DDoS is a bitch which can takedown basic websites

 DDoS is a bitch which can takedown basic websites

I hate you guys if you do this. I don't want you to do this if the website isn't yours or if its not for educational purpose.

And I am not gonna spoonfeed you with each and every line of commands to under in terminal or command prompt. Its a python script, I am giving link to it directly so those who understand what they are doing will do it mostly.

https://raw.githubusercontent.com/IkzCx/ProgramsForDDos/6242138f4a1fbbcb24c329f47282e7a73fc3864c/Saphyra.py

Read More

Chrome 0-Day Bug Under Active Attacks

 Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update it immediately to the latest version Google released earlier today.

Google on Wednesday rolled out an urgent update for Chrome browser to address 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild.

Tracked as CVE-2021-30551, the vulnerability stems from a type confusion issue in its V8 open-source and JavaScript engine. Sergei Glazunov of Google Project Zero has been credited with discovering and reporting the flaw.

Although the search giant's Chrome team issued a terse statement acknowledging "an exploit for CVE-2021-30551 exists in the wild," Shane Huntley, Director of Google's Threat Analysis Group, hinted that the vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its Patch Tuesday update on June 8.

The two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley said.

More technical details about the nature of the attacks are to be released in the coming weeks so as to allow a majority of the users to install the update and prevent other threat actors from creating exploits targeting the flaw.

With the latest fix, Google has addressed a total of seven zero-days in Chrome since the start of the year —

• CVE-2021-21148 - Heap buffer overflow in V8
• CVE-2021-21166 - Object recycle issue in audio
• CVE-2021-21193 - Use-after-free in Blink
• CVE-2021-21206 - Use-after-free in Blink
• CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
• CVE-2021-21224 - Type confusion in V8

Chrome users can update to the latest version (91.0.4472.101) by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.

Read More

New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites

 

Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security (TLS) servers to redirect HTTPS traffic from a victim's web browser to a different TLS service endpoint located on another IP address to steal sensitive information.

The attacks have been dubbed ALPACA, short for "Application Layer Protocol Confusion - Analyzing and mitigating Cracks in tls Authentication," by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University.

"Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session," the study said. "This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer."

TLS is a cryptographic protocol underpinning several application layer protocols like HTTPS, SMTP, IMAP, POP3, and FTP to secure communications over a network with the goal of adding a layer of authentication and preserving integrity of exchanged data while in transit.

ALPACA attacks are possible because TLS does not bind a TCP connection to the intended application layer protocol, the researchers elaborated. The failure of TLS to protect the integrity of the TCP connection could therefore be abused to "redirect TLS traffic for the intended TLS service endpoint and protocol to another, substitute TLS service endpoint and protocol."

Given a client (i.e., web browser) and two application servers (i.e., the intended and substitute), the goal is to trick the substitute server into accepting application data from the client, or vice versa. Since the client uses a specific protocol to open a secure channel with the intended server (say, HTTPS) while the substitute server employs a different application layer protocol (say, FTP) and runs on a separate TCP endpoint, the mix-up culminates in what's called a cross-protocol attack.

Source: https://thehackernews.com/2021/06/new-tls-attack-lets-attackers-launch.html

Read More