[Updated 20250331]Centrality: how we actually perceive the severity of a bug

Info ...

February 23, 2025 · updated March 31, 2025 · 7 min ·  security

Unity Game Reversing(1): Setup

Introduction Recently I am trying to reverse engineering a simple Windows desktop game made with Unity. I took a look on some reference but found that the setup can be a bit frustrating. This post is attempting to make the setup clearer and more followable. Reference links are listed below. Tools Our target is to decompile and debug the Assembly-CSharp.dll inside the folder <game root folder>\<GANE_NAME>_Data\Managed\, which contains custom code the game developer wrote, not the code of Unity or other frameworks. It is written in C#. We need the below tools: ...

April 17, 2023 · updated February 23, 2025 · 2 min ·  security

LOTS Project - Paypal

Introduction LOTS project, founded by mrd0x, is a collection of websites which is likely be trusted but can be used to evade detection when conducting phishing, C&C, exfiltration and downloading tools. In this post I will introduce a way to abusing PayPal and hopefully will be contributing to the LOTS project. This series is (intentively) for my ideas on novel exfiltration/ C&C channels. Exfiltraftion by Paypal In Paypal, one can dispute an order and upload his/ her evidence. This feature can be used as data exfiltration channel. ...

October 2, 2022 · updated February 23, 2025 · 1 min ·  security

Prisma Cloud Defenders

Tl;dr - unfixed information disclosure in Prisma Cloud defenders This post is about how to abuse a agent of a cloud security solution to get information which you should not know, like what security controls are applied, what assets the victim owns and the owners of the assets. Introduction A few months ago I was examining the Prisma Cloud configuration of my workplace and accidentally discovered an information disclosure issue of Prisma Cloud defender (the agent). This issue has been reported to Palo Alto as security disclosure, however Palo Alto declared that this is an expected behavior. ...

July 20, 2022 · updated August 3, 2022 · 2 min ·  security