Welcome to the May edition of the ProjectDiscovery Community Newsletter. With Summer fast approaching, the PD team has already been heating up with work behind the scenes - especially when it comes to building out our cloud platform.
This month we’ve released a few tool updates and fixes, had some amazing contributions to our templates from the community, and seen ourselves featured in articles and videos across the web.
Read on to discover more about what we’ve been up to over the last few weeks, and of course keep looking out for the latest news and developments in vulnerability and cybersecurity technology as we continue to share them with you. We’ll also keep highlighting contributions from our incredible community who, as always, bring fresh new ideas and innovations to our tools. And of course, don’t forget to join us on GitHub and Discord to share your thoughts and be part of the discussion!
Release notes
Nuclei v3.2.8
Nuclei received a couple of updates this month. In v3.2.6, an issue with goroutine leaks causing a spike in memory usage was fixed, along with some fuzzing output enhancements and the addition of the -profile and -profile-list options to run a template using the template profile. v3.2.7 added support for multiple search queries in templates to run with the -uncover option, as well as -scan-name input support for PDCP results upload.
We’d also like to highlight our first-time Nuclei contributors this month, @socialsister and @rsrdesarrollo. We really value your input, and look forward to your future contributions!
shuffledns v1.1.0
This release added a feature update and addressed some maintenance issues, such as adding multi-domain wildcard filtering and basic callback.
Nuclei Templates
May stats
This month’s Nuclei Templates update includes some exciting contributions - 65 new templates were added in this release, along with 41 new CVEs, and the input of 3 first-time contributors. In v9.8.6, we’ve added several CVEs that address critical issues: a vulnerability in the Email Subscribers plugin for WordPress and WooCommerce making it susceptible to SQL Injection, a path traversal vulnerability in the Java version of CData API Server, and an issue in modoboa prior to 2.1.0 where sending a GET request to the endpoint /api/v2/parameters/core/ returns sensitive information without any authentication or authorization.
In v9.8.7, 62 new templates were added, along with 16 CVEs and 3 new contributors, addressing critical and high priority issues such as an unsafe reflection vulnerability identified in the GitHub Enterprise Server that could lead to reflection injection, Path Traversal in Sonatype Nexus Repository 3 allowing an unauthenticated attacker to read system files, and a vulnerability in the function FunctionService.saveFunction of the file src/main/java/org/spiderflow/controller/FunctionController.java leading to code injection.
Huge thanks to our contributors on this release - @lstatro, @rxerium, @righettod, @t3l3machus, @Kazgangap and @mastercho. And, congratulations to our first-time contributors: @theMiddleBlue, @userdehghani, @jason3e7, @x676f64, @Ahsraeisi and @jmac774!
Other news
Articles
How did two of ProjectDiscovery’s own research team ethically hack into Apple? Take a look at this Forbes article, detailing the steps that were taken - and how this led to a vulnerability being fixed after just two hours.
Over on Medium, Serhat Çiçek laid out their process for using Nuclei to detect Boolean-based SQLi, going into detail about how the tool works and makes use of our new fuzzing feature.
Social
Looking for an effective way to crawl endpoints? coffinxp7 shared their process on using Katana for exactly that purpose.
Ben-Hur Santos Ott shared an awesome video explaining and reviewing AWS cloud configurations using ProjectDiscovery’s own cloud templates. If you’d like to understand more about how companies and pentesters can use these tools, this is a must-watch!
Join our community
Our diverse community spans members from full-time bug bounty hunters to Fortune 500 security engineers.
Thanks,
The ProjectDiscovery Team
If you have any feedback or ideas for our Community Newsletter, please share them by filling out this form. You can provide links or suggestions for content that you would like to see in the newsletter.