https://github.com/zeyad-azima/offensive-resources
A Huge Collection of Learning Resources with Labs for Offensive Security Players
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/zeyad-azima/offensive-resources
- Owner: Zeyad-Azima
- Created: 2021-02-14T17:00:27.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2022-07-13T19:58:03.000Z (almost 4 years ago)
- Last Synced: 2025-07-11T22:32:07.363Z (10 months ago)
- Topics: api, api-security, cloud-security, cybersecurity, hack, hacking, infrastructure, learning, mobile, mobile-security, offensive, offensive-security, owasp, owasp-top-10, red-team, red-teaming, redteam, security, web, web-security
- Homepage:
- Size: 20.6 MB
- Stars: 973
- Watchers: 35
- Forks: 218
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# Offensive-Resources V4
((O Allah, benefit me with what You have taught me, teach me what benefits me, and increase me in knowledge))
# A Huge Collection of Learning Resources with Labs for Offensive Security Players.
> Everybody is welcome to open pull requests to add new resources, fix false positives, and more. Every update will be added to the website.
You can now visit the website and explore all the resources: https://offensive-resources.github.io/

# What is new in V4?

# Content
- Infrastructure
- Wireless
- IoT & Hardware
- ICS and SCADA
- Exploit Development
- Web Applications
- Mobile Applications
- API
- Cloud
- Reverse Engineering
- Social Engineering
- Offensive Programming
- Blockchain
- Car Hacking
- Game Hacking
- Source Code Review
- Telecom
- Malware Development
- VOIP
- RFID & SDR
- ATM Hacking
- Aircraft Hacking
- AI Hacking
- DevSecOps
- Linux Exploit Development
- Windows Exploit Development
- Android Exploit Development
- iOS Exploit Development
- Browser Exploitation
- Hypervisor Exploitation
- Drones Hacking
- MedTech Hacking
- CPU Exploitation
- GPU Exploitation
- macOS Exploitation
- Satellite Hacking
- Robots Hacking
- Vending Machine Hacking
- OSINT
# Infrastructure
- Books
- The Hacker's Handbook
- Advanced Infrastructure Penetration testing
- Hacker playbook series
- The Art of Network Penetration Testing
- Mastering Kali Linux for Advanced Penetration Testing
- Advanced Penetration Testing for Highly-Secured Environments
- Advanced Penetration Testing
- Hands-On Penetration Testing on Windows
- Mastering Wireless Penetration Testing for Highly Secured Environments
- Cybersecurity - Attack and Defense Strategies
- RTFM: Red Team Field Manual
- Penetration Testing: A Hands-on Introduction to Hacking
- Hacking: Hacking Firewalls & Bypassing Honeypot
- Red Team Development and Operations: A practical guide
- Hands-On Red Team Tactics
- Courses
- OSCP
- OSEP
- eCPPT
- eCPTX
- SEC560
- SEC660
- SEC564
- Practical Ethical Hacking
- Windows Privilege Escalation for Beginners
- Linux Privilege Escalation for Beginners
- Movement, Pivoting, and Persistence
- The External Pentest Playbook
- CRTP
- CRTE
- PACES
- CPEH
- CPTE
- Labs
- Building Virtual Pentesting Labs for Advanced Penetration Testing
- Hack The Box: Pro Labs
- Red Team Attack Lab
- Capsulecorp Pentest
- Building a Lab
- Pentest Lab
- Local PentestLab Management Script
- Pentest-lab
- Offensive Security Lab
- Pentesteracademy Labs
- Hack The Box
- Vulnhub
- Offensive Security Proving Grounds
- TryHackMe
# Wireless
- Books
- BackTrack 5 Wireless Penetration Testing Beginner's Guide
- Kali Linux Wireless Penetration Testing Cookbook
- Mastering Wireless Penetration Testing for Highly Secured Environments
- Courses
- OSWP
- Wi-Fi Security and Pentesting
- Wi-Fi Hacking and Wireless Penetration Testing Course
- SEC617: Wireless Penetration Testing and Ethical Hacking
- Labs
- Building a Pentesting Lab for Wireless Networks
- The Courses and Books have explained how to build a lab
# IoT & Hardware
- Books
- Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things
- The IoT Hacker's Handbook: A Practical Guide to Hacking the Internet of Things
- IoT Penetration Testing Cookbook: Identify Vulnerabilities and Secure Your Smart Devices
- The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks
- Practical Hardware Pentesting: A Guide to Attacking Embedded Systems and Protecting Them Against the Most Common Hardware Attacks
- Courses
- SEC556: IoT Penetration Testing
- Offensive IoT Exploitation
- Securing IoT: From Security to Practical Pentesting on IoT
- Applied Physical Attacks Series
- Labs
- The Courses and Books have explained how to build a lab
# ICS and SCADA
- Books
- Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions
- Hacking SCADA/Industrial Control Systems: The Pentest Guide
- Handbook of SCADA/Control Systems Security
- Courses
- ICS/SCADA Cybersecurity (Ec council)
- ICS410: ICS/SCADA Security Essentials
- Labs
- The Courses and Books have explained how to build a lab
# Exploit Development
- Books
- Penetration Testing with Shellcode
- The Shellcoder's Handbook
- Hacking: The Art of Exploitation
- Attacking Network Protocols: A Hacker's Guide to Capture, Analysis, and Exploitation
- A Bug Hunter's Diary
- Buffer Overflow Attacks: Detect, Exploit, Prevent
- Linux Exploit Development for Beginners
- Fuzzing: Brute Force Vulnerability Discovery
- Fuzzing for Software Security Testing and Quality Assurance
- The Fuzzing Book
- Open Source Fuzzing Tools
- A Guide to Kernel Exploitation
- Courses
- OSCE
- OSEE
- eCXD
- SEC760
- Exploit-Development Repo
- Nightmare
- x86 Assembly Language and Shellcoding on Linux
- CNIT 127: Exploit Development
- x86_64 Assembly Language and Shellcoding on Linux
- Reverse Engineering Win32 Applications
- Reverse Engineering Linux 32-bit Applications
- Exploiting Simple Buffer Overflows on Win32
- Reverse Engineering and Exploit Development
- Exploit Development for Linux (x86)
- Exploit Development for Linux x64
- Introduction to Exploit/Zero-Day Discovery and Development
- Exploit Development From Scratch
- Hands-on Fuzzing and Exploit Development(Part 1)
- Hands-on Fuzzing and Exploit Development(Part 2)
- ZDResearch Exploit Development
- Labs
- Analyzing previous and new zero-day vulnerabilities will take you deep into the real world
- pwn.college
- Pwnable
- Vulnserver
- BlazeDVD 5 Professional
- DVDx Player
- Easy CD DVD
- Easy Chat Server 3.1
- Easy File Sharing FTP Server 3.5
- Easy File Management Web Server 5.3
- Easy File Sharing Web Server 7.2
- Easy RM to MP3 Converter 2.7.3.7
- Eureka
- FreeFTP 1.0.8
- FreeFloat
- KarjaSoft Sami FTP Server 2.0.1
- KnFTP Server 1.0.0
- Kolibri v2.0 HTTP Server
- Millenium MP3 Studio
- Minialic HTTP
- Minishare
- ProSysInfo TFTP Server TFTPDWIN 0.4.2
- QuickZip 4.60
- R v3.4.4
- Ricoh DC Software DL-10 FTP Server
- SolarFTP
- Soritong MP3 Player 1.0
- Xitami Webserver 2.5
- Vulnhub
- Hack the box
# Web Applications
- Books
- Web Application Hacker's Handbook
- Portswigger learning materials
- OWASP Web Testing Guide
- Real World Bug Hunting
- Bug Bounty playbook part 1 & 2
- Mastering Modern Web Penetration Testing
- Mastering Kali Linux for Web Penetration Testing
- Kali Linux Web Penetration Testing Cookbook
- Bug Bounty Bootcamp
- Courses
- OSWE
- eWAPT
- eWAPTX
- SEC542
- SEC642
- Offensive Bug Bounty Hunter Part 1 & 2 (HackersEra)
- Web Application Attacks and API Hacking (W51)
- Labs
- bWAPP
- penlab
- Portswigger labs
- Hack me
- OWASP Juice shop
- OWASP Broken Web Apps
- Pentesterlab
- root-me
# Mobile Applications
- Books
- OWASP Mobile Security Testing Guide
- Mobile Application Penetration Testing
- Mobile Application Hacker's Handbook
- Android Hacker's Handbook
- iOS Hacker's Handbook
- Courses
- eMAPT
- SEC575
- Offensive AndroHunter
- ANDROID Hacking & Penetration Testing
- Hacking and Pentesting iOS Applications
- Labs
- Damn Vulnerable iOS Application (DVIA)
- List of intentionally vulnerable Android apps
- ExploitMe Mobile iPhone Labs
- ExploitMe Mobile Android Labs
# API
- Books
- OWASP API Security Project
- Hacking APIs
- API Security in Action
- Understanding API Security
- Courses
- OAES Offensive API Exploitation and Security
- OWASP Top 10: API Security Playbook
- Offensive API Penetration Testing
- Web Application Attacks and API Hacking (W51)
- API Security: Offence and Defence (W35)
- Labs
- Tiredful API
- vulnerable-api
- websheep
# Cloud
- Books
- AWS Penetration Testing
- Hands-On AWS Penetration Testing with Kali Linux
- Pentesting Azure Applications
- Mastering Cloud Penetration Testing
- Courses
- SEC588
- Labs
- AWS Pen-Testing Laboratory
- Create your own lab from the books
# Reverse Engineering
- Books
- Reversing: Secrets of Reverse Engineering
- Mastering Reverse Engineering
- Reverse Engineering for Beginners
- The Ghidra Book: The Definitive Guide
- The IDA Pro Book, 2nd Edition
- Practical Reverse Engineering
- Courses
- eCRE
- FOR610: Reverse-Engineering Malware
- Reverse Engineering Deep Dive
- Reverse Engineering: IDA For Beginners
- Expert Malware Analysis and Reverse Engineering
- Reverse Engineering 1: x64dbg Debugger for Beginners
- Reverse Engineering: Ghidra For Beginners
- Reverse Engineering 6: Reversing .NET with dnSpy
- Reverse Engineering For Beginners (Youtube)
- Labs
- CTF101: Reverse Engineering
- CyberTalents: Reverse Engineering CTF
- Reverse Engineering CTF List
# Social Engineering
- Books
- Social Engineering: The Science of Human Hacking
- Social Engineering: The Art of Human Hacking
- The Social Engineer's Playbook
- Social Engineering: Hacking Systems, Nations, and Societies
- Learn Social Engineering
- Courses
- Learn Social Engineering From Scratch
- The Complete Social Engineering: Phishing & Malware
- Advanced Social Engineering Training
- Social Engineering (Cybrary)
- Labs
- Bro, it's about human hacking. Just hack yourself xD
# Offensive Programming
- Books
- Hands-On Penetration Testing with Python
- Python Penetration Testing Cookbook
- Python for Offensive PenTest
- Black Hat Python
- Gray Hat C#: A Hacker's Guide to Creating and Automating Security Tools
- Black Hat Go: Go Programming For Hackers and Pentesters
- Security with Go
- Penetration Testing with PerL
- Black Hat Ruby
- Courses
- I encourage you to read the books, because there are a lot of courses for offensive programming but most of them use Python.
- Learn Python & Ethical Hacking From Scratch
- The Complete Python Hacking Course: Beginner to Advanced!
- Offensive Bash Scripting
- Powershell for Pentesters
- Labs
- First of all, try to create automation tools for your tasks. You can also search for existing offensive tools and try to write your own version.
- Tools:
- Subdomain Enumeration
- Directory Bruteforcing
- Live Subdomain checker
- Google Dorking
- Extract javascript urls using page source
- Reverse & Bind Shells
- Protocol Enumeration
- Port Scanner (TCP & UDP)
- Hash & Password Cracking
- Fuzzer
- Malware (Keylogger, Spyware, CryptoMalware, etc.)
- Packet Sniffer
- Wifi Scanner or Bruteforcer
- Vulnerability Scanner (Web, Network & System Vulnerabilities, etc.)
- Exploitation Tool (try to write an exploitation tool for a known vulnerability, e.g. a vsftpd backdoor exploitation tool)
- Network Sniffer
- MAC address Changer
- Network Scanner
# Blockchain
- Books
- Bitcoin and Blockchain Security
- Blockchain Technology And Hacking
- Hands-On Cybersecurity with Blockchain
- Courses
- Certified Blockchain Security Professional (CBSP)
- SEC554: Blockchain and Smart Contract Security
- Blockchain Security Expert (CBSE)
- Attack and Defence in Blockchain Technologies (W39)
- Decentralized Application Security Project
- Labs
- smart contract security best practices
- GOATCasino
- Ethernaut
# Car Hacking
- Books
- The Car Hacker's Handbook
- Hacking Connected Cars
- Courses
- CAR HACKING 101
- Automotive hacking for Beginners
- Car Hacking Training: Automotive Cybersecurity and In-Vehicle Networks for Beginners
- Practical car hacking
- Labs
- Setup your lab from the courses & books
# Game Hacking
- Books
- Exploiting Online Games
- Game Hacking: Developing Autonomous Bots for Online Games
- Hacking Video Game Consoles
- Game Console Hacking: Xbox, PlayStation, Nintendo, Game Boy, Atari and Sega
- Hacking the Xbox: An Introduction to Reverse Engineering
- Courses
- CS420 Game Hacking Course
- Learn How To Code a Hack For ANY Game! - Game Hacking
- Game Hacking: Cheat Engine Game Hacking Basics
- Game Hacking Shenanigans - Game Hacking Tutorial Series
- Game Hacking Tutorial
- Labs
- Setup your lab from the courses & books
# Source Code Review
- Books
- Secure Computer Software Development: Introduction to Vulnerability Detection Tools
- Software Vulnerability Guide
- Secure Programming with Static Analysis: Getting Software Security Right with Static Analysis
- OWASP Code Review Guide v2
- The ultimate guide to code reviews - Edition I
- Courses (Tutorials)
- SAST
- How to do Code Review - The Offensive Security Way
- How to find vulnerabilities by source code review
- Finding Security Vulnerabilities through Code Review - The OWASP way
- OWASP DevSlop Show: Security Code Review 101 with Paul Ionescu!
