Vulhub
Vulhub is an open-source collection of pre-built vulnerable docker environments for security researchers and educators.
19.0k+ Stars • 4.6k+ Forks • 298 Environments
# Clone the repository
git clone --depth 1 https://github.com/vulhub/vulhub.git
# Enter the directory
cd vulhub/spring/CVE-2022-22947
# Start the environment
docker compose up -d
Free Software of the Summer, day 32:
Vulhub: an open-source project offering pre-built vulnerable environments based on Docker Compose. Ideal for testing and for learning vulnerability management; each environment includes an installation and usage guide.
22.07.2025 19:30
Install Docker (example for Ubuntu 24.04):
# Install the latest version of Docker
curl -s https://get.docker.com/ | sh
# Run docker service
systemctl start docker
For other operating systems, see the Docker documentation.
Although every Vulhub environment is built on Docker Compose, you no longer need to install docker-compose separately: the built-in docker compose command is enough to start a Vulhub environment.
Download and set up Vulhub:
git clone --depth 1 https://github.com/vulhub/vulhub
Launch a vulnerable environment:
cd vulhub/langflow/CVE-2025-3248 # Example: enter a vulnerability directory
docker compose up -d
Each environment directory contains a detailed README with reproduction steps and usage instructions.
Clean up after testing:
docker compose down -v
Useful Vulhub links:
The project: github.com/vulhub/vu...
Learn more: https://vulhub.org/
Sponsor Vulhub: github.com/sponsors/...
22.07.2025 19:30
Most open redirects are low-severity or N/A.
But used creatively, they can become high-impact gadgets.
Here are 4 ways to show impact with open redirects:
07.07.2025 09:37
NoSQL injection
NoSQL injection is a vulnerability where an attacker is able to interfere with the queries that an application makes to a NoSQL database.
Read my new Blog here:
blog.amalpk.in/nosql-inject...
17.05.2025 10:21
We've just released Shadow Repeater, for AI-enhanced manual testing. Simply use Burp Repeater as you normally would, and behind the scenes Shadow Repeater will learn from your attacks, try payload permutations, and report any discoveries via Organizer.
portswigger.net/research/sha...
20.02.2025 13:24
This article on Solr and its (in)security is really good.
And I strongly recommend reading @hacefresko.com's previous article on Solr before diving into this one (I will share the link in my reply).
07.03.2025 20:32
waymore: Tip #1
By default, waymore will get URLs and download responses (-mode B).
If you just want URLs, then use "-mode U".
If you just want to download archived responses, then use "-mode R".
09.03.2025 23:18
09.03.2025 02:13
Yesterday I discovered a tweet of mine was referenced in the book "Attacking and Exploiting Modern Web Applications: Discover the mindset, techniques, and tools to perform modern web attacks and exploitation"
www.amazon.nl/-/en/Simone-...
Since I deleted my account, this is the tweet:
12.02.2025 08:19
made an archive collection site thing for all the x3ctf web design stuff i did
the intro/outro can be rewatched with websocket replay data (eg the messages and synced mouse cursors)
and the platform itself has emulations for auth and flags and stuff
u can check it out at x3c.tf/archive/
09.02.2025 22:00
Thanks man!
02.02.2025 07:01
Amal PK
A blog about everything.
Does this count:
0xkrat0s.github.io
And 0xkratos.medium.com
If so please add me to the list.
31.01.2025 10:00
GET /%0D%0ASet-Cookie: foo=bar
403 Forbidden
GET /%E4%BC%8D%E4%BC%8ASet-Cookie: foo=bar
200 OK
Set-Cookie: foo=bar
Discover blocklist bypasses via unicode overflows using the latest updates to ActiveScan++, Hackvertor & Shazzer! Thanks to Ryan Barnett and Neh Patel for sharing this technique.
portswigger.net/research/byp...
28.01.2025 14:01
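The exchange above, modelled in Python as an added example (not code from the post or from the PortSwigger tools it mentions). It assumes the server-side defect is a lossy narrowing that keeps only the low byte of each code point, which is what the bytes shown imply (U+4F0D ends in 0x0D, U+4F0A in 0x0A); it contrasts a blocklist that inspects the decoded path with an allowlist check that holds regardless of later narrowing, and adds a small detector for this class of input.

```python
import urllib.parse

# Constructed sample: the percent-encoded request path from the exchange above.
SAMPLE_PATH = "/%E4%BC%8D%E4%BC%8ASet-Cookie: foo=bar"


def decode_path(raw):
    """Decode a percent-encoded path as UTF-8, as the application front end would."""
    return urllib.parse.unquote(raw)


def blocklist_allows(decoded):
    """Blocklist-style check on the decoded path: only literal CR/LF are denied.
    U+4F0D and U+4F0A are neither, so this lets the request through."""
    return "\r" not in decoded and "\n" not in decoded


def narrow_lossy(decoded):
    """Assumed defect: a later layer narrows each code point to one byte by
    keeping its low 8 bits (a lossy charset conversion). U+4F0D -> 0x0D (CR),
    U+4F0A -> 0x0A (LF), so a CRLF appears after the blocklist already ran."""
    return "".join(chr(ord(c) & 0xFF) for c in decoded)


def header_value_safe(value):
    """Allowlist check for anything destined for a response header: printable
    ASCII only. It rejects the original non-ASCII input as well as the narrowed
    CRLF, so its verdict does not depend on what happens downstream."""
    return all(0x20 <= ord(c) < 0x7F for c in value)


def overflow_candidates(decoded, targets="\r\n\x00"):
    """Detection aid for WAF rules or log review: list the non-ASCII characters
    whose low byte would collapse into one of the target control characters."""
    return [(c, chr(ord(c) & 0xFF)) for c in decoded
            if ord(c) > 0x7F and chr(ord(c) & 0xFF) in targets]


if __name__ == "__main__":
    decoded = decode_path(SAMPLE_PATH)
    print("blocklist allows:", blocklist_allows(decoded))      # True
    print("after narrowing:", repr(narrow_lossy(decoded)))     # CRLF present
    print("allowlist allows:", header_value_safe(decoded))     # False
    print("overflow candidates:", overflow_candidates(decoded))
```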
Is there a way to run alert() when "alert" is blocked by a WAF and unsafe-eval is not allowed?
27.01.2025 14:35
This one is good
27.01.2025 16:50
Be like OP.
26.01.2025 05:12
Right
26.01.2025 05:09
Amal PK
A blog about everything.
Suggest me some topics for my blog!
Link: 0xKrat0s.github.io
#bugbounty #infosec #cybersecurity #bug #hacking #tech
25.01.2025 22:04
Exploring the Kubernetes API Server Proxy
First blog post of the new year, and this is one I've been meaning to write up for a while: some details on the #Kubernetes API Server proxy feature and how it might be possible to use some known weaknesses in it to escalate your privileges in a cluster.
raesene.github.io/blog/2025/01...
18.01.2025 12:54
The Simpsons 'Prediction' !
Internet Blackout On January 16, 2025?
:(
15.01.2025 18:54
0x999's Blog - Exploring Javascript events & Bypassing WAFs via character normalization
Just published a new blog post "Exploring Javascript events & Bypassing WAFs via character normalization", check it out: 0x999.net/blog/explori...
18.11.2024 18:07
Post: Mutation XSS: Explained, CVE and Challenge | Jorian Woltjer
Learn how to bypass HTML sanitizers by abusing the intricate parsing rules and mutations. Including my CVE-2024-52595 (lxml_html_clean bypass) and the solution to a hard challenge I shared online.
To summarize what I have learned about Mutation XSS, my CVE, and the solution to my challenge, I wrote a post going through it all.
If you like regular XSS, this is a whole new world of crazy techniques and many sanitizer bypasses. You too can learn this!
jorianwoltjer.com/blog/p/hacki...
27.11.2024 16:01
Summarizes the hottest content on r/cybersecurity once per hour. Warning, the summaries are generated by an LLM and are not guaranteed to be 100% correct. Operated by @tweedge.net, open source @ https://github.com/r-cybersecurity/best-of-bot
Ageing hacker, long time documentary photographer. Black Hat Review board. Now sitting on numerous government cyber security boards so I guess that means I've grown up right?
Security Toolsmith
Posts mostly about Go, banter, web development, security and cooking.
https://empijei.science
Staff Security Engineer at some random tech company, previously Mozilla, Dropbox, and (pre-Elon) Twitter. Has read @kateconger.bsky.social's autobiography.
web @ grayduck.mn // also github.com/april
Cyber guy. Former NSA cybersecurity director and chief of TAO. Lover of memes. Warning - occasional outrageous Christmas light content.
interested in web security
#InfoSec person, wire #protocol nerd, #vuln gazer.
I post more often on https://infosec.exchange/@todb. Bridged here as @todb2.hugesuccess.org . If you follow both I promise not to manually repost between them.
Master of Disaster @compass-security.com for all sorts of crises, scada, chunk hacking, electronics, cryptography and cyber all the things.
Interests: Sim racing, cybersecurity, LEGO, Dungeons & Dragons, going to theme parks, working out, gaming, and long walks on the beach (with margaritas in hand)
Infosec enthusiast, threat hunter, malware analyst, #GSE #OSCP #GCIH #GPEN, #GREM, #GCTI, #GXPN, #GCIA, #GDAT, #GWAPT, #SLAE, #CISSP (He/Him)
Founder of wlkthru.io
@wlkthru.io we help Businesses manage their Cyber Security risks.
Automated Pentests
Gamified Learning
Sims - Phishing Vishing Smishing
Company Leaderboards
Teams
Plus more...
Keeping your Team & Customers safe