Over Security

31463 bookmarks
Emails and barcodes: a phishing story
TL;DR If you open an email and see a QR code and some pressing message about something you’re supposed to do, doubt the source of the email. Microsoft won’t ask you to “verify the security of your account” via QR code. Neither will Google, nor Amazon, nor the vast majority of other service providers. This is the usual recommendation you’ve read 200 times already, but still: when in doubt, involve your IT and verify things before taking action. Disclaimer This blog post doesn’t intend
·blog.sicuranext.com·
ModSecurity: Path Confusion and really easy bypass on v2 and v3
TL;DR both ModSecurity v2 and v3 share a similar bug that can result in a really simple WAF bypass. The bug in the v3 branch has been fixed in version 3.0.12 and has been assigned the CVE number CVE-2024-1019. However, the bug in the v2 line remains unfixed. The core issue lies in ModSecurity's implicit URL-decode behavior before setting certain variables, which not only represents an unwanted behavior but is also totally undocumented. This behavior can lead both v2 and v3 users to really easy W
·blog.sicuranext.com·
Response Filter Denial of Service (RFDoS): shut down a website by triggering WAF rule
TL;DR: Basically, if a target website is protected by a WAF using the OWASP Core Rule Set or Comodo Rule Set or Atomicorp Rule Set, you can send the string ORA-1234 or OracleDrive or ASL-CONFIG-FILE in a comment, product review, registration form, e-commerce order details, etc... to prevent the website from showing its content to any users like a Denial of Service with a minimal effort. This happens because the overly inclusive response rules of the WAF try to prevent SQL error leakage or web sh
·blog.sicuranext.com·
Medical Devices Exposed
Medical devices, ranging from pacemakers to infusion pumps, have traditionally been designed with a singular purpose: to improve patient care and outcomes. Yet, as these devices become more interconnected through the Internet of Medical Things (IoMT), the cybersecurity landscape surrounding them has grown increasingly complex. In the healthcare landscape there are also the medical "related things", meaning all types of devices, web portals, etc. that contain all patient data and can be used
·blog.sicuranext.com·
Hunt3r Kill3rs and the Italian Critical Infrastructure risks
A new cyber-criminal group known as Hunt3r Kill3rs has recently emerged, claiming responsibility for a series of attacks on critical infrastructure with the final political goal of attacking Israeli companies and Israeli allies. This group has primarily focused on industrial control systems (ICS), communication networks, and vulnerable web applications. Their activities represent a significant threat to the stability and security of various operational technology (OT) systems. Based on their Te
·blog.sicuranext.com·
Breaking Down Multipart Parsers: File upload validation bypass
TL;DR: Basically, all multipart/form-data parsers fail to fully comply with the RFC, and when it comes to validating filenames or content uploaded by users, there are always numerous ways to bypass validation. We'll test various bypass techniques against PHP, Node.js, and Python parsers, as well as popular WAFs and load balancers like HAProxy, FortiWeb, Barracuda, and even some OpenResty Lua multipart parsers. Months ago, on our Octofence WAAP project, we decided to move away from our old WAF e
·blog.sicuranext.com·
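The excerpt above describes the class of bug without showing one, so here is an added worked example (written for this page, not code from the linked post or from Octofence). It models two multipart/form-data parsers that disagree on how to read a Content-Disposition header: one keeps the first of a repeated filename parameter and ignores the RFC 5987 filename* form, the other keeps the last one and gives filename* precedence as RFC 6266 says. The "WAF" and "backend" quirk profiles, the boundary and the sample body are all assumptions constructed for the demo; they are not the behaviour of any specific product named in the post.

```python
import re
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Assumed quirk profiles for the demo. Real parsers fall on different
# sides of both choices, which is what the bypass relies on.
WAF_PROFILE = {"duplicate_policy": "first", "honor_ext": False}
BACKEND_PROFILE = {"duplicate_policy": "last", "honor_ext": True}

# Constructed sample body (not taken from the post): two filename
# parameters in one header, CRLF line endings as the RFC requires.
BOUNDARY = "----demo-boundary-7f3a"
DEMO_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="avatar"; '
    'filename="img.jpg"; filename="shell.php"\r\n'
    "Content-Type: image/jpeg\r\n"
    "\r\n"
    "<?php system($_GET['c']); ?>\r\n"
    f"--{BOUNDARY}--\r\n"
)

# One parameter: key=value where value is either a quoted string (with
# backslash escapes) or a bare token, terminated by ';' or end of header.
_PARAM_RE = re.compile(
    r'\s*([^=;\s]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))\s*(?:;|$)'
)


def disposition_of_first_part(body: str) -> str:
    """Return the Content-Disposition value of the first multipart part."""
    header_block = body.split("\r\n\r\n", 1)[0]
    for line in header_block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-disposition":
            return value.strip()
    raise ValueError("no Content-Disposition header in first part")


def parse_params(value: str, duplicate_policy: str) -> dict:
    """Parse the parameters of a Content-Disposition value.

    duplicate_policy 'first' keeps the first occurrence of a repeated
    parameter; 'last' lets a later occurrence overwrite it.
    """
    params = {}
    _, _, rest = value.partition(";")
    for m in _PARAM_RE.finditer(rest):
        key = m.group(1).lower()
        if m.group(2) is not None:
            val = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape \" and \\
        else:
            val = m.group(3).strip()
        if key in params and duplicate_policy == "first":
            continue
        params[key] = val
    return params


def extract_filename(value: str, duplicate_policy: str = "last", honor_ext: bool = True):
    """Pick the filename the way a parser with the given quirks would.

    honor_ext: whether filename* (RFC 5987 encoding) takes precedence over
    filename=, as RFC 6266 requires. Many validators only look at filename=.
    """
    params = parse_params(value, duplicate_policy)
    if honor_ext and "filename*" in params:
        enc = params["filename*"]
        if enc.count("'") >= 2:  # charset'language'percent-encoded-value
            enc = enc.split("'", 2)[2]
        return unquote(enc)
    return params.get("filename")


def extension_allowed(filename) -> bool:
    """Allowlist check as a simple upload validator would do it."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def differential(value: str, waf: dict = WAF_PROFILE, backend: dict = BACKEND_PROFILE) -> dict:
    """Report what the front validator and the backend each conclude."""
    waf_name = extract_filename(value, **waf)
    backend_name = extract_filename(value, **backend)
    return {
        "waf_sees": waf_name,
        "waf_allows": extension_allowed(waf_name),
        "backend_saves": backend_name,
        "bypass": extension_allowed(waf_name) and not extension_allowed(backend_name),
    }


if __name__ == "__main__":
    print(differential(disposition_of_first_part(DEMO_BODY)))
    print(differential('form-data; name="f"; filename="img.jpg"; filename*=UTF-8\'\'shell.php'))
```

The defence that survives this disagreement is not a better regex on the front: the component that actually writes the file must be the one that validates the name it will use, and the validator in front should reject any part whose Content-Disposition carries more than one filename parameter (or any filename* at all) rather than guessing which one the backend will pick.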
Influencing LLM Output using logprobs and Token Distribution
What if you could influence an LLM's output not by breaking its rules, but by bending its probabilities? In this deep-dive, we explore how small changes in user input (down to a single token) can shift the balance between “true” and “false”, triggering radically different completions.
·blog.sicuranext.com·
Vtenext 25.02: A three-way path to RCE
Multiple vulnerabilities in vtenext 25.02 and prior versions allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server.
·blog.sicuranext.com·
68% Of Phishing Websites Are Protected by CloudFlare
Earlier this year, our CTI team set out to build something we'd been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt for suspicious SSL/TLS certificates. The goal was simple: get better visibility into what attackers are actually doing, not what they were doing six months ago. Last quarter's numbers hit harder than we expected: 42,000+ validated URLs and d
·blog.sicuranext.com·
Fight bad bot with Sec Fetch and Client Hints inconsistencies in headless browsers
For many of our e-commerce customers the problem of bad bots is an everyday problem and has evolved a lot in the last few years. A common approach is to "block" automated traffic with a JavaScript challenge, basically a small script that the browser must execute to prove it is a real client... Yes, this works well against primitive scrapers, but it no longer stops modern bots based on real browsers and human-like gestures. Tools like Selenium, Puppeteer, and Playwright can execute the challenge
·blog.sicuranext.com·
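As an added illustration of the header-consistency idea in the excerpt above (written for this page, not the post's or Octofence's detection code), the function below checks one request's headers for contradictions between what the User-Agent claims and what the Sec-CH-UA-* and Sec-Fetch-* headers say. The version thresholds are Chromium facts (Sec-Fetch-* since 76, low-entropy client hints on every secure request since 89); the "navigation without user activation" check is a heuristic assumption of this example, and the three header sets are constructed samples, not captured traffic.

```python
import re

# '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"'
_BRAND_RE = re.compile(r'"([^"]+)";\s*v="(\d+)"')
_UA_CHROME_RE = re.compile(r"Chrome/(\d+)")

# Token that must appear in the User-Agent for each Sec-CH-UA-Platform value.
_PLATFORM_TOKEN = {
    "Windows": "Windows NT",
    "macOS": "Mac OS X",
    "Linux": "Linux",
    "Android": "Android",
}


def _get(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP field names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def headless_signals(headers: dict) -> list:
    """Return inconsistency tags for one request's headers.

    An empty list means nothing looked off; it does not prove a human.
    """
    signals = []
    ua = _get(headers, "User-Agent") or ""

    if "HeadlessChrome" in ua:
        signals.append("ua-headless-token")

    chrome = _UA_CHROME_RE.search(ua)
    ua_major = int(chrome.group(1)) if chrome else None
    ch_ua = _get(headers, "Sec-CH-UA")

    # Chromium >= 89 sends Sec-CH-UA, -Mobile and -Platform on every secure
    # request, so a "Chrome" UA without them is usually an HTTP library.
    if ua_major is not None and ua_major >= 89 and ch_ua is None:
        signals.append("chrome-ua-without-client-hints")

    if ch_ua is not None:
        brands = {brand: int(ver) for brand, ver in _BRAND_RE.findall(ch_ua)}
        if ua_major is not None and "Chromium" in brands and brands["Chromium"] != ua_major:
            signals.append("client-hint-version-mismatch")

    # Headless runs on Linux with a spoofed Windows UA leave the real
    # platform in the client hint unless that is overridden too.
    platform = (_get(headers, "Sec-CH-UA-Platform") or "").strip('"')
    if platform in _PLATFORM_TOKEN and _PLATFORM_TOKEN[platform] not in ua:
        signals.append("platform-mismatch")

    if _get(headers, "Sec-CH-UA-Mobile") == "?1" and "Mobile" not in ua:
        signals.append("mobile-hint-mismatch")

    mode = _get(headers, "Sec-Fetch-Mode")
    dest = _get(headers, "Sec-Fetch-Dest")
    site = _get(headers, "Sec-Fetch-Site")
    if ua_major is not None and ua_major >= 80 and mode is None:
        signals.append("chrome-ua-without-sec-fetch")  # shipped in Chromium 76
    if dest == "document" and mode not in (None, "navigate"):
        signals.append("document-without-navigate")
    # Heuristic (assumption of this example): a typed or bookmarked
    # navigation (Sec-Fetch-Site: none) carries Sec-Fetch-User: ?1, while a
    # scripted page.goto() has no user activation and omits it.
    if dest == "document" and site == "none" and _get(headers, "Sec-Fetch-User") != "?1":
        signals.append("navigation-without-user-activation")

    return signals


def is_suspicious(headers: dict, threshold: int = 1) -> bool:
    """True when at least `threshold` inconsistency tags were found."""
    return len(headless_signals(headers)) >= threshold


# Constructed samples, not captured traffic.
_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
       "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
REAL_CHROME = {
    "User-Agent": _UA,
    "Sec-CH-UA": '"Chromium";v="124", "Google Chrome";v="124", "Not-A.Brand";v="99"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Windows"',
    "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "document", "Sec-Fetch-User": "?1",
}
SPOOFED_HEADLESS = {
    "User-Agent": _UA,  # Windows UA set by the automation script
    "Sec-CH-UA": '"Chromium";v="123", "Not-A.Brand";v="99"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Linux"',  # real host platform leaks through
    "Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "document",  # no Sec-Fetch-User
}
BARE_HTTP_LIBRARY = {"User-Agent": _UA, "Accept": "*/*"}

if __name__ == "__main__":
    for name, h in [("real", REAL_CHROME), ("spoofed", SPOOFED_HEADLESS), ("library", BARE_HTTP_LIBRARY)]:
        print(name, headless_signals(h))
```

Treat the tags as scoring input, not as a block decision on their own: privacy proxies and some enterprise gateways strip client hints, so a single missing header should raise the challenge level rather than deny outright.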
Interview #1 rootsploit forum founder
In this interview we had the pleasure of interviewing STALINGRADSKIY (hxxps[:]//t[.]me/rootkalibt), the founder of the rootsploit forum (hxxps[:]//rootsploit[.]org/). Here is the full interview: Origins and Motivation What inspired you to create the Rootsploit forum? I was inspired by other thematic forums, and I like free communication because there are rules in social networks and instant
·deepdarkcti.com·
Interview #2 ALPHV forum founder
In this interview we had the pleasure of interviewing ALPHV Admin (hxxps[:]//t[.]me/ALPHV_Admin), the founder of the ALPHV forum (hxxps[:]//alphv[.]pro/). Here is the full interview: Origins and Motivation When was the forum born? The forum was created in 2011 Is the forum name related to the BlackCat/ALPHV ransomware gang or does the name have another origin?
·deepdarkcti.com·
Interview #3 Lockbit
The following interview, which we publish in full, was conducted in December 2024 by Erez, a member of the deepdarkCTI community. Q (Erez): Lockbit has been one of the most resilient ransomware groups despite numerous disruptions. How do you maintain operational secrecy and continuity in the face of global law enforcement efforts like Operation Cronos? A (Lockbit):
·deepdarkcti.com·
Interview #4 GhostSec – attacks on Macedonian targets
On June 3, a message appeared on the Threat Actor GhostSec channel accusing an Italian company (which was not named) of having asked the group to carry out offensive activities against Macedonian government targets. The company that requested the activity later refused to pay for the services that had been agreed upon, and so GhostSec
·deepdarkcti.com·
Interview #5 Exodus Market founder
We interviewed Se7en, the founder of Exodus Market, a platform for selling infostealer logs. This market, active for almost a year, has been expanding its business in recent months and is becoming an increasingly popular alternative to what is currently the most popular market, Russian Market. The market, accessible at the URLs indicated within our
·deepdarkcti.com·
Interview #6 Devman
The following interview, which we publish in full, was conducted in July 2025 by Erez, a member of the deepdarkCTI community. Q (Erez): Devman first appeared in April 2025 and, only two months later, released Devman 2. What drove that rapid evolution, and which lessons from version 1 pushed you to move so quickly to version
·deepdarkcti.com·
Details of the alleged XSS forum seizure
In this timeline (currently being updated) we show the main events related to the alleged seizure of the XSS underground forum. In addition, here you can find an analysis of the moderators present on the date of the alleged seizure and their latest activities performed on the forum (updated to July 24, 2025). Links to
·deepdarkcti.com·
Interview #7 Cyber Toufan
Here we present an interview with Gabi, a member of the Cyber Toufan team. We contacted Gabi on Telegram and shared a list of questions, which we make available here in full. This team, active since October 2024, has published details of 13 operations it has conducted against Israeli targets on its website since late
·deepdarkcti.com·
Interview #8 Benzona
The following interview, which we publish in full, was conducted in December 2025 by Erez, a member of the deepdarkCTI community. The Benzona ransomware gang is a cybercriminal entity employing a double-extortion model, which involves both encrypting victims' files and exfiltrating sensitive data with threats of public release should the ransom not be paid. Upon
·deepdarkcti.com·