June 2025 – HackMag

OAuth from top to bottom. Examining protocol features and basic attacks targeting OAuth

Date: 23/06/2025

Most modern websites have an authentication form, and in its lower part you can often see buttons enabling you to sign in via various social networks. This login mechanism is based on the OAuth protocol, and today you’ll learn its structure and main vulnerabilities. At the end, you’ll solve two laboratory tasks to solidify the newly-gained knowledge.

Read full article →

Puzzle solving. Writing custom JavaScript deobfuscator

Date: 17/06/2025

Author: JaboHack

Today, I am going to demonstrate that JavaScript obfuscation can be removed even in situations when sophisticated deobfuscators are useless. You will learn an effective research technique that can be applied to obfuscated code and write your own deobfuscator.

Read full article →

Self-defense for hackers. Catching intruders at the network level

Date: 14/06/2025

Author: s0i37

This article presents a number of simple but effective computer self-defense techniques that will help you to detect hackers who have penetrated into your local network. You will learn to identify penetration traces and catch intruders using special scripts. Let’s start with the very first level: the network.

Read full article →

Dumping at nanolevel. How I reinvented SafetyKatz to dump LSASS with NanoDump

Date: 13/06/2025

Author: snovvcrash

This article discusses the covert use of the NanoDump utility from memory (i.e. the simulated attacker doesn’t have a C&C ‘beacon’ on the attacked network node) and compares such an application of NanoDump with the use of SafetyKatz.

Read full article →

Multistep SQL injection attacks: Operating principle and impact

Date: 13/06/2025

Author: N3tn1la

SQL injections (SQLi) are among the most popular vulnerabilities in the pentesting community. Too bad, such attacks are increasingly rare nowadays since modern security tools easily detect them. By contrast, an injection triggered when data transfer occurs between services is much more difficult to detect. This article discusses SQLi that are triggered not immediately, but somewhere in the middle of business logic.

Read full article →

Victory over “bads”: using Victoria to recover data and reset disk password

Date: 04/06/2025

Author: 84ckf1r3

Recovering deleted files is not a problem; there are dozens of utilities for this. But what if the drive is damaged, has an erroneous geometry description, or is password protected at the controller level? Then the Victoria utility comes to the rescue. It is written in assembler, takes up a few kilobytes and works directly with the controller.

Read full article →

Console Android. 50 ADB Commands Everyone Should Know

Date: 04/06/2025

Author: Dmitry 'BRADA' Podkopaev

There are many tools available for working with a smartphone connected via USB cable or Wi-Fi. Advanced tools allow you to move files, install and uninstall software, view contacts, take screenshots, and even send SMS, but no graphical tool can match the power that the Android console can provide. In this article, we will talk about ADB (Android Debug Bridge) – a standard tool for debugging and working with the Android console from a computer.

Read full article →