etiquette. Part one looks at what you should be doing. Last month we talked about bug bounty etiquette and how to be a good bug bounty hunter; not in the sense of finding more bugs, but rather in how to be the kind of bug bounty hunter people want to work with. This time, we have some advice about what NOT to while bug bounty hunting. Let's get started. 1. Don’t go all out 2. Don’t ignore the rules 3. Don’t report unnecessary stuff 4. Do

Learning & Automation

Bug Bounty Etiquette: More than Ethical Hacking (part one)

This is part one of our two-part series on polite hacking, focusing on what to do. Part two talks about what not to do (link coming soon). This blog is not about techniques. It’s not about tools to use, how to find the vulnerability, or anything like that. There are plenty of those out there. It’s much more like an etiquette guide for Bug Bounty reporting, and how working within these social norms can lead to better outcomes for you in your career! Think of it like a cotillion class, or the fa

Learning & Automation

Getting Started with ProjectDiscovery in Linux and Windows

"Just for you, we’ve got this brand new blog all about getting started with ProjectDiscovery on Linux AND Windows."

Learning & Automation

December 2024 Newsletter

It’s almost the end of the year, and the holidays are upon us! 🎄 Before taking a well-earned break though, the ProjectDiscovery team are here to give our last round of 2024 updates. Along with additions and fixes for a couple of our tools, we’ve expanded Nuclei templates to include a new set of templates focused on Windows Security Hardening and Auditing - find out more on what’s included in this update by reading on! Alongside our new series of YouTube videos, we’re also shining a spotlight

Announcements

Celebrating 2024: Securing your infrastructure with ProjectDiscovery

As 2024 comes to a close, we want to celebrate the milestones we’ve achieved together with our ProjectDiscovery community. Thanks to your trust and collaboration, here’s what we’ve accomplished this year on ProjectDiscovery. Platform growth 2k+ new vulnerability templates Identifying nearly 1k high-profile vulnerabilities affecting 600+ unique products—including Atlassian Confluence, GitLab, MLflow, Grafana, GitHub Enterprise, Ivanti, Fortinet, and Palo Alto Networks 50k+ cloud-based scans

Announcements

November 2024 Newsletter

Welcome to the November edition of the PD community newsletter - and Happy Thanksgiving to everyone who celebrated! 🦃 As we’re moving over into the holiday season, not only are we starting to look back on all the amazing work that both the ProjectDiscovery team and the wider community have completed this year, but we also haven’t stopped creating. Plenty of bug fixes and enhancements have been added to our tools and templates this month, along with the exciting announcement of some brand new t

Announcements

View all stories

Featured Stories

Alibaba Cloud - Nuclei Templates v10.1.1 🎉

From CVE to Template: The Future of Automating Nuclei Templates with AI

Windows Security Hardening and Auditing - Nuclei Templates v10.1.0 🎉

GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487)

Vulnerability Research Stories

GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487)

Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)

Hacking Apple - SQL Injection to Remote Code Execution

Nuclei & Nuclei Template Stories

Alibaba Cloud - Nuclei Templates v10.1.1 🎉

From CVE to Template: The Future of Automating Nuclei Templates with AI

Windows Security Hardening and Auditing - Nuclei Templates v10.1.0 🎉

Vulnerability Management Stories

Advancing Asset Management - PDCP v0.8.9

Enhancing Asset Discovery: ProjectDiscovery Cloud Platform (v0.8.8)

Nuclei v3.2 Release with Authenticated Scanning, Advanced Fuzzing & more

Educational Stories

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

Bug Bounty Etiquette: More than Ethical Hacking (part one)

Getting Started with ProjectDiscovery in Linux and Windows

Company Announcements

December 2024 Newsletter

Celebrating 2024: Securing your infrastructure with ProjectDiscovery

November 2024 Newsletter

Monitor your infrastructure

Talk to sales

Platform

Open Source

Resources

Company