SecWiki周刊(第253期)
2018/12/31-2019/01/06
安全资讯
[新闻]  2018年网络安全大事记
https://mp.weixin.qq.com/s/YvlUX8Zjp9gfAtJ6YY27BA
[法规]  公安机关办理刑事案件电子数据取证规则
http://www.mps.gov.cn/n2254314/n2254409/n4904353/c6337154/content.html
[新闻]  2018安防监控、雪亮工程项目盘点
https://mp.weixin.qq.com/s/Sz8HguJ0X13nw4ajAhxOhg
安全技术
[Web安全]  关于Shiro反序列化漏洞的延伸—升级shiro也能被shell
https://mp.weixin.qq.com/s/NRx-rDBEFEbZYrfnRw2iDw
[运维安全]  github_dis: 一款精简版github信息泄露搜集工具
https://github.com/dongfangyuxiao/github_dis/
[Web安全]  SDL最初实践-安全培训
https://mp.weixin.qq.com/s/s2D513XseLpIyE2i0UOC8Q
[恶意分析]  2018年全球十大APT攻击事件盘点
https://mp.weixin.qq.com/s/ja8eunPUaTqLj_smdABLTQ
[恶意分析]  全球高级持续性威胁(APT)2018年总结报告
https://mp.weixin.qq.com/s/sSuTHTLfqAGfaBbopU8yEQ
[Web安全]  SDL最初实践-开篇
https://mp.weixin.qq.com/s/tPzrWzZjRcfNZaHIa7JTWA
[漏洞分析]  子域名接管:二阶漏洞利用
http://www.4hou.com/web/15504.html
[漏洞分析]  Etouch2.0 分析代码审计流程 (二) 前台SQL注入
https://www.anquanke.com/post/id/169152
[漏洞分析]  Struts2-005远程代码执行漏洞分析
https://www.freebuf.com/vuls/193078.html
[Web安全]  XML外部实体注入(XXE)漏洞学习资源及相关开源项目
https://nosec.org/home/detail/2139.html
[漏洞分析]  利用EXCEL进行XXE攻击
https://xz.aliyun.com/t/3741
[Web安全]  WAF绕过技术系列文章(二)
https://nosec.org/home/detail/2137.html
[漏洞分析]  SpEL injection(译)
https://cryin.github.io/blog/SpEL%20injection/
[数据挖掘]  网络空间测绘在网络国防中的重大意义和作用
https://mp.weixin.qq.com/s/TBmigl6-TTJNDzYCqlFc4w
[恶意分析]  2018年高级持续性威胁(APT)研究报告
https://mp.weixin.qq.com/s/F5hBw_pVithLlY6ixE0q-g
[漏洞分析]  项目推荐:awesome-browser-exploit
https://paper.seebug.org/780/
[Web安全]  JGillam/burp-paramalyzer: Paramalyzer
https://github.com/JGillam/burp-paramalyzer
[设备安全]  2018 年 IoT 那些事儿
https://paper.seebug.org/782/
[比赛]  CTF取证方法总结
http://www.4hou.com/web/15206.html
[运维安全]  中通内部安全通讯实践
https://xz.aliyun.com/t/3759
[恶意分析]  atmoner/nodeCrypto: Ransomware written in NodeJs
https://github.com/atmoner/nodeCrypto
[数据挖掘]  不解密识别恶意流量
http://www.4hou.com/web/14120.html
[数据挖掘]  基于QQ空间的说说数据的分析
https://www.jianshu.com/p/a5e1ca0c5204
[Web安全]  Reflected XSS on ws-na.amazon-adsystem.com(Amazon) – newp_th – Medium
https://medium.com/@newp_th/reflected-xss-on-ws-na-amazon-adsystem-com-amazon-f1e55f1d24cf
[取证分析]  Harpoon: an OSINT / Threat Intelligence tool
https://www.randhome.io/blog/2018/02/23/harpoon-an-osint-threat-intelligence-tool/
[恶意分析]  Targeted cyberattacks logbook: APT Overview
https://apt.securelist.com/#!/threats/
[恶意分析]  Talos 2018年恶意软件追踪调查总结
http://www.4hou.com/info/observation/15463.html
[设备安全]  Expliot - Internet of Things Exploitation framework
https://gitlab.com/expliot_framework/expliot
[杂志]  SecWiki周刊(第252期)
https://www.sec-wiki.com/weekly/252
[漏洞分析]  区块链安全—经典溢出漏洞cve分析
https://xz.aliyun.com/t/3743
[Web安全]  PHP mt_rand安全杂谈及应用场景详解
https://www.freebuf.com/vuls/192012.html
[漏洞分析]  菜鸟学代码审计:Xnuca2018-hardphp详细分析
https://www.freebuf.com/articles/rookie/193118.html
[比赛]  35c3CTF collection writeup
https://xz.aliyun.com/t/3747
[其它]  WeiboImageReverse: Chrome 插件,反查微博图片po主
https://github.com/fei-ke/WeiboImageReverse
[取证分析]  首个已知 UEFI Rootkit 与 Sednit APT 有关联
https://www.solidot.org/story?sid=59167
[观点]  从传统安全转行风控领域的心路历程,兼谈黑产和风控行业趋势
https://mp.weixin.qq.com/s/GWOjp1E2B4J0efUjFBnp8Q
[观点]  构建网络攻击响应框架的政治考量
https://mp.weixin.qq.com/s/iOq84kVblAW5a2mK2GDJwA
[工具]  patoolkit: a collection of traffic analysis plugins focused on security
https://github.com/pentesteracademy/patoolkit
[观点]  信息新时代的软件新技术
https://mp.weixin.qq.com/s/cz-zjZw3rmFQ1o0w2ciHBQ
[恶意分析]  dreadl0ck/netcap: A framework for secure and scalable network traffic analysis
https://github.com/dreadl0ck/netcap
[取证分析]  OSINT Resources for 2019
https://xz.aliyun.com/t/3742
[运维安全]  ANSSI-FR/audit-radius: A RADIUS authentication server audit tool
https://github.com/ANSSI-FR/audit-radius
[视频]  网易公开课:犯罪侦查科技
https://open.163.com/movie/2017/11/1/F/MD2P1B6R2_MD2P8LF1F.html
[数据挖掘]  从Lucene到Elasticsearch:全文检索实战
http://www.bugs.cc/2018/12/30/reading-notes-from-lucene-to-elasticsearch-full-text-search/
[漏洞分析]  Guardzilla IoT Video Camera Hard-Coded Credentials (CVE-2018-5560)
https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/
[论文]  Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates
https://securitygossip.com/blog/2019/01/02/cloud-strife-mitigating-the-security-risks-of-domain-validated-certificates/
[编程技术]  Cryptography in Python Burp Extensions
https://parsiya.net/blog/2018-12-24-cryptography-in-python-burp-extensions/
-----微信ID:SecWiki-----
SecWiki,5年来一直专注安全技术资讯分析!
SecWiki:https://www.sec-wiki.com

本期原文地址: SecWiki周刊(第253期)