- How to Analyze Code for Vulnerabilities
- Labs
- Pentesterlab Code Review
- Damn Vulnerable Source Code
- SVCP4CDataset
# Telecom
- Books
- Security for Telecommunications Networks
- Courses
- Mobile Network Hacking, IP Edition
- New Era in Telecom Hacking by Ali Abdollahi at BSides Toronto 2020
- Labs
- Setup your lab from the courses & books
# Malware Development
- Books
- You can read malware analysis books to get a deep understanding of malware
- Courses
- RED TEAM Operator: Malware Development Essentials Course
- RED TEAM Operator: Malware Development Intermediate Course
- Build Undetectable Malware Using C Language: Ethical Hacking
- Practical Malware Development For Beginners
- Coding Botnet & Backdoor In Python For Ethical Hacking
- Ethical Hacking Foundations: Malware Development in Windows
- Labs
- No need for online labs; you need to write the malicious code yourself
# VOIP
- Books
- Hacking VoIP: Protocols, Attacks, and Countermeasures
- Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
- Hacking Exposed Unified Communications & VoIP Security Secrets & Solutions, Second Edition
- Courses
- VoIP Pentesting (W47)
- VoIP Hacking & Penetration Testing Training
- VoIP pentest and SIP hacking
- Labs
- Setup your lab from the courses & books
# RFID & SDR
- Books
- RFID Security
- Inside Radio: An Attack and Defense Guide
- Courses
- Ethical RFID Hacking
- SDR Exploitation
- SDR for Ethical Hackers and Security Researchers
- Advanced SDR for Ethical Hackers and Security Researchers 2.0
- SDR for Ethical Hackers and Security Researchers 3.0
- Labs
- Setup your lab from the courses & books
# ATM Hacking
A curated collection of resources covering ATM security research, penetration testing, malware analysis, and defensive strategies.
---
- Books
- Digital Robbery: ATM Hacking and Implications
- The Security Analysis, Hacking of Banking EMV Cards, ATM, CHIP, PIN & Attacks
- Cashing in on ATM Malware (Trend Micro / Europol)
- The ATM Hacking Case (SpringerLink Chapter)
- Academic Paper on ATM Security (CEUR-WS)
- Hacking Next-Gen ATMs: From Capture to Cashout (Black Hat 2016)
- Applied Cash Eviction through ATM Exploitation (DEF CON 28)
- Cobalt - Logical Attacks on ATMs (Group-IB Threat Report)
- Academic Paper on ATM Security (University of South Florida)
- ATM Use Case Analysis Example (RIT)
- ATM Hacking (Scribd)
- ATM Hacking 101 (Scribd)
- ATM Hacking ISC Beijing 2018 (Scribd)
- ATM Jackpotting (Scribd)
- ATM Hack to Get Much More Money (Scribd)
- ATM Hack (Scribd)
- Hacking an ATM Machine (Scribd)
- Courses
- ATM Hacking and Penetration Testing Training (CyberFox)
- ATM Security Training (ATMIA Academy)
- ATM Training Courses (ATMIA)
- Hacking in Practice 2 (includes ATM module)
- Introduction to ATM Penetration Testing (Ekoparty)
- Labs
- Global ATM Malware Wall (Malware Samples)
- HSBC&L ATM CTF Challenge
- CEN/XFS SDK & Development Environment
- Skimer ATM Malware Sample
- Blogs/Series
- Tyupkin: Manipulating ATM Machines with Malware (Kaspersky)
- ATM Malware from Latin America to the World (Kaspersky)
- ATM Malware is Being Sold on Darknet Market (Kaspersky)
- ATM/PoS Malware Landscape 2020-2022 (Kaspersky)
- Criminals, ATMs and a Cup of Coffee - ATMJaDi (Kaspersky)
- ATM Infector - Skimer (Kaspersky)
- Malware and Non-Malware Ways for ATM Jackpotting (Kaspersky)
- ATM/PoS Malware Landscape 2017-2019 (Kaspersky)
- ATM Vulnerabilities 2018 Report (Positive Technologies)
- ATMs Can Be Hacked in Minutes (Positive Technologies)
- NCR Patches ATM Vulnerabilities (Positive Technologies)
- 10 Years of Virtual Dynamite: ATM Malware Retrospective (Cisco Talos)
- ATM Penetration Testing (Infosec Institute)
- Tyupkin ATM Malware Analysis (Infosec Institute)
- Hacking ATMs: New Wave of Malware (Infosec Institute)
- Jackpotting Malware (Infosec Institute)
- Adventures in ATM Hacking (Trustwave SpiderLabs)
- 9 Pen Testing Essentials for Making ATMs Less Hackable (Trustwave)
- Jackpotting ATM Attack: A Technical Breakdown (Komodo)
- Advanced ATM Penetration Testing Methods (GBHackers)
- ATM Hacking: Advanced Methods for Finding Security Vulnerabilities
- Analyzing ATM Malwares (XFS Analysis)
- ATM Hacking Wiki (French)
- KrebsOnSecurity - ATM Jackpotting
- Tyupkin ATM Malware: Banks Give Away Cash
- ATM Malware Tyupkin Spreads to U.S. (SC Magazine)
- Everything You Need to Know About ATM Attacks - Part 1 (Malwarebytes)
- ATM Attacks and Fraud - Part 2 (Malwarebytes)
- Cracking the Code: ATM Hacking Series - Part 1 (Medium)
- Cracking the Code: ATM Hacking Series - Part 2 (Medium)
- Cracking the Code: XFS Integrity Controls - Part 3 (Medium)
- Cracking the Code: Escaping Kiosk Mode - Part 4 (Medium)
- ATM Security (Hacking Lab CZ)
- ATM Replay Attack Audit (Hacking Lab CZ)
- UNC2891 Bank Heist Analysis (Group-IB)
- ATM Jackpotting Whitepaper (Sepio Cyber)
- Dark Web and ATM Hacking (CloudSEK)
- Presentations/Conferences/Papers
- Buy Hack ATM - OWASP London (2018)
- ATM Security Publication (CyberTrends)
- ATM Security Video Presentation (TIB AV-Portal)
- Jackpotting Automated Teller Machines Redux - Barnaby Jack (Black Hat 2010)
- DEF CON 18 Archive - Barnaby Jack Presentation
- Hacking Next-Gen ATMs: From Capture to Cash-Out - Weston Hecker (Black Hat 2016)
- ATM Hacking - Frank Boldewin (ISC Beijing 2018)
- ATM Security: A Case Study of Emerging Threats (ResearchGate)
- Capability Analysis of ATM Malware Using CAPA (ResearchGate 2023)
- ATM Hacking/Jackpotting – A Case Study (IRJET)
- Malware Analysis and Detection Using Reverse Engineering (ResearchGate)
- A Risk Assessment of Logical Attacks on CEN/XFS (JKU)
- Positive Research 2019 (ATM Section)
- ATM Hacking Video - Barnaby Jack Black Hat 2010 (SecurityWeek)
- Watch the ATM Hacker at Work (MIT Technology Review)
- Throwback: Barnaby Jack Jackpotting ATMs (Threatpost)
- Barnaby Jack Hits ATM Jackpot at Black Hat (Computerworld)
- Hackers Say Jackpotting Flaws Tricked ATMs Into Spitting Out Cash (TechCrunch)
- Barnaby Jack Hits The Jackpot With ATM Hack (Dark Reading)
- Jackpotting, The Wrong Type of Jackpot (UH West Oahu)
- Notes
- ATM Hacking Wiki / Notes (French)
- Analyzing ATM Malwares Guide
- CEN/XFS Official Specification & SDK
- CEN/XFS Overview (Wikipedia)
- XFS4IoT - Next-Gen Standard (KAL)
- NJCCIC ATM Malware Threat Profiles
- CutletMaker Malware Profile (NJCCIC)
- Advanced ATM Hacking Methods (Archived)
- Advanced ATM Penetration Testing Methods (Archived)
- ATM Hacking Article (Archive.is)
- Misc
- Awesome ATM Hacking - Curated List (GitHub)
- ATM-Hacking-ISC2018 (GitHub)
- KAL-ATM-Software / XFS4IoT Framework (GitHub)
- CTI Report Collection - ATM Malware Reports (GitHub)
- Hacking-Security-Ebooks (GitHub)
- PoC-Fake-Msxfs (GitHub)
- XFS.Net - .NET Wrapper for CEN/XFS (GitHub)
- XFS4NET (GitHub)
- CoreXfs (GitHub)
- ATM Topic on GitHub
- UNC2891 Threat Intelligence Overview (Google Cloud)
- ATMIA (ATM Industry Association)
- NetSPI ATM Penetration Testing
- Sepio ATM Jackpotting Whitepaper
- ATM Hacking Report: Scenarios from 2018 ATM Hacks
- Positive Technologies ATM Vulnerabilities Report
- A Decade of ATM Malware Evolution and Deployment
- Videos
- ATM Hacking Presentation
- ATM Security Analysis
- ATM Exploitation Techniques
- ATM Malware Analysis
- ATM Jackpotting Demo
- ATM Security Research
- ATM Hacking Talk
- ATM Penetration Testing
# Aircraft Hacking
## Books & Whitepapers
* [Aviation Cybersecurity: Foundations, Principles, and Applications](https://www.amazon.com/Aviation-Cybersecurity-Foundations-principles-applications/dp/1839533218)
* [Cyber-Security Challenges in Aviation Industry: A Review of Current and Future Trends (MDPI 2022)](https://www.mdpi.com/2078-2489/13/3/146)
* [Assessing Aircraft Security: A Comprehensive Survey and Methodology for Evaluation (ACM 2023)](https://dl.acm.org/doi/10.1145/3610772)
* [Building an Avionics Laboratory for Cybersecurity Testing (Martin Strohmeier PDF)](https://lenders.ch/publications/conferences/cset22.pdf)
* [A Review on Cybersecurity Vulnerabilities for Urban Air Mobility (NASA PDF)](https://ntrs.nasa.gov/api/citations/20205011115/downloads/A Review of Cybersecurity Vulnerabilities for UAM Final Draft.pdf)
* [Cyber-Security Challenges in Aviation Industry Survey (arXiv PDF)](https://arxiv.org/pdf/2107.04910)
* [A Framework for Aviation Cybersecurity (ResearchGate)](https://www.researchgate.net/publication/329477408_A_Framework_for_Aviation_Cybersecurity)
* [Cyber Security Challenges in Aviation Communication, Navigation, and Surveillance (ScienceDirect)](https://www.sciencedirect.com/science/article/abs/pii/S0167404821003400)
* [Aviation Cybersecurity: An Overview (Craiger & Kessler, Embry-Riddle 2018)](https://commons.erau.edu/cgi/viewcontent.cgi?article=1191&context=ntas)
* [ARINC 429 Cyber-vulnerabilities and Voltage Data in Hardware-in-the-Loop Simulator (2024)](https://ui.adsabs.harvard.edu/abs/2024arXiv240816714T/abstract)
* [Cyber Risk Landscape of the Global Aviation Industry 2024 (SecurityScorecard)](https://securityscorecard.com/company/press/cyber-risk-landscape-of-the-global-aviation-industry-2024/)
* [Commercial Aviation Cybersecurity Threats in 2025 (Airways Magazine)](https://www.airwaysmag.com/new-post/aviation-cybersecurity-threats-in-2025)
* [The Types of Hackers and Cyberattacks in the Aviation Industry (Journal of Transportation Security 2024)](https://link.springer.com/article/10.1007/s12198-024-00281-9)
* [FAA Penetration Testing Training & Outreach (PDF)](https://www.faa.gov/sites/faa.gov/files/air_traffic/technology/cas/ct/ct2.pdf)
* [Hugo Teso: Aircraft Hacking - Practical Aero Series (HITB 2013 PDF)](https://conference.hitb.org/hitbsecconf2013ams/materials/D1T1 - Hugo Teso - Aircraft Hacking - Practical Aero Series.pdf)
* [Simulating ADS-B and CPDLC Messages with SDR (DiVA Portal PDF)](https://www.diva-portal.org/smash/get/diva2:1442163/FULLTEXT01.pdf)
* [Connected Aircraft: Cyber-Safety Risks, Insider Threat (University of Hawaii PDF)](https://scholarspace.manoa.hawaii.edu/bitstream/10125/59759/1/0319.pdf)
* [Phil Polstra: Cyber-hijacking Airplanes - Truth or Fiction (DEF CON 22 PDF)](https://defcon.org/images/defcon-22/dc-22-presentations/Polstra/DEFCON-22-Phil-Polstra-Cyber-hijacking-Airplanes-Truth-or-Fiction-Updated.pdf)
* [Brad RenderMan Haines: Hackers + Airplanes (DEF CON 20 PDF)](https://defcon.org/images/defcon-20/dc-20-presentations/Renderman/DEFCON-20-RenderMan-Hackers-plus-Airplanes.pdf)
* [UAV Exploitation: A New Domain for Cyber Power (CCDCOE PDF)](https://ccdcoe.org/uploads/2018/10/Art-13-UAV-Exploitation-A-New-Domain-for-Cyber-Power.pdf)
* [Unmanned Aircraft Systems (UAS) in the Cyber Domain (New Prairie Press PDF)](https://newprairiepress.org/cgi/viewcontent.cgi?filename=3&article=1021&context=ebooks&type=additional)
* [Cyber Threats to US Aviation (Homeland Security Perspectives Journal PDF)](https://hnspjournal.org/wp-content/uploads/2023/01/jhnsp-7.1-final-draft-cyber-threats-us-aviation-schafer-january-2023-3.pdf)
* [GAO Report: Aviation Cybersecurity - FAA Should Fully Implement Key Practices (PDF)](https://www.gao.gov/assets/gao-21-86.pdf)
* [Cybersecurity in Aviation: Addressing Cybersecurity Challenges (Critical Software PDF)](https://criticalsoftware.com/multimedia/common/UXqMH8QWb-CSW_WhitePaper_Aviation_Cybersecurity_in_Aviation.pdf)
* [Aviation Cybersecurity: Scoping the Challenge (Atlantic Council PDF)](https://www.atlanticcouncil.org/wp-content/uploads/2019/12/AVIATION-CYBERSECURITY-12-19-.pdf)
