Dominique Righetto

...I tested it in my context and it provided me with interesting information.

😊 So, I added this tool to my offline code scanning toolbox to handle .Net technology.

📖 References:

- github.com/microsoft/De...
- github.com/righettod/to...
- github.com/semgrep/semg...

#appsec #appsecurity

💡 Discovery of the week for me:
While reviewing code on a .Net project (CSharp language), I noticed that SemGrep, with its set of community rules, was not effective on this technology.

So I looked for a complement and found Microsoft's DevSkim tool...

Exemple D2

🏖️🐻 Les Logiciels Libres de l'été, jour 46

D2 : Un outil de scripting Open Source pour générer vos diagrammes. (p)

Un tableau listant des alternatives gratuites et/ou open source aux applications Adobe.

Un tableau listant des alternatives gratuites et/ou Open Source aux applications Adobe.

Les Essentiels de l'ANSSI - Mise en œuvre sécurisée d’une infrastructure de gestion de clés

📚 L'ANSSI publie un nouvel Essentiel relatif à la mise en œuvre sécurisée d’une infrastructure de gestion de #clés (IGC) hiérarchique gérant les certificats à usage interne à une entité.

Découvrez les recommandations de l'ANSSI sur :
🔗 cyber.gouv.fr/publications...

Comment installer le plugin

Téléchargez le plugin

Ouvrir chrome et le mode développeur

Sélectionnez le plugin sur votre bureau et voilà :)

Des améliorations du plugin DIMA pour détecter et sensibiliser sur les techniques de manipulation en ligne sont disponibles ! : m82-project.org/articles/dim...

How OSS Rebuild Works

Sécurité Open Source : Google annonce OSS Rebuild, un service qui reconstruit automatiquement les paquets Open Source (Python, JavaScript, Rust) et compare le résultat avec les artefacts publics.

👉 security.googleblog....

Logo tldr page

tldr-pages : propose des fiches d’aide communautaires pour les outils CLI, avec des exemples concrets et lisibles en complément des pages 'man' parfois un peu trop longues et techniques.

👉 le projet : github.com/tldr-pages/
👉 En savoir plus : https://tldr.sh/

ICYMI: In Senior Security Consultant Douglas Berdeaux's latest blog he breaks down the best process for incorporating penetration testing into the Software Development Lifecycle 🔗 redsiege.com/sdlcpentesting

#hacking #infosec #cybersecurity

My 2 cents about this tool. This is a rule file I use and enrich over the different case meets.

github.com/righettod/to...

Exemple de Gitleaks

🏖️🐻 Les Logiciels Libres de l'été, jour 36 :

Gitleaks : un outil Open Source pour détecter et prévenir les secrets et infos sensibles dans les dépôts Git. Il scanne les commits, les branches et l'historique à la recherche de mdp, clés API, etc. Il peut être intégré dans votre CI/CD.

Analyzing Sharepoint Exploits (CVE-2025-53770, CVE-2025-53771) https://isc.sans.edu/diary/32138

Interface lnav

🏖️🐻 Les Logiciels Libres de l'été, jour 33 :

Lnav : visualisation de logs Open Source permettant de parcourir et d'analyser vos logs dans une interface conviviale en CLI.

It's been 0 days since git reflog saved my ass (and files) again. Instead of rebase this branch, I did reset this branch, losing my commits. `git reflog`, find out what happened (reset at {46} and {48} in the pic), then `git branch name id` (id ends with 67 at {50}, commits are back.

Vulhub Vulhub is an open-source collection of pre-built vulnerable docker environments for security researchers and educators. Explore Environments GitHub 19.0k+ Stars • 4.6k+ Forks • 298 Environments # Clone the repository git clone --depth 1 https://github.com/vulhub/vulhub.git # Enter the directory cd vulhub/spring/CVE-2022-22947 # Start the environment docker compose up -d

🏖️🐻 Les Logiciels Libres de l'été, jour 32 :

Vulhub : un projet Open Source offrant des environnements vulnérables préconstruits basés sur Docker-Compose. Idéal pour tester et apprendre la gestion des vulnérabilités, chaque environnement inclut un guide d'installation et d'utilisation.

Now live on tools.honoki.net/smuggler.html

Let me know what you think! ✨

GitHub - C4illin/ConvertX: 💾 Self-hosted online file converter. Supports 1000+ formats ⚙️ 💾 Self-hosted online file converter. Supports 1000+ formats ⚙️ - C4illin/ConvertX

🎉 Celebrating！ 🎉 (500+ new stars)

📦 C4illin / ConvertX
⭐ 3,928 (+657)
🗒 TypeScript

💾 Self-hosted online file converter. Supports 1000+ formats ⚙️

💻 Script:

github.com/righettod/to...

📖 References & tools used:

- deps.dev
- owasp.org/www-project-...
- docs.npmjs.com/cli/v9/comma...
- classic.yarnpkg.com/lang/en/docs...

#appsec #appsecurity #cve #maven #npm

... that contains the internal libraries used, and I am then unable to compile the project to extract all the external libraries used.

🧑‍💻 In order to inspect the external libraries used, I created a script that generates a valid project descriptor with all external libraries resolvable.
#maven #npm

🔬 When I perform a secure code review, I want to inform the DevOps team of any external libraries used that are affected by a public vulnerability (CVE/GHSA).
However, it is very common for the team to use an internal artifact repository (such as Nexus, Artifactory, etc.) ...

#appsec #appsecurity

MalwareBazaar - c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441 Threat intel on c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441 (MD5 ed375deea6f7407d2ff9dab1cb326473)

This is dropping ed375deea6f7407d2ff9dab1cb326473 (bazaar.abuse.ch/sample/c68e4...)

credits Varun Sharma for the share on LinkedIn

Looks like the maintainer of a number of highly-popular npm packages was phished through npnjs[.]com, and his access used to publish malicious versions of their packages

x.com/JounQin/stat...

www.linkedin.com/feed/update/...

github.com/prettier/esl...

Gemini : les résumés d'e-mails se transforment en phishing ! Une nouvelle technique de phishing par injection de prompt indirecte exploite l'IA Gemini pour injecter du contenu malveillant dans les résumés d'e-mails.

IA : avec cette technique, les résumés d’e-mails de Gemini se transforment en phishing !
ino.to/IYjB2SE

Interface language tool

🏖️🐻 Les Logiciels Libres de l'été, jour 22 :

@languagetool_fr : un correcteur d’orthographe et de grammaire multilingue Open Source.

📖 References:

- github.com/trickest/cve
- github.com/projectdisco...

🤔 Nothing advanced technically, but it allows me to visually see if POCs/exploits are available, which helps me adjust the severity and proposed remediation order.

💻 Script:

github.com/righettod/to...

🔬 When I perform a secure code review, I also check whether the external components used are affected by public vulnerabilities (CVE). Recently, after a advice from my manager on this subject, I tried to go further and check whether the CVEs identified had a POC/Exploit.

#appsec #appsecurity #cve

Yet another ZIP trick...
hackarcana.com/article/yet-...

+ a hands on exercise if you want to try this yourself:
hackarcana.com/article/yet-...

DNS rebinding attacks explained: The lookup is coming from inside the house! DNS rebinding attack without CORS against local network web applications. See how this can be used to exploit vulnerabilities in the real-world.

We break down DNS rebinding attacks in our latest blog post. Explore the topic further and see how it can be used to exploit vulnerabilities in the real-world. github.blog/security/app...