* [Civil Aviation and CyberSecurity (National Academies PDF)](https://sites.nationalacademies.org/cs/groups/depssite/documents/webpage/deps_084768.pdf)
* [SAE Standards on Cybersecurity - Aviation Framework (PDF)](https://www.sae.org/binaries/content/assets/cm/content/attend/2017/aerospace-standards-summit/standards_on_cybersecurity.pdf)
* [Avionics Cybersecurity Research Test Bed (INL Factsheet PDF)](https://factsheets.inl.gov/FactSheets/Avionics%20Cybersecurity%20Research%20Test%20Bed.pdf)
* [Avionics Cyber Test and Evaluation (ITEA PDF)](https://itea.org/images/pdf/conferences/2016 Symposium/2016_Sym_Proceedings/Nichols Avionics Cyber TE.pdf)
* [Safety vs. Security: Attacking Avionic Systems with Humans in the Loop (arXiv PDF)](https://lenders.ch/publications/reports/arxiv19.pdf)
* [Vulnerability Assessment for Security in Aviation Cyber-Physical Systems (ResearchGate PDF)](https://www.researchgate.net/profile/Sathish-Kumar-26/publication/318669860_Vulnerability_Assessment_for_Security_in_Aviation_Cyber-Physical_Systems/links/59f139c2aca272cdc7ce0a44/Vulnerability-Assessment-for-Security-in-Aviation-Cyber-Physical-Systems.pdf)
* [FAA Aircraft Systems Information Security/Protection (ASISP) R&D (PDF)](https://www.faa.gov/sites/faa.gov/files/2022-08/nopsSC-Sep2020-AircraftSystemsInformationSecurityProtection(ASISP)R&D.pdf)
* [Airport Security Vulnerability Assessments Guidebook (PARAS PDF)](https://www.sskies.org/images/uploads/subpage/PARAS_0016.SVAGuidebook__.Final__.pdf)
* [ICAO Aviation Cybersecurity Strategy (PDF)](https://www.icao.int/sites/default/files/Meetings/a42/Documents/AVIATION-CYBERSECURITY-STRATEGY.EN_.pdf)
* [IATA Cyber Security Presentation (PDF)](https://www.aaco.org/Library/Assets/Cyber Security by Shawn Goudge - IATA-103603.pdf)
* [Deep Learning for Large-Scale Real-World ACARS and ADS-B Radio Signal Classification (arXiv PDF)](https://arxiv.org/pdf/1904.09425)
* [On the Security of Satellite-Based Air Traffic Control (ADS-C) (NDSS 2024 PDF)](https://www.ndss-symposium.org/wp-content/uploads/spacesec2024-22-paper.pdf)
* [ADS-B and ADS-C Communication in the Light of Digitalisation (SKYbrary PDF)](https://skybrary.aero/sites/default/files/bookshelf/4871.pdf)
* [Securing the Air-Ground Link in Aviation (Oxford PDF)](https://www.cs.ox.ac.uk/files/13226/chapter-revision.pdf)
* [Evaluating the Security of Aircraft Systems (arXiv PDF)](https://arxiv.org/pdf/2209.04028)
* [Economy Class Crypto: Exploring Weak Cipher in Aviation (Oxford PDF)](http://www.cs.ox.ac.uk/files/9693/fc-paper.pdf)
* [On the Implications of Spoofing and Jamming Aviation Datalink Applications (ACSAC PDF)](https://aanjhan.com/assets/sathaye22_acsac.pdf)
* [The ADS-B Protocol and Its Weaknesses (DiVA Portal PDF)](http://www.diva-portal.org/smash/get/diva2:1464430/FULLTEXT01.pdf)
## Courses
* [DEF CON Aerospace Village (Annual)](https://www.aerospacevillage.org/)
* [IATA Aviation Cyber Security (Classroom)](https://www.iata.org/en/training/courses/aviation-cyber-security/tscs59/en/)
* [IATA Aviation Cyber Security (Virtual Classroom)](https://www.iata.org/en/training/courses/aviation-cyber-security-virtual/tscs59/en/)
* [IATA Aviation Cyber Security Management Diploma](https://www.iata.org/en/training/courses/diploma_programs/aviation-cyber-security-management-diploma/142/)
* [Tonex Aviation Cybersecurity Training Bootcamp](https://www.tonex.com/training-courses/aviation-cybersecurity-training-bootcamp/)
* [ICAO Foundations of Aviation Cybersecurity Leadership and Technical Management](https://igat.icao.int/ated/trainingCatalogue/Course/5131)
* [AIAA Aviation Cybersecurity Management Course](https://aiaa.org/courses/aviation-cybersecurity/)
* [UK CAA Aviation Cybersecurity Oversight Training](https://caainternational.com/course/aviation-cybersecurity-oversight/)
* [Aviation Cybersecurity Training (Airline-Cybersecurity.ch)](https://www.airline-cybersecurity.ch/Airline_Cybersecurity_Training.html)
* [Aviation eLearning: Cyber Security in Aviation](https://ael.aero/courses/general/cyber-security-in-aviation/)
* [JAA TO Aviation Cyber Security](https://jaato.com/courses/1013/aviation-cyber-security/)
## Labs
* [DEF CON Aerospace Village: Drone Hacking Activity](https://www.aerospacevillage.org/defcon-32-activites)
* [DEF CON Aerospace Village: ADS-B Receiver Building Workshop (Raspberry Pi + RTL-SDR)](https://www.aerospacevillage.org/defcon-32-workshop-schedule)
* [DEF CON Aerospace Village: Aviation Infrastructure Cyber Defense Challenges](https://www.aerospacevillage.org/defcon-33/def-con-33-activites)
* [DEF CON Aerospace Village: Offensive Cybersecurity in Space Workshop](https://www.aerospacevillage.org/defcon-31-activities)
* [RTL-SDR Tutorial: Receiving Airplane Data with ACARS](https://www.rtl-sdr.com/rtl-sdr-radio-scanner-tutorial-receiving-airplane-data-with-acars/)
* [ACARS Decoding Guide (thebaldgeek)](https://thebaldgeek.github.io/vhf-acars.html)
* [Lightweight ACARS Decoders for RTL-SDR (One Transistor)](https://www.onetransistor.eu/2018/04/lightweight-acars-decoders-for-rtl-sdr.html)
* [Decoding ADSC, ADSB, ACARS, VDL2, Iridium, HF-DL Messages](https://thebaldgeek.github.io/)
## Blogs & Series
* [ACARS Under the Hacker's Magnifier: Aviation Security, SDR Fun (Medium 2025)](https://medium.com/@Cid_Kagenou/acars-under-the-hackers-magnifier-aviation-security-sdr-fun-and-why-encryption-matters-part-84c4cfbd35dc)
* [RTL-SDR ACARS Tag Articles](https://www.rtl-sdr.com/tag/acars/)
* [Frugal Radio: How To Decode L-band Satellite ACARS and CPDLC Messages](https://www.rtl-sdr.com/frugal-radio-how-to-decode-l-band-satellite-acars-and-cpdlc-messages-with-jaero-and-your-sdr/)
* [More on Chris Roberts and Avionics Security (Schneier on Security)](https://www.schneier.com/blog/archives/2015/05/more_on_chris_r.html)
* [Greatest Cyber Threats to Aircraft Come from the Ground (CSO Online)](https://www.csoonline.com/article/644636/greatest-cyber-threats-to-aircraft-come-from-the-ground.html)
* [Skyhacked (Flight Safety Australia 2017)](https://www.flightsafetyaustralia.com/2017/11/skyhacked/)
* [Hacker Uses Android to Remotely Attack and Hijack an Airplane (Computerworld)](https://www.computerworld.com/article/1499332/hacker-uses-an-android-to-remotely-attack-and-hijack-an-airplane.html)
* [Boeing, IFE Experts Hit Back at Hacker Claims (Runway Girl Network)](https://runwaygirlnetwork.com/2015/05/boeing-ife-experts-hit-back-at-hacker-claims-in-fbi-report/)
* [The Serious Threat of GPS Spoofing: An Analysis (Aviation Week)](https://aviationweek.com/business-aviation/safety-ops-regulation/serious-threat-gps-spoofing-analysis)
* [Intel Brief on GPS Spoofing and Jamming in Aviation (Dyami Services)](https://www.dyami.services/post/intel-brief-on-gps-spoofing-and-jamming-in-aviation)
* [What is GPS Spoofing in Aviation (APG)](https://flyapg.com/blog/what-is-gps-spoofing)
* [GNSS Jamming and Spoofing (SKYbrary)](https://skybrary.aero/articles/gnss-jamming-and-spoofing)
* [GPS Spoofing: Should Operators Be Concerned? (NBAA 2024)](https://nbaa.org/news/business-aviation-insider/2024-03/gps-spoofing-should-operators-be-concerned/)
* [GPS Spoofing - A Growing Risk for Flight Safety (EASA Community)](https://www.easa.europa.eu/community/topics/gps-spoofing-growing-risk-flight-safety-thomas-hytten-caa-norway)
* [GPS Spoofing and Jamming: Can We Keep Aviation On Track?](https://www.airtraffictechnologyinternational.com/content/in-depth/gps-spoofing-and-jamming-can-we-keep-aviation-on-track)
* [Mitigating the Effects on Aircraft of GNSS Jamming and Spoofing (AIN 2025)](https://www.ainonline.com/aviation-news/air-transport/2025-01-03/mitigating-effects-gnss-jamming-and-spoofing)
* [Manipulated GNSS Signals: Implications for Pilots (ECA)](https://www.eurocockpit.eu/news/manipulated-gnss-signals-implications-pilots)
* [Inertial Reference Systems - GPS Spoofing/Jamming Solutions (Honeywell)](https://aerospace.honeywell.com/us/en/about-us/blogs/spoofing-and-jamming)
* [The Cybersecurity Challenges of Modern Aviation Systems (NXLog Blog)](https://nxlog.co/news-and-blog/posts/the-cybersecurity-challenges-of-modern-aviation-systems)
* [Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats (Resecurity)](https://www.resecurity.com/blog/article/the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats)
* [Advancing Aviation Cybersecurity Through Collective Action (TAC)](https://thetac.tech/together-against-threats-advancing-aviation-cybersecurity-through-collective-action/)
## Presentations & Conferences
* [DEF CON 32 Aerospace Village Activities](https://www.aerospacevillage.org/defcon-32-activites)
* [DEF CON 33 Aerospace Village Activities (2025)](https://www.aerospacevillage.org/def-con-33/def-con-33-activites)
* [DEF CON 31 Aerospace Village Talk Schedule](https://www.aerospacevillage.org/defcon-31-talks)
* [DEF CON 29 Aerospace Village Videos (Space & Cybersecurity)](https://www.spacesecurity.info/en/def-con-29-aerospace-village-videos/)
* [Hugo Teso: Aircraft Hacking - Practical Aero Series (HITB 2013)](https://pdfslide.net/documents/d1t1-hugo-teso-aircraft-hacking-practical-aero-series.html)
* [Aviation Cybersecurity Conference September 2025 London (Cyber Senate)](https://cybersenate.com/aviation-cybersecurity-conference-cyber-senate/)
* [RSA Conference: Securing Aviation Systems with Cybersecurity](https://www.rsaconference.com/library/blog/securing-aviation-systems-with-cybersecurity)
* [Black Hat USA 2024 & DEF CON 32 August 2025 Las Vegas](https://blackhat.com/us-24/defcon.html)
* [Vulnerability Assessment for Security in Aviation Cyber-Physical Systems (IEEE)](https://ieeexplore.ieee.org/document/7987190)
* [Pen Test Partners Events & Speaking](https://www.pentestpartners.com/events-and-speaking/)
* [EASA Compilation of Aviation Cybersecurity Videos](https://www.easa.europa.eu/community/topics/compilation-aviation-cybersecurity-videos)
## Videos
* [EASA Aviation Cybersecurity Videos Compilation](https://www.easa.europa.eu/community/topics/compilation-aviation-cybersecurity-videos)
* [Mentour Pilot: Can Aircraft be Hacked?!](https://www.youtube.com/results?search_query=mentour+pilot+aircraft+hacked)
* [ICAO Secretary General: Cyber-Security in Aviation](https://www.youtube.com/results?search_query=ICAO+cybersecurity+aviation)
* [TomoNews US: Aircraft Hacking Vulnerabilities](https://www.youtube.com/results?search_query=TomoNews+aircraft+hacking)
* [Aviation Cybersecurity Tutorial Series](https://www.youtube.com/results?search_query=aviation+cybersecurity+tutorial)
## Tools & Frameworks
**ADS-B Reception & Decoding:**
* [dump1090: Mode S Decoder for RTLSDR Devices](https://github.com/antirez/dump1090)
* [dump1090-fa: FlightAware's Fork of dump1090](https://github.com/flightaware/dump1090)
* [PiAware: FlightAware's Raspberry Pi Flight Tracking Software](https://flightaware.com/adsb/piaware/)
* [FlightAware Ground Station Network](https://flightaware.com/)
* [tar1090: Web Interface for dump1090](https://github.com/wiedehopf/tar1090)
* [Virtual Radar Server: Aircraft Tracking Web Interface](https://www.virtualradarserver.co.uk/)
**ACARS Decoders:**
* [acarsdec: Multi-Channel ACARS Decoder with RTL-SDR Support](https://github.com/TLeconte/acarsdec)
* [AcarsDeco2: ACARS Decoder for Windows/Linux/Raspberry Pi/OS X](https://www.acarsd.org/)
* [JAERO: L-band Satellite ACARS Decoder](https://github.com/jontio/JAERO)
* [dumpvdl2: VDL Mode 2 Message Decoder](https://github.com/szpajder/dumpvdl2)
* [dumphfdl: HF Data Link Protocol Decoder](https://github.com/szpajder/dumphfdl)
**SDR Hardware:**
* [RTL-SDR Blog V3: USB DVB-T Software Defined Radio](https://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/)
* [FlightAware Pro Stick Plus: Optimized ADS-B USB Receiver](https://flightaware.com/adsb/prostick/)
* [Airspy: High Performance SDR](https://airspy.com/)
* [HackRF One: Software Defined Radio Platform](https://greatscottgadgets.com/hackrf/)
* [BladeRF: Software Defined Radio Platform](https://www.nuand.com/)
**Aircraft Tracking Platforms:**
* [FlightRadar24: Real-Time Flight Tracking](https://www.flightradar24.com/)
* [ADS-B Exchange: Unfiltered Flight Tracking](https://www.adsbexchange.com/)
* [OpenSky Network: Open Air Traffic Data](https://opensky-network.org/)
* [RadarBox: Live Flight Tracker](https://www.radarbox.com/)
**Analysis & Research Tools:**
* [GNU Radio: Software Defined Radio Framework](https://www.gnuradio.org/)
* [SDR#: Popular SDR Software for Windows](https://airspy.com/download/)
* [GQRX: SDR Software for Linux/Mac](https://gqrx.dk/)
* [Wireshark: Network Protocol Analyzer (with aviation protocol dissectors)](https://www.wireshark.org/)
**Aviation Security Testing:**
* [Metasploit Pro: Penetration Testing Framework](https://www.metasploit.com/)
* [BackTrack Tools: Vulnerability Assessment Tools](https://www.backtrack-linux.org/)
## Notes
* **2024-2025 Statistics:** Cyberattacks on aviation increased by 74% since 2020; the aviation industry experienced a 24% increase in cyber attacks, with 55 reported incidents in 2022
* **Global Threat Landscape:** The aviation industry averages a "B" cybersecurity rating; organizations with a B rating are 2.9x more likely to suffer data breaches than those with an A rating
* **Major Incidents (2024-2025):** Arab Civil Aviation Organization (ACAO) breach in February 2025; ICAO data breach with 42,000 documents exposed; Japan Airlines attack in December 2024 disrupting baggage services; Seattle-Tacoma Airport Rhysida ransomware attack in 2024
* **Breach Statistics:** In global aviation systems, breaches caused by hacking or information leakage increased from 4% in 2010 to 81% in 2024
* **Attack Vectors:** DDoS attacks represent 25% of cyber incidents targeting airlines and airports; GPS spoofing exploits weaknesses in aircraft navigation systems; malicious acts from hostile operators on the ground or within flight operations
* **ACARS Vulnerabilities:** ACARS transmits at 131.550 MHz in the clear: no encryption (any receiver can read the messages), no authentication (the receiver cannot verify who sent a message), and no integrity protection (no signature or hash to detect tampering)
* **ADS-B Security Issues:** ADS-B broadcasts detailed aircraft information (position, velocity, identity) over unencrypted data links; susceptible to eavesdropping, spoofing, and injection attacks
* **ARINC 429 Protocol:** Ubiquitous data bus for civil avionics lacks any form of encryption or authentication; inherently insecure communication protocol vulnerable to denial-of-service attacks
* **GPS Spoofing/Jamming:** GPS jamming prevents receivers from locking onto satellite signals; spoofing broadcasts counterfeit signals causing false positioning; particularly affects conflict zones (Black Sea, Middle East)
* **Effects on Aircraft Systems:** GPS spoofing can disable the Inertial Reference System (IRS) and cause failures in the GPS Clock, Weather Radar, ADS-B, and Terrain Warning Systems; the FMS can show the aircraft more than 60 nm off-track
* **Detection Indicators:** GPS position suddenly 100+ nm from FMS position; abnormally low groundspeed readings; significant difference between GPS altitude and actual altitude
* **Notable Researchers:** Hugo Teso (n.runs Professionals) demonstrated aircraft hacking via FMS computers and ACARS at HITB 2013; Chris Roberts (One World Labs) claimed IFE system hacks on 15-20 flights between 2011-2014
* **Industry Response:** Boeing and Airbus state IFE systems are isolated from flight and navigation systems; third-party penetration testing allowed during aircraft development; grey-box testing mimics malicious passenger actions
* **DEF CON Aerospace Village:** Annual gathering featuring drone hacking workshops, ADS-B receiver building using Raspberry Pi + RTL-SDR, aviation infrastructure cyber defense challenges, offensive space cybersecurity sessions
* **Lab Setup:** Use RTL-SDR ($20-$30) with dump1090/PiAware for ADS-B reception; acarsdec/JAERO for ACARS decoding; GNU Radio for signal analysis; Raspberry Pi for portable tracking stations
* **Countermeasures:** Signal strength monitoring, time-of-arrival analysis, cryptographic authentication, multiple satellite navigation systems for cross-verification, enhanced pilot training, backup navigation systems
* **Regulatory Bodies:** FAA provides penetration testing training; ICAO offers cybersecurity leadership courses; EASA publishes aviation cybersecurity guidance; IATA provides industry-standard training programs
* **Research Institutions:** Embry-Riddle's Center for Aerospace Resilient Systems (CARS) researches AI/ML for aviation cybersecurity defense; SecurityScorecard conducts industry-wide cybersecurity assessments
* **Legal Warning:** Unauthorized access to aircraft systems, jamming GPS signals, or interfering with aviation communications is illegal and dangerous. All research must be conducted in authorized lab environments with proper permissions
* **Testing Limitations:** Conducting penetration tests on live aviation systems could impact operations and present safety risks; testing must use controlled environments with simulated systems
* **Ethical Considerations:** Aviation security research should be conducted responsibly with coordinated disclosure to manufacturers and regulatory bodies; focus on defensive understanding and improving aviation safety
* **Hardware Requirements:** RTL-SDR V3 or FlightAware dongles for VHF ACARS (blue dongles filtered for 1090 MHz ADS-B will not work on VHF-ACARS); appropriate antennas for 1090 MHz (ADS-B) and 131.550 MHz (ACARS)
* **Best Practices:** Build receiving stations for passive monitoring only; never transmit on aviation frequencies; contribute data to open networks (FlightAware, ADS-B Exchange, OpenSky) for research purposes
* **Future Trends:** AI integration in aviation cybersecurity defense; quantum-resistant cryptography for aviation communications; enhanced authentication protocols for ACARS/ADS-B replacement systems
# AI Hacking
## Books & Whitepapers
* [Not with a Bug, But with a Sticker (Book)](https://www.wiley.com/en-us/Not+with+a+Bug,+But+with+a+Sticker:+Attacks+on+Machine+Learning+Systems+and+What+To+Do+About+Them-p-9781119883982)
* [Hacking Artificial Intelligence (Book)](https://www.amazon.com/Hacking-Artificial-Intelligence-Deepfakes-Learning/dp/1538155083)
* [Redefining Hacking (Book)](https://www.amazon.com/-/he/Redefining-Hacking-Comprehensive-Teaming-AI-driven/dp/0138363617)
* [Large Language Models in Cybersecurity (Book)](https://www.practical-devsecops.com/best-ai-security-books/)
* [Hands-On Large Language Models (Book)](https://www.practical-devsecops.com/best-ai-security-books/)
* [Jailbreaking Large Language Models via Logic Chain Injection (Arxiv)](https://arxiv.org/html/2409.09493v2)
* [Arxiv Paper 2508.21669](https://arxiv.org/pdf/2508.21669)
* [LLM Agents can Autonomously Hack Websites (Whitepaper)](https://medium.com/@danieldkang/llm-agents-can-autonomously-hack-websites-ab33fadb3062)
* [NIST AI 100-2e2025: Adversarial Machine Learning Taxonomy (Updated 2025)](https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-2e2023.pdf)
* [CISO's GenAI Security Blueprint: 2025 OWASP Top 10 LLM Risks (Securiti Whitepaper)](https://securiti.ai/whitepapers/ciso-genai-security-owasp-top-10-llm-risks/)
* [Securing AI Systems: A Guide to Known Attacks and Impacts (Arxiv 2025)](https://arxiv.org/html/2506.23296v1)
* [A Comprehensive Review of Adversarial Attacks and Defense Strategies (MDPI 2025)](https://www.mdpi.com/2227-7080/13/5/202)
* [Dataset & Lessons: 2024 SaTML LLM CTF (Arxiv)](https://arxiv.org/html/2406.07954v1)
* [Prompt Injection Attacks in Defended Systems (Arxiv)](https://arxiv.org/html/2406.14048v1)
* [Multi-Chain Prompt Injection Attacks (WithSecure Labs)](https://labs.withsecure.com/publications/multi-chain-prompt-injection-attacks)
* [Adversarial Machine Learning and Cybersecurity (Georgetown CSET)](https://cset.georgetown.edu/publication/adversarial-machine-learning-and-cybersecurity/)
* [Prompt Hacking in LLMs 2024-2025 Literature Review](https://www.rohan-paul.com/p/prompt-hacking-in-llms-2024-2025)
## Courses
* [HTB Academy: AI Red Teamer Path](https://academy.hackthebox.com/path/preview/ai-red-teamer)
* [HTB Academy: Introduction to Red Teaming AI](https://academy.hackthebox.com/course/preview/introduction-to-red-teaming-ai)
* [Antisyphon: Hacking AI/LLM Applications Workshop](https://www.antisyphontraining.com/product/workshop-hacking-ai-llm-applications-with-brian-fehrman-joff-thyer-and-derek-banks/)
* [Udemy: Hands-on AI LLM Red Teaming](https://www.udemy.com/course/hands-on-ai-llm-red-teaming/)
* [Udemy: OWASP Top 10 for LLM Applications 2025](https://www.udemy.com/course/owasp-top-10-for-llm-applications-2025/?couponCode=CP251118G4)
* [SANS SEC545: GenAI and LLM Application Security](https://www.sans.org/cyber-security-courses/genai-llm-application-security/)
* [TCM Security: AI Hacking 101](https://academy.tcm-sec.com/p/ai-hacking-101)
* [Microsoft AI Red Team Training Series](https://learn.microsoft.com/en-us/security/ai-red-team/training)
* [NVIDIA: Exploring Adversarial Machine Learning (Self-Paced)](https://developer.nvidia.com/blog/ai-red-team-machine-learning-security-training/)
* [DeepLearning.AI: Red Teaming LLM Applications](https://www.deeplearning.ai/short-courses/red-teaming-llm-applications/)
* [Learn Prompting: AI Red Teaming and AI Security Masterclass](https://maven.com/learn-prompting-company/ai-red-teaming-and-ai-safety-masterclass)
* [OffSec: LLM & AI Training for Red Teams](https://www.offsec.com/learning/paths/llm-red-teaming/)
* [Practical DevSecOps: Certified AI Security Professional (CAISP)](https://www.practical-devsecops.com/best-ai-security-books/)
* [Tonex: Certified AI Penetration Tester – Red Team (CAIPT-RT)](https://www.tonex.com/training-courses/certified-ai-penetration-tester-red-team-caipt-rt/)
## Labs
* [TryHackMe: Output Handling and Privacy Risks](https://tryhackme.com/room/outputhandlingandprivacyrisks)
* [PortSwigger: Web LLM Attacks](https://portswigger.net/web-security/learning-paths/llm-attacks)
* [Gandalf by Lakera](https://gandalf.lakera.ai/)
* [Dreadnode Crucible](https://dreadnode.io/)
* [OWASP FinBot CTF](https://genai.owasp.org/)
* [Microsoft AI Red Teaming Playground](https://github.com/microsoft/AI-Red-Teaming-Playground-Labs)
* [SaTML 2024 LLM CTF Competition](https://ctf.spylab.ai/)
* [Bishop Fox's Local LLM CTF Lab](https://bishopfox.com/blog/ready-to-hack-an-llm-our-top-ctf-recommendations)
* [WithSecure Workout Planner CTF Challenge](https://myllmdoc.com)
* [CTF Prompt Injection (GitHub Lab)](https://github.com/CharlesTheGreat77/ctf-prompt-injection)
* [Steve's Chat Playground (Browser-Based Sandbox)](https://labs.withsecure.com/publications/multi-chain-prompt-injection-attacks)
* [Wild LLaMa (Prompt Engineering Mini-Game)](https://bishopfox.com/blog/ready-to-hack-an-llm-our-top-ctf-recommendations)
* [Damn Vulnerable LLM Agent](https://bishopfox.com/blog/ready-to-hack-an-llm-our-top-ctf-recommendations)
## Blogs & Series
* [LLM Security Best Practices (VIEH Group)](https://medium.com/@viehgroup/llm-security-best-practices-af5cf9d3a668?source=rss------hacking-5)
* [Getting Started with AI Hacking Part 2 (BHIS)](https://www.blackhillsinfosec.com/getting-started-with-ai-hacking-part-2/)
* [LLM Jailbreaking: Advanced Attack Techniques (JIN)](https://ai.plainenglish.io/llm-jailbreaking-advanced-attack-techniques-and-defense-strategies-unpacked-7c17b31ff1de?source=rss------hacking-5)
* [LLM Pentest Agent Hacking (Blaze Infosec)](https://www.blazeinfosec.com/post/llm-pentest-agent-hacking/)
* [From Prompt to Pwn: How I Pen-Tested a LLM](https://abhishekml.medium.com/from-prompt-to-pwn-how-i-pen-tested-and-broke-a-llm-25471e1b22f3?source=rss------ethical_hacking-5)
* [Stanford's 8-Word Hack (Medium)](https://medium.com/@akshayamary/stanfords-8-word-hack-that-unlocked-ai-s-lost-creativity-fcdd8ab1e0a0?source=rss------hacking-5)
* [Understanding LLM Attacks and Prompt Injections](https://medium.com/@anmol.sh/hacking-ai-understanding-llm-attacks-and-prompt-injections-9354f26a8353?source=rss------bug_bounty-5)
* [Six Key Adversarial Attacks and Their Consequences (Mindgard)](https://mindgard.ai/blog/ai-under-attack-six-key-adversarial-attacks-and-their-consequences)
* [LLM Security in 2025: Risks, Examples, and Best Practices (Oligo Security)](https://www.oligo.security/academy/llm-security-in-2025-risks-examples-and-best-practices)
* [Securing AI/LLMs in 2025: A Practical Guide (Software Analyst)](https://softwareanalyst.substack.com/p/securing-aillms-in-2025-a-practical)
* [AI Under the Microscope: OWASP Top 10 for LLMs 2025 (Qualys)](https://blog.qualys.com/vulnerabilities-threat-research/2024/11/25/ai-under-the-microscope-whats-changed-in-the-owasp-top-10-for-llms-2025)
* [Safeguarding Generative AI LLMs and Agentic AI (ISACA)](https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2025/safeguarding-the-future-strategies-for-protecting-generative-ai-llms-and-agentic-ai)
* [Security Roundup: Top AI Stories in 2024 (IBM)](https://www.ibm.com/think/insights/security-roundup-top-ai-stories-in-2024)
* [SaTML 2024 LLM CTF Write-up](https://jacoporepossi.github.io/learningq/posts/2024-06-29-satml-llm-ctf/)
* [CTFs on AI - Part 1: LLM Prompt Injection Attacks](https://defjm.github.io/hemb/posts/20240127_ctf-llm-part1/)
* [Adversarial Machine Learning (UC Berkeley CLTC)](https://cltc.berkeley.edu/aml/)
**Darshan Naresh Naik Series:**
* [Part 2: Prompt Injection](https://medium.com/@darshannnaik1234/ai-llm-hacking-part-2-prompt-injection-13030a731e15?source=rss------hacking-5)
* [Part 3: Sensitive Data Disclosure](https://medium.com/@darshannnaik1234/ai-llm-hacking-part-3-sensitive-data-disclosure-5417f57b778b?source=rss------hacking-5)
* [Part 4: Supply Chain & Poisoning](https://medium.com/@darshannnaik1234/ai-llm-hacking-part-4-supply-chain-data-model-poisoning-vulnerabilities-4c9bcc358055?source=rss------hacking-5)
* [Part 6: Excessive Agency & Plugins](https://infosecwriteups.com/ai-llm-hacking-part-6-excessive-agency-insecure-plugin-6c83013c6806?source=rss------hacking-5)
* [Part 7: System Prompt Leakage](https://blog.gopenai.com/ai-llm-hacking-part-7-system-prompt-leakage-vector-embedding-weakness-68bca76d9dd4?source=rss------ethical_hacking-5)
* [Part 8: Misinformation & DoS](https://infosecwriteups.com/ai-llm-hacking-part-8-misinformation-overreliance-unbounded-consumption-mdos-model-d1cee7d625d2?source=rss------hacking-5)
## Presentations & Conferences
* [DEF CON 32: Hacker vs AI perspectives from an ex spy](https://www.youtube.com/watch?v=WC-tY-gEIPc)
* [DEF CON 32: On Your Ocean's 11 Team, I'm the AI Guy](https://www.youtube.com/watch?v=pTSEViCwAig)
* [TEDx: The Rise of AI Hackbots](https://www.youtube.com/watch?v=Y_x6KXV1y_0)
* [YouTube: AI Hacking Resource](https://www.youtube.com/watch?v=tiwx7WPW8Jc)
## Notes & Misc
* [Walkthrough: TryHackMe EvilGPT (Medium)](https://motasemhamdan.medium.com/llm-ai-hacking-how-ai-is-being-exploited-by-hackers-tryhackme-evilgpt-1-2-5fda60114a5a)
* [The Best AI for Ethical Hacking (Tools List)](https://systemweakness.com/the-best-ai-for-ethical-hacking-911c92de3b37?source=rss------bug_bounty-5)
* [Hacking with AI SASTs (Reddit Discussion)](https://ift.tt/LKo0WFS)
* [Awesome-AI-Security (GitHub)](https://github.com/ottosulin/awesome-ai-security)
* [Awesome AI for Security (GitHub)](https://github.com/AmanPriyanshu/Awesome-AI-For-Security)
* [Awesome AI Cybersecurity (GitHub)](https://github.com/ElNiak/awesome-ai-cybersecurity)
* [Awesome-AI-Security by TalEliyahu (GitHub)](https://github.com/TalEliyahu/Awesome-AI-Security)
* [MITRE ATLAS Framework](https://atlas.mitre.org/)
* [OWASP LLM Top 10](https://llmtop10.com/)
* [OWASP Gen AI Security Project](https://genai.owasp.org/)
* [Google's Secure AI Framework (SAIF)](https://cloud.google.com/security/ai)
* [What Are Adversarial AI Attacks? (Palo Alto Networks)](https://www.paloaltonetworks.com/cyberpedia/what-are-adversarial-attacks-on-AI-Machine-Learning)
* [NIST: Types of Cyberattacks That Manipulate AI Systems](https://www.nist.gov/news-events/news/2024/01/nist-identifies-types-cyberattacks-manipulate-behavior-ai-systems)
## Tools & Frameworks
* [Cybersecurity AI (CAI) Framework (GitHub)](https://github.com/aliasrobotics/cai)
* [LLM Guard by Protect AI (GitHub)](https://github.com/protectai/llm-guard)
* [LlamaFirewall (GitHub)](https://github.com/llamafirewall/llamafirewall)
* [Garak - LLM Security Probing Tool (GitHub)](https://github.com/leondz/garak)
* [Llamator - LLM Vulnerability Testing Framework (GitHub)](https://github.com/llamator/llamator)
* [Foolbox - Adversarial Examples Toolbox (GitHub)](https://github.com/bethgelab/foolbox)
* [Counterfit - ML Security Assessment Tool (GitHub)](https://github.com/Azure/counterfit)
* [TenSEAL - Homomorphic Encryption for Tensors (GitHub)](https://github.com/OpenMined/TenSEAL)
* [dstack - Confidential AI Framework (GitHub)](https://github.com/dstack-group/dstack)
* [AI Security Analyzer (GitHub)](https://github.com/xvnpw/ai-security-analyzer)
* [SaTML LLM CTF Codebase (GitHub)](https://github.com/ethz-spylab/satml-llm-ctf)
# DevSecOps
## Books & Whitepapers
**Books**
- [The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security](https://www.amazon.com/DevOps-Handbook-World-Class-Reliability-Organizations/dp/1942788002)
- [DevSecOps: A leader’s guide to producing secure software](https://www.amazon.com/DevSecOps-producing-compromising-continuous-improvement/dp/1781335028)
- [Learning DevSecOps: A Practical Guide to Processes and Tools](https://www.amazon.com/Learning-DevSecOps-Practical-Guide-Processes/dp/1098144864)
- [Securing DevOps: Security in the Cloud](https://www.amazon.com/Securing-DevOps-Security-Julien-Vehent/dp/1617294136)
- [The DevSecOps Playbook: Deliver Continuous Security at Speed](https://www.amazon.com/DevSecOps-Playbook-Deliver-Continuous-Security/dp/1394169795)
- [Implementing DevSecOps Practices](https://www.amazon.com/Implementing-DevSecOps-Practices-Supercharge-excellence/dp/1803231491)
- [Hands-On Security in DevOps](https://www.amazon.com/Hands-Security-DevOps-continuous-deployment/dp/1788995503)
- [Container Security: Fundamental Technology Concepts](https://www.amazon.com/Container-Security-Fundamental-Technology-Containerized/dp/1492056707)
- [Software Supply Chain Security](https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706)
- [Security as Code: DevSecOps Patterns with AWS](https://www.amazon.com/Security-Code-DevSecOps-Patterns-AWS/dp/1492081124)
- [Epic Failures in DevSecOps](https://www.amazon.com/Epic-Failures-DevSecOps-Mark-Miller/dp/1728806992)
- [Alice and Bob Learn Application Security](https://www.wiley.com/en-gb/Alice+and+Bob+Learn+Application+Security-p-9781119687405)
- [Microservices Security in Action](https://www.amazon.com/Microservices-Security-Action-Prabath-Siriwardena/dp/1617295922)
- [DevSecOps in Oracle Cloud](https://www.oreilly.com/library/view/devsecops-in-oracle/9780138029777/)
- [DevSecOps for Azure](https://www.amazon.com/DevSecOps-Azure-End-end-security/dp/1837631115)
- [Mastering DevSecOps](https://www.amazon.com/Mastering-DevSecOps-Comprehensive-Become-Expert/dp/B0CGYQ1QCJ)
- [DevSecOps for .NET Core](https://www.amazon.com/DevSecOps-NET-Core-Securing-Applications/dp/1484258495)
- [Practical Security Automation and Testing](https://www.amazon.com/Practical-Security-Automation-Testing-techniques/dp/1789802024)
**Whitepapers**
- [DoD Enterprise DevSecOps Reference Design v2.0 (PDF)](https://dodcio.defense.gov/Portals/0/Documents/Library/DevSecOpsReferenceDesign.pdf)
- [MITRE: DevSecOps Security Test Automation Briefing (PDF)](https://www.mitre.org/sites/default/files/2021-11/prs-19-0769-devsecops-security-test-automation-briefing.pdf)
- [NIST SP 800-204: Security Strategies for Microservices (PDF)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204.pdf)
- [CSA: The Six Pillars of DevSecOps](https://cloudsecurityalliance.org/artifacts/six-pillars-of-devsecops)
- [CSA: DevSecOps Automated Security Testing](https://cloudsecurityalliance.org/artifacts/devsecops-automated-security-testing)
- [Integrating Security into CI/CD Pipelines: A DevSecOps Approach with SAST, DAST, and SCA Tools (ResearchGate)](https://www.researchgate.net/publication/390459514_Integrating_Security_into_CICD_Pipelines_A_DevSecOps_Approach_with_SAST_DAST_and_SCA_Tools)
## Courses
- [SANS SEC540: Cloud Native Security and DevSecOps Automation](https://www.sans.org/cyber-security-courses/cloud-native-security-devsecops-automation/)
- [Practical DevSecOps: Certified DevSecOps Professional (CDP)](https://www.practical-devsecops.com/certified-devsecops-professional/)
- [OffSec: DevSecOps Essentials (OS-210)](https://www.offsec.com/learning/paths/devsecops-essentials/)
- [Linux Foundation: Implementing DevSecOps (LFS262)](https://training.linuxfoundation.org/training/implementing-devsecops-lfs262/)
- [Linux Foundation: Developing Secure Software (LFD121)](https://training.linuxfoundation.org/training/developing-secure-software-lfd121/)
- [Coursera: IBM DevOps and Software Engineering Professional Certificate](https://www.coursera.org/professional-certificates/devops-and-software-engineering)
- [Coursera: Cybersecurity in the Cloud Specialization (Univ. of Minnesota)](https://www.coursera.org/specializations/cyber-security-cloud)
- [Udemy: DevSecOps & DevOps with Jenkins, Kubernetes, Terraform & AWS](https://www.udemy.com/course/devsecops-with-terraform-kubernetes-jenkins-aws/)
- [Udemy: Ultimate DevSecOps Bootcamp by School of Devops](https://www.udemy.com/course/ultimate_devsecops_bootcamp/)
- [Pluralsight: DevSecOps - The Big Picture](https://www.pluralsight.com/courses/devsecops-big-picture)
- [LinkedIn Learning: DevSecOps - Automated Security Testing](https://www.linkedin.com/learning/devsecops-automated-security-testing)
- [Codecademy: DevSecOps Principles](https://www.codecademy.com/learn/ext-courses/devsecops-principles-from-devops-to-devsecops)
- [EC-Council: Certified DevSecOps Engineer (E|CDE)](https://www.eccouncil.org/programs/certified-devsecops-engineer-ecde/)
- [DevOps Institute: DevSecOps Foundation (DOF)](https://www.devopsinstitute.com/certifications/devsecops-foundation/)
- [DevOps Institute: DevSecOps Practitioner (DOP)](https://www.devopsinstitute.com/certifications/devsecops-practitioner/)
- [EXIN: DevSecOps Professional](https://www.exin.com/certifications/exin-devsecops-professional-exam)
- [NotSoSecure: DevSecOps Training](https://notsosecure.com/security-training/devsecops-training)
- [Udemy: DevSecOps - Kubernetes DevOps & Security](https://www.udemy.com/course/kubernetes-devsecops/)
- [IGM Guru: DevSecOps Training with Certification](https://www.igmguru.com/cloud-computing/devsecops-training)
- [Security Compass: DevSecOps Training](https://www.securitycompass.com/blog/top-devsecops-training-courses/)
## Labs
- [TryHackMe: DevSecOps Path](https://tryhackme.com/path/outline/devsecops)
- [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/)
- [Kontra: DevSecOps Interactive Training](https://application.security/free-application-security-training)
- [SecureFlag](https://www.secureflag.com/)
- [Punk Security DevSecOps CTF](https://punksecurity.co.uk/ctf/2024/)
- [DevSecOps Home Lab (DevSecBlueprint)](https://www.devsecblueprint.com/projects/devsecops-home-lab/)
- [Practical DevSecOps Platform Labs](https://portal.practical-devsecops.training/)
- [OWASP WebGoat](https://owasp.org/www-project-webgoat/)
- [DVWA (Damn Vulnerable Web Application)](https://github.com/digininja/DVWA)
- [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat)
- [CI/CD Goat](https://github.com/cider-security-research/cicd-goat)
## Blogs & Series
- [Red Hat Developer: DevSecOps Topics & Resources](https://developers.redhat.com/topics/devsecops#devsecops)
- [RSA Conference Blog: Combining DAST with SAST for Holistic Coverage](https://www.rsaconference.com/library/blog/combining-dast-with-sast-for-holistic-application-security-coverage)
- [AWS Security Blog](https://aws.amazon.com/blogs/security/)
- [Google Cloud Security Blog](https://cloud.google.com/blog/products/identity-security)
- [GitLab Blog: DevSecOps](https://about.gitlab.com/blog/categories/devsecops/)
- [Snyk Blog](https://snyk.io/blog/)
- [Practical DevSecOps: Top 15 DevSecOps Best Practices for 2025](https://www.practical-devsecops.com/devsecops-best-practices/)
- [GeeksforGeeks: 10 DevSecOps Best Practices for 2025](https://www.geeksforgeeks.org/devops/devsecops-best-practices/)
- [Pynt.io: DevSecOps Principles, Tools, and Best Practices [2025 Guide]](https://www.pynt.io/learning-hub/devsecops/devsecops-principles-tools-and-best-practices-2025-guide)
- [Codefresh: Top 10 DevSecOps Best Practices for 2025](https://codefresh.io/learn/devsecops/devsecops-best-practices/)
- [Check Point: Top 10 DevSecOps Best Practices](https://www.checkpoint.com/cyber-hub/cloud-security/devsecops/10-devsecops-best-practices/)
- [Tigera: 5 DevSecOps Best Practices You Must Implement](https://www.tigera.io/learn/guides/devsecops/devsecops-best-practices/)
- [DevSecOps Guides: Simple Guide for Development and Operation](https://www.devsecopsguides.com/)
- [ChaosSearch: 5 DevSecOps Checklists for Advanced Techniques in 2025](https://www.chaossearch.io/blog/checklists-for-advanced-devsecops-techniques)
- [AWS DevOps Blog: Building End-to-End AWS DevSecOps CI/CD Pipeline](https://aws.amazon.com/blogs/devops/building-end-to-end-aws-devsecops-ci-cd-pipeline-with-open-source-sca-sast-and-dast-tools/)
- [Medium: Mastering DevSecOps - Building a Secure End-to-End Pipeline](https://medium.com/@mayankarya837/mastering-devsecops-building-a-secure-end-to-end-modern-pipeline-security-with-sast-dast-sca-4469117cd5c2)
- [Wiz Academy: 11 DevSecOps Tools and Top Use Cases in 2025](https://www.wiz.io/academy/devsecops-tools)
- [StationX: 25 Top DevSecOps Tools - Ultimate Guide for 2025](https://www.stationx.net/top-devsecops-tools/)
- [Codefresh: 15 DevSecOps Tools to Know in 2025](https://codefresh.io/learn/devsecops/15-devsecops-tools-to-know-in-2025/)
- [Spacelift: 21 Best DevSecOps Tools and Platforms for 2025](https://spacelift.io/blog/devsecops-tools)
- [Atlassian: DevSecOps Tools Guide](https://www.atlassian.com/devops/devops-tools/devsecops-tools)
- [Escape: Top 10 DAST Tools for DevSecOps - Tested in CI/CD (2025)](https://escape.tech/blog/top-dast-tools/)
- [Jit: Top 10 DAST Tools for 2025](https://www.jit.io/resources/appsec-tools/top-dast-tools-for-2024)
- [Kiuwan: Application Security Tools Comparison](https://www.kiuwan.com/blog/application-security-tools-comparison/)
- [TechTarget: Compare SAST vs. DAST vs. SCA for DevSecOps](https://www.techtarget.com/searchsecurity/tip/Understanding-3-key-automated-DevSecOps-tools)
## Presentations & Conferences
- [Black Hat USA 2019: DevSecOps - What, Why, And How (PDF)](https://i.blackhat.com/USA-19/Thursday/us-19-Shrivastava-DevSecOps-What-Why-And-How.pdf)
- [RSAC 2025: DevSecOps Revolution - Unleashing Generative AI](https://www.rsaconference.com/library/presentation/usa/2025/devsecops%20revolution%20unleashing%20generative%20ai%20for%20automated%20excellence)
- [RSAC 2024: DevSecOps Next - Navigating the Next Era](https://www.rsaconference.com/library/presentation/usa/2024/devsecops%20next%20navigating%20the%20next%20era%20with%20industry%20titans)
- [RSAC Innovation Showcase: DevSecOps](https://www.rsaconference.com/library/innovation%20showcase/25-devsecops)
- [DevSecCon](https://www.devseccon.com/)
- [All Day DevOps](https://www.alldaydevops.com/)
- [OWASP AppSec Days](https://owasp.org/events/)
- [KubeCon + CloudNativeCon](https://www.youtube.com/c/cloudnativefdn)
## **Tools & Frameworks**
**Static Application Security Testing (SAST)**
- [SonarQube](https://www.sonarqube.org/) - Continuous code quality and security inspection
- [Checkmarx](https://checkmarx.com/) - Enterprise SAST platform
- [Veracode](https://www.veracode.com/) - Application security testing platform
- [Semgrep](https://semgrep.dev/) - Lightweight static analysis for many languages
- [Horusec](https://horusec.io/) - Open-source security analysis tool
- [Bandit](https://github.com/PyCQA/bandit) - Security linter for Python
**Dynamic Application Security Testing (DAST)**
- [OWASP ZAP](https://www.zaproxy.org/) - Web application security scanner
- [Burp Suite](https://portswigger.net/burp) - Web vulnerability scanner
- [Acunetix](https://www.acunetix.com/) - Automated web application security testing
- [Nuclei](https://github.com/projectdiscovery/nuclei) - Fast vulnerability scanner
- [w3af](http://w3af.org/) - Web application attack and audit framework
**Software Composition Analysis (SCA)**
- [Snyk](https://snyk.io/) - Developer-first security platform
- [Dependabot](https://github.com/dependabot) - Automated dependency updates
- [OWASP Dependency-Check](https://owasp.org/www-project-dependency-check/) - SCA tool
- [Syft](https://github.com/anchore/syft) - SBOM generation tool
- [Grype](https://github.com/anchore/grype) - Vulnerability scanner for container images
**Container Security**
- [Trivy](https://github.com/aquasecurity/trivy) - Comprehensive security scanner
- [Clair](https://github.com/quay/clair) - Vulnerability static analysis for containers
- [Anchore](https://anchore.com/) - Container security and compliance platform
- [Falco](https://falco.org/) - Cloud-native runtime security
**Infrastructure as Code (IaC) Security**
- [Checkov](https://www.checkov.io/) - Static code analysis for IaC
- [tfsec](https://github.com/aquasecurity/tfsec) - Security scanner for Terraform
- [Terrascan](https://github.com/tenable/terrascan) - Static code analyzer for IaC
- [KICS](https://kics.io/) - Find security vulnerabilities in IaC
**Secrets Management**
- [Gitleaks](https://github.com/gitleaks/gitleaks) - Detect hardcoded secrets
- [TruffleHog](https://github.com/trufflesecurity/trufflehog) - Find credentials in git repositories
- [detect-secrets](https://github.com/Yelp/detect-secrets) - Preventing secrets in code
- [HashiCorp Vault](https://www.vaultproject.io/) - Secrets management platform
- [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) - Manage secrets for AWS
- [git-secrets](https://github.com/awslabs/git-secrets) - Prevent committing secrets to git
**CI/CD Security & Orchestration**
- [Jenkins](https://www.jenkins.io/) - Automation server with security plugins
- [GitLab CI/CD](https://about.gitlab.com/solutions/continuous-integration/) - Built-in CI/CD with security features
- [GitHub Actions](https://github.com/features/actions) - Workflow automation
- [CircleCI](https://circleci.com/) - Continuous integration platform
- [Tekton](https://tekton.dev/) - Cloud-native CI/CD framework
**Security Orchestration & Vulnerability Management**
- [DefectDojo](https://www.defectdojo.org/) - Security vulnerability management
- [Archery](https://github.com/archerysec/archerysec) - Vulnerability assessment and management
- [Faraday](https://github.com/infobyte/faraday) - Multiuser penetration test IDE
- [OpenVAS](https://www.openvas.org/) - Full-featured vulnerability scanner
**Policy as Code & Compliance**
- [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) - Policy-based control for cloud native
- [Conftest](https://www.conftest.dev/) - Test configuration files using OPA
- [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) - OPA policy language
- [InSpec](https://community.chef.io/tools/chef-inspec) - Infrastructure testing framework
**API Security**
- [42Crunch](https://42crunch.com/) - API security platform
- [Postman](https://www.postman.com/) - API testing with security scanning
- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) - API security standard
**Monitoring & Observability**
- [Prometheus](https://prometheus.io/) - Monitoring and alerting toolkit
- [Grafana](https://grafana.com/) - Observability platform
- [ELK Stack](https://www.elastic.co/elastic-stack) - Elasticsearch, Logstash, Kibana
- [Splunk](https://www.splunk.com/) - Security information and event management
## **Notes**
- [OWASP DevSecOps Guideline](https://owasp.org/www-project-devsecops-guideline/)
- [SANS DevSecOps Cheat Sheet](https://www.sans.org/posters/cloud-security-and-devops-cheat-sheet/)
- [Start Here - DevSecOps (Roadmap)](https://start.jcolemorrison.com/devsecops-start-here/)
- [Hacking the Cloud](https://hackingthe.cloud/)
- [Periodic Table of DevOps Tools](https://digital.ai/periodic-table-of-devops-tools/)
- [Practical DevSecOps: DevSecOps Roadmap - Top Certifications List for 2025](https://www.practical-devsecops.com/devsecops-roadmap/)
- [Practical DevSecOps: Best DevSecOps Tools List for 2025](https://www.practical-devsecops.com/devsecops-tools/)
- [Upwind: Top 13 Open-Source DevSecOps Tools for 2025](https://www.upwind.io/glossary/13-best-devsecops-tools-2025s-best-open-source-options-sorted-by-use-case)
- [Bytebase: Top DevSecOps Tools for 2025](https://www.bytebase.com/blog/top-devsecops-tool/)
## **Misc (GitHub Repos, Videos, Reports)**
**GitHub Repos**
- [Awesome DevSecOps (The Source)](https://github.com/JakobTheDev/awesome-devsecops)
- [DefectDojo](https://github.com/DefectDojo/django-DefectDojo)
- [Trivy](https://github.com/aquasecurity/trivy)
- [Gitleaks](https://github.com/gitleaks/gitleaks)
- [Checkov](https://github.com/bridgecrewio/checkov)
- [GHA-DevSecOps: DevSecOps Pipeline using SAST + DAST and SCA](https://github.com/magnologan/gha-devsecops)
- [TruffleHog](https://github.com/trufflesecurity/trufflehog)
- [Semgrep](https://github.com/semgrep/semgrep)
- [Nuclei](https://github.com/projectdiscovery/nuclei)
- [tfsec](https://github.com/aquasecurity/tfsec)
- [Terrascan](https://github.com/tenable/terrascan)
- [KICS (Keeping Infrastructure as Code Secure)](https://github.com/Checkmarx/kics)
- [Bandit - Python Security Linter](https://github.com/PyCQA/bandit)
- [Syft - SBOM Generator](https://github.com/anchore/syft)
- [Grype - Vulnerability Scanner](https://github.com/anchore/grype)
- [GitGuardian - Secrets Detection](https://github.com/GitGuardian/ggshield)
- [CI/CD Goat - Deliberately Insecure CI/CD](https://github.com/cider-security-research/cicd-goat)
- [Kubernetes Goat](https://github.com/madhuakula/kubernetes-goat)
- [DVWA - Damn Vulnerable Web Application](https://github.com/digininja/DVWA)
**Videos & Podcasts**
- [Podcast: RSAC DevSecOps Insights and Exciting Horizons](https://www.rsaconference.com/library/podcast/2024-devsecops-insights-and-exciting-horizons)
- [Video: DevSecOps - What, Why and How (Black Hat)](https://www.youtube.com/watch?v=DzX9Vi_UQ8o)
- [Video Series: DevSecOps Training Academy (Playlist)](https://www.youtube.com/watch?v=4WCLHKHDM_M&list=PLv7wrBcQXrGLifEQhN5OvRG_V4KtvIhZN)
- [Video: DevSecOps Course for Beginners – API Security](https://www.youtube.com/watch?v=JfiWi8RjN-8)
- [Video: DevSecOps FULL 8 Hours Course](https://www.youtube.com/watch?v=7tcX_ndqD68)
- [Video: DevSecOps Full Course](https://www.youtube.com/watch?v=D7Nhna43ztg)
- [YouTube: KubeCon + CloudNativeCon Channel](https://www.youtube.com/c/cloudnativefdn)
- [Podcast: All Day DevOps](https://www.alldaydevops.com/)
- [Video: Punk Security DevSecOps CTF 2024 Writeup](https://inv1nc.github.io/punk-security-devsecopsctf-2024-writeup)
**Reports & Industry Resources**
- [Sonatype: State of the Software Supply Chain Report](https://www.sonatype.com/state-of-the-software-supply-chain)
- [GitLab: Global DevSecOps Report](https://about.gitlab.com/developer-survey/)
- [SANS Institute: Application Security & API Survey](https://www.sans.org/white-papers/sans-2024-application-security-api-survey-protecting-our-applications-apis)
- [CIO Influence: DevSecOps Tools for CIOs in 2024](https://cioinfluence.com/it-and-devops/devsecops-tools-for-cios-in-2024/)
- [Zymr: 10 DevOps and DevSecOps Trends and Predictions 2024](https://www.zymr.com/blog/devops-and-devsecops-trends-and-predictions-2024)
- [CloudDefense.AI - DevSecOps Platform](https://www.clouddefense.ai/)
- [Aqua Security - Cloud Native Security Platform](https://www.aquasec.com/)
- [Palo Alto Networks Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud)
- [Fortify - Application Security Solutions](https://www.microfocus.com/en-us/cyberres/application-security/fortify-on-demand)
# Linux Exploit Development
## Books & Whitepapers
* [Linux Exploit Development for Beginners (PDF)](https://edu.anarcho-copy.org/GNU%20Linux%20-%20Unix-Like/Linux%20Exploit%20Development%20for%20Beginners.pdf)
* [Exploit Development Student Version 1 (eLearnSecurity PDF)](https://dsxte2q2nyjxs.cloudfront.net/Syllabus_XDSV1.pdf)
* [Automatic Generation of Control Flow Hijacking Exploits (GitHub PDF)](https://github.com/hardenedlinux/linux-exploit-development-tutorial/blob/master/chapter1/Automatic%20Generation%20of%20Control%20Flow%20Hijacking%20Exploits%20for%20Software%20Vulnerabilities.pdf)
* [Linux Exploit Development Part 3 - ret2libc (PDF)](https://github.com/everettjf/Papers/blob/master/Linux%20exploit%20development%20part%203%20-%20ret2libc.pdf)
* [Linux Exploit Development Part 4 - Bypass (Packet Storm PDF)](https://packetstormsecurity.com/files/101426/lewt4-bypass.pdf)
* [Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability (USENIX Security 2022)](https://www.usenix.org/system/files/sec22fall_zeng.pdf)
* [Unleashing Use-After-Free Vulnerabilities in Linux Kernel (ACM 2015)](https://dl.acm.org/doi/10.1145/2810103.2813637)
* [A Systematic Study of Elastic Objects in Kernel Exploitation (ELOISE Paper)](https://zplin.me/papers/ELOISE.pdf)
* [Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation (arXiv 2024)](https://arxiv.org/html/2406.02624v3)
* [GREBE: Unveiling Exploitation Potential for Linux Kernel Bugs (Research Paper)](https://zplin.me/papers/GREBE.pdf)
* [An In-Depth Survey of Bypassing Buffer Overflow Mitigation Techniques (MDPI 2022)](https://www.mdpi.com/2076-3417/12/13/6702)
* [Bypassing ASLR/DEP Whitepaper (Exploit-DB)](https://www.exploit-db.com/docs/english/17914-bypassing-aslrdep.pdf)
* [Cueing up a Calculator: An Introduction to Exploit Development on Linux (GitHub Blog)](https://github.blog/security/vulnerability-research/cueing-up-a-calculator-an-introduction-to-exploit-development-on-linux/)
* [A Practical Approach to Learning Linux Vulnerabilities (Journal of Computer Virology 2022)](https://link.springer.com/article/10.1007/s11416-022-00455-w)
* [Understanding Binary Protections (and How to Bypass) with a Dumb Example](https://mdanilor.github.io/posts/memory-protections/)
## Courses
* [SANS SEC760: Advanced Exploit Development for Penetration Testers](https://www.sans.org/cyber-security-courses/advanced-exploit-development-penetration-testers)
* [OffensiveCon: Exploiting the Linux Kernel (2024)](https://www.offensivecon.org/trainings/2024/exploiting-the-linux-kernel.html)
* [Pentester Academy: SLAE - SecurityTube Linux Assembly Expert (32-bit)](https://www.pentesteracademy.com/course?id=3)
* [Pentester Academy: SLAE64 - SecurityTube Linux Assembly Expert (64-bit)](https://www.pentesteracademy.com/video?id=130)
* [Duasynt: Linux Kernel Exploitation Techniques](https://duasynt.com/training-intro-kernel-exploit-dev)
* [Pluralsight: Exploit Development Learning Path (2025 Updated)](https://www.pluralsight.com/paths/exploit-development)
* [Udemy: Exploit Development for Linux (x86)](https://www.udemy.com/course/exploit-development/)
* [Udemy: Exploit Development for Linux x64](https://www.udemy.com/course/64bit-linux-exploit-development/)
* [Udemy: Exploit Development Tutorial for Hackers and Pentesters](https://www.udemy.com/course/exploit-development-tutorial-for-hackers-and-pentesters/)
* [CyberWarfare Labs: Certified Exploit Development Professional (CEDP)](https://cyberwarfare.live/product/certified-exploit-development-professional-cedp/)
* [City College of San Francisco: CNIT 127 - Exploit Development (Free)](https://www.classcentral.com/course/independent-cnit-127-exploit-development-10432)
* [OpenSecurityTraining: Exploits 1](https://opensecuritytraining.info/Exploits1.html)
* [Class Central: 300+ Exploit Development Online Courses for 2025](https://www.classcentral.com/subject/exploit-development)
* [Hack The Box Academy: Stack-Based Buffer Overflows](https://academy.hackthebox.com/course/preview/stack-based-buffer-overflows-on-windows-x86)
## Labs & Tools
**Debugging & Analysis Tools:**
* [pwndbg - GDB Plugin for Exploit Development](https://github.com/pwndbg/pwndbg)
* [GEF (GDB Enhanced Features) - Multi-Architecture GDB Plugin](https://github.com/hugsy/gef)
* [PEDA (Python Exploit Development Assistance for GDB)](https://github.com/longld/peda)
* [pwntools - CTF Framework and Exploit Development Library](https://github.com/Gallopsled/pwntools)
* [Ropper - ROP Gadget Finder and Binary Information Tool](https://github.com/sashs/Ropper)
* [ROPgadget - ROP Chain Builder](https://github.com/JonathanSalwan/ROPgadget)
* [one_gadget - Magic Gadget Finder for libc](https://github.com/david942j/one_gadget)
* [radare2 - Reverse Engineering Framework](https://github.com/radareorg/radare2)
* [Binary Ninja - Reverse Engineering Platform](https://binary.ninja/)
* [IDA Pro - Interactive Disassembler](https://www.hex-rays.com/products/ida/)
* [Ghidra - NSA Reverse Engineering Tool](https://ghidra-sre.org/)
**Exploitation Frameworks & Resource Collections:**
* [GitHub: linux-exploitation-course - Intermediate Level Linux Exploitation](https://github.com/nnamon/linux-exploitation-course)
* [GitHub: xairy/linux-kernel-exploitation - Comprehensive Kernel Security Resources](https://github.com/xairy/linux-kernel-exploitation)
* [GitHub: martinradev/linux-kernel-exploitation-1 - Kernel Exploit Links Collection](https://github.com/martinradev/linux-kernel-exploitation-1)
* [GitHub: bcoles/kernel-exploits - Various Linux Kernel Exploits](https://github.com/bcoles/kernel-exploits)
* [GitHub: xairy/kernel-exploits - Proof-of-Concept Linux Kernel Exploits](https://github.com/xairy/kernel-exploits)
* [GitHub: Lazenca/Kernel-exploit-tech - Linux Kernel Exploitation Tutorial](https://github.com/Lazenca/Kernel-exploit-tech)
* [GitHub: ww9210/Linux_kernel_exploits - Real World Kernel Vulnerability Exploits](https://github.com/ww9210/Linux_kernel_exploits)
* [GitHub: ByteHackr/Kernel-Exploits - Curated Linux Exploitation Resources](https://github.com/ByteHackr/Kernel-Exploits)
* [GitHub: Linux Kernel VR Exploitation - Kernel Vulnerability Research](https://github.com/IdanBanani/Linux-Kernel-VR-Exploitation)
* [GitHub: linux-exploit-development-tutorial by HardenedLinux](https://github.com/hardenedlinux/linux-exploit-development-tutorial)
**Practice & CTF Resources:**
* [pwn.college - Computer Security Practice Challenges](https://pwn.college/)
* [Nightmare - Binary Exploitation Tutorial](https://guyinatuxedo.github.io/)
* [Exploit Education - Vulnerable VMs for Learning](https://exploit.education/)
* [ROP Emporium - ROP Challenge Collection](https://ropemporium.com/)
* [CTF101 - Binary Exploitation Handbook](https://ctf101.org/binary-exploitation/)
* [Phoenix - Exploit Education Challenges](https://exploit.education/phoenix/)
* [Protostar - Stack/Heap Exploitation Challenges](https://exploit.education/protostar/)
## Blogs & Series
* [CVE-2024-1086: Linux Kernel Privilege Escalation Actively Exploited (CrowdStrike)](https://www.crowdstrike.com/en-us/blog/active-exploitation-linux-kernel-privilege-escalation-vulnerability/)
* [CVE-2024-1086: Critical Linux Kernel Flaw Exploited in Ransomware Attacks (SOC Prime)](https://socprime.com/blog/cve-2024-1086-vulnerability/)
* [CVE-2025-21756: Critical Linux Kernel Flaw Allows Privilege Escalation (GBHackers)](https://gbhackers.com/critical-linux-kernel-flaw/)
* [2025: 7 Linux Kernel Vulnerabilities Exploited in the Wild (LinuxSecurity)](https://linuxsecurity.com/news/security-vulnerabilities/7-linux-kernel-vulnerabilities-exploited-in-2025)
* [Easy Privilege Escalation Exploit Lands for Linux Kernels (The Register March 2024)](https://www.theregister.com/2024/03/29/linux_kernel_flaw/)
* [Linux Kernel Vulnerability Let Attackers Escalate Privilege - PoC Released (CyberSecurityNews)](https://cybersecuritynews.com/linux-kernel-vulnerability-escalate-privilege/)
* [Bypassing DEP & ASLR in Linux (BorderGate)](https://www.bordergate.co.uk/dep-aslr-bypass/)
* [How to Bypass Basic Exploit Mitigation - Part 0x00: Vanilla Buffer Overflow (Andy's Cave 2025)](https://andy.codes/blog/security-articles/2025-10-15-exploit-mitigation-vanilla-buffer-overflow.html)
* [How to Bypass Basic Exploit Mitigation - Part 0x01: DEP/NX (Andy's Cave 2025)](https://andy.codes/blog/security-articles/2025-10-20-exploit-mitigation-dep-nx-rop.html)
* [How to Bypass Basic Exploit Mitigation - Part 0x03: ASLR (Andy's Cave 2025)](https://andy.codes/blog/security-articles/2025-11-02-exploit-mitigation-aslr.html)
* [Linux Exploitation: Evading Exploit Protection (MCSI Library)](https://library.mosse-institute.com/articles/2022/06/linux-exploitation-evading-exploit-protection/linux-exploitation-evading-exploit-protection.html)
* [Introduction to x64 Linux Binary Exploitation - Part 3: RoP Chains (Medium)](https://valsamaras.medium.com/introduction-to-x64-linux-binary-exploitation-part-3-rop-chains-3cdcf17e8826)
* [ROP - Return Oriented Programming (hackndo)](https://en.hackndo.com/return-oriented-programming/)
* [Linux - ELF64 ROP Leaks (InfoSec Notes)](https://notes.qazeer.io/binary-exploitation/elf64_rop_leaks)
* [ROP Exploitation on x32 Linux (Buffer Overflows)](https://bufferoverflows.net/rop-manual-exploitation-on-x32-linux/)
* [Heap Exploitation Part 1: Understanding the Glibc Heap Implementation (Azeria Labs)](https://azeria-labs.com/heap-exploitation-part-1-understanding-the-glibc-heap-implementation/)
* [Heap Exploitation - Nightmare Tutorial](https://guyinatuxedo.github.io/25-heap/index.html)
* [Heap Overflow with Stack-Pivoting, Format String and ROP (MBE LAB7A)](https://hackingiscool.pl/heap-overflow-with-stack-pivoting-format-string-leaking-first-stage-rop-ing-to-shellcode-after-making-it-executable-on-the-heap-on-a-statically-linked-binary-mbe-lab7a/)
* [Balsn's Lazyhouse Exploit Analysis: ROP on the Heap in GLIBC 2.29](https://faraz.faith/2019-10-24-hitconctf-lazyhouse-balsn-exploit-analysis/)
* [Exploit Development with AFL, PEDA and PwnTools (DeepCode)](https://www.deepcode.ca/index.php/2017/07/28/exploit-development-with-afl-peda-and-pwntools/)
* [PEDA, GEF, and PWNDBG—Which GDB Extension Should You Use in 2025? (Medium)](https://medium.com/@elpepinillo/peda-gef-and-pwndbg-which-gdb-extension-should-you-use-in-2025-67033ddd8459)
* [Speed Up Your Binary Exploits! An Introduction to GEF and Pwntools (ParzelseSec)](https://parzelsec.de/posts/speed-up-your-exploits)
## Presentations & Conferences
* [USENIX Security: Linux Kernel Exploitation Research](https://www.usenix.org/conference/usenixsecurity)
* [Black Hat: Linux Exploit Development Presentations](https://www.blackhat.com/)
* [DEF CON: Linux Security and Exploitation Talks](https://www.defcon.org/)
* [OffensiveCon: Linux Kernel Exploitation Training](https://www.offensivecon.org/)
* [PwnSec: Linux Binary Exploitation Challenges](https://pwn.college/)
* [HITCON CTF: Advanced Linux Exploitation Challenges](https://ctf.hitcon.org/)
* [Google Project Zero: Linux Kernel Security Research](https://googleprojectzero.blogspot.com/)
## Videos
* [YouTube: Linux Exploit Development Tutorials](https://www.youtube.com/results?search_query=linux+exploit+development+tutorial)
* [YouTube: Linux Kernel Exploitation](https://www.youtube.com/results?search_query=linux+kernel+exploitation)
* [YouTube: ROP Chain Exploitation Linux](https://www.youtube.com/results?search_query=rop+chain+linux)
* [YouTube: Linux Heap Exploitation](https://www.youtube.com/results?search_query=linux+heap+exploitation)
* [YouTube: pwntools Tutorial](https://www.youtube.com/results?search_query=pwntools+tutorial)
## Notes
* **Primary Architectures:** x86 (32-bit), x86-64 (64-bit), ARM, MIPS, RISC-V
* **Exploitation Techniques:** Stack overflow, heap overflow, use-after-free, double-free, format string, integer overflow, race conditions, ROP chains, ret2libc, ret2plt, SROP (Sigreturn-Oriented Programming)
* **Kernel Exploitation:** Privilege escalation, SMEP/SMAP bypass, page spray, elastic objects, heap feng shui, kernel ROP, race conditions (TOCTOU), arbitrary read/write primitives
* **2024-2025 Critical CVEs:** CVE-2024-1086 (netfilter UAF - actively exploited in ransomware, CISA KEV), CVE-2024-53141 (IP sets bitmap privilege escalation), CVE-2025-21756 ("Attack of the Vsock"), CVE-2025-38727 (Netlink interface)
* **Exploit Mitigations:** NX/DEP (No-Execute), ASLR (Address Space Layout Randomization), PIE (Position Independent Executable), RELRO (Relocation Read-Only), stack canaries, FORTIFY_SOURCE, SMEP (Supervisor Mode Execution Prevention), SMAP (Supervisor Mode Access Prevention), KASLR (Kernel ASLR)
* **Mitigation Bypass Techniques:** ROP chains for DEP bypass, information leaks for ASLR bypass, partial RELRO exploitation, GOT/PLT overwrite, stack pivoting, heap spray, brute forcing (partial ASLR)
* **Memory Allocators:** glibc malloc/ptmalloc2, tcache, fastbins, unsorted bins, small bins, large bins; kernel allocators: SLUB, SLAB, SLOB, buddy allocator
* **Common Bug Classes:** Buffer overflow (stack/heap), use-after-free (UAF), double-free, type confusion, integer overflow/underflow, uninitialized memory, race conditions, format string vulnerabilities
* **Stack Exploitation:** Buffer overflow to overwrite return address, stack canary bypass, frame pointer overwrite, saved instruction pointer corruption, shellcode injection (when DEP disabled)
* **Heap Exploitation:** Fastbin attack, tcache poisoning, unsorted bin attack, house of force, house of spirit, overlapping chunks, chunk consolidation abuse, heap spray
* **ROP Techniques:** ret2libc (return to libc functions), ret2plt (return to PLT), ret2syscall, SROP (sigreturn-oriented programming), JOP (jump-oriented programming), stack pivoting for ROP chains
* **Kernel Specific:** Credential struct overwrite, modprobe_path overwrite, commit_creds + prepare_kernel_cred combo, pipe spray, msg_msg spray, seq_operations exploitation, userfaultfd for race condition exploitation
* **Information Leaks:** Stack/heap leaks via format strings, partial overwrites, uninitialized memory disclosure, /proc filesystem leaks, timing side-channels, speculative execution vulnerabilities
* **Shellcode Development:** x86/x64 assembly, syscall invocation, null-byte avoidance, alphanumeric shellcode, polymorphic shellcode, egg hunters, staged payloads, reverse shells, bind shells
* **SLAE Certification:** SecurityTube Linux Assembly Expert focuses on x86 (32-bit) and x86-64 (64-bit) assembly, shellcoding techniques, encoder/decoder development, custom shellcode creation, exam requires 7 assignments + blog writeups
* **Development Tools:** GCC, NASM/YASM assemblers, objdump, readelf, strace, ltrace, checksec, seccomp-tools, qemu for kernel debugging, GDB with Python scripting
* **GDB Extensions Comparison:** Pwndbg (best for exploit dev, pwntools integration, Python 3), GEF (multi-arch support, rich features, Python 3), PEDA (legacy x86 only, Python 2)
* **Pwntools Features:** Process/remote interaction, ROP chain building, shellcode assembly, ELF parsing, format string exploitation helpers, cyclic pattern generation, integer packing/unpacking
* **Lab Setup:** Isolated VM environment (Ubuntu/Kali), kernel source compilation for debugging, QEMU for kernel exploitation, Docker containers for controlled testing, disable ASLR for initial learning
* **CTF Platforms:** pwn.college, Nightmare, Exploit Education (Phoenix, Protostar, Fusion), ROP Emporium, picoCTF, HTB (Hack The Box), pwnable.kr, pwnable.tw
* **Debugging Workflow:** GDB with pwndbg/GEF, attach to process, set breakpoints, examine registers/memory, single-step through execution, analyze crash dumps, automate with pwntools
* **Kernel Debugging:** QEMU with GDB stub, /proc/kallsyms for symbol resolution, dmesg for kernel logs, ftrace for tracing, SystemTap/eBPF for dynamic instrumentation
* **CISA KEV Catalog:** 7 Linux kernel vulnerabilities added to Known Exploited Vulnerabilities in 2025, primarily netfilter subsystem flaws, require immediate patching for government systems
* **Exploitation Trends 2025:** 159 CVEs exploited in Q1 2025, focus on kernel netfilter/network stack, device driver vulnerabilities, local privilege escalation chains, ransomware using kernel exploits
* **Legal Warning:** Unauthorized exploitation is illegal. All research must be conducted in authorized lab environments, on systems you own, or with explicit permission
* **Responsible Disclosure:** Report vulnerabilities to vendors (kernel.org security team, distro security teams), coordinate disclosure timelines (typically 90 days), never weaponize exploits for unauthorized use
* **Best Practices:** Start with basic stack overflows before moving to kernel, understand assembly and C deeply, practice on CTF challenges, read exploit writeups, study CVE patches, contribute to security community
* **Career Paths:** Penetration tester, exploit developer, vulnerability researcher, security engineer, red team operator, CTF competitor, bug bounty hunter, security consultant
* **Certifications:** OSCP (Offensive Security Certified Professional), OSCE (Offensive Security Certified Expert), SLAE/SLAE64, CEDP (Certified Exploit Development Professional), GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
* **Research Institutions:** Google Project Zero, Linux Kernel Security Team, university research labs (Georgia Tech, MIT, UC Berkeley), commercial security firms (CrowdStrike, Trend Micro ZDI)
* **Key Researchers:** PaX Team (grsecurity), Spender, Jon Oberheide, Dan Rosenberg, Brad Spengler, Andrey Konovalov (xairy), Will Drewry, Kees Cook
* **Future Trends:** Increased adoption of memory-safe languages (Rust in kernel), hardware-based security (Intel CET, ARM PAC/BTI), eBPF security hardening, confidential computing, automated exploit generation
# Windows Exploit Development
## Books & Whitepapers
* [Bypassing ASLR/DEP Whitepaper (Exploit-DB)](https://www.exploit-db.com/docs/english/17914-bypassing-aslrdep.pdf)
* [Taking Windows 10 Kernel Exploitation to the Next Level (Black Hat 2017 PDF)](https://blackhat.com/docs/us-17/wednesday/us-17-Schenk-Taking-Windows-10-Kernel-Exploitation-To-The-Next-Level%E2%80%93Leveraging-Write-What-Where-Vulnerabilities-In-Creators-Update-wp.pdf)
* [Identifying and Exploiting Windows Kernel Race Conditions (Google Research PDF)](https://research.google.com/pubs/archive/42189.pdf)
* [Windows Kernel Hijacking Is Not an Option: MemoryRanger (JDFSL 2021)](https://commons.erau.edu/jdfsl/vol16/iss1/4/)
* [Windows 10 NT Heap Exploitation (SlideShare PDF)](https://www.slideshare.net/AngelBoy1/windows-10-nt-heap-exploitation-english-version)
* [History and Current State of Heap Exploit (FFRI PDF)](https://www.ffri.jp/assets/files/monthly_research/MR201312_History%20and%20Current%20State%20of%20Heap%20Exploit_ENG.pdf)
* [Heap Overflow Exploitation on Windows 10 Explained (Rapid7)](https://www.rapid7.com/blog/post/2019/06/12/heap-overflow-exploitation-on-windows-10-explained/)
* [Advanced Exploit Development - Heap Exploitation Techniques (UncleSp1d3r Blog 2024)](https://unclesp1d3r.github.io/posts/2024/05/advanced-exploit-development-heap-exploitation-techniques/)
* [Windows Heap Exploitation: From Heap Overflow to Arbitrary R/W](https://mrt4ntr4.github.io/Windows-Heap-Exploitation-dadadb/)
* [Windows CVE-2024-21302 Secure Kernel Mode Vulnerability (Qualys)](https://blog.qualys.com/vulnerabilities-threat-research/2024/08/12/understanding-the-new-windows-secure-kernel-mode-elevation-of-privilege-vulnerability-cve-2024-21302)
* [Windows Exploit Development - The Basics (Security Sift)](https://www.securitysift.com/windows-exploit-development-part-1-basics/)
* [Windows Exploit Development - The Basics (Mike Czumak)](https://mikeczumak.com/blog/windows-exploit-development-part-1-basics/)
## Courses
* [Offensive Security: EXP-301 - Windows User Mode Exploit Development (OSED)](https://www.offsec.com/courses/exp-301/)
* [Offensive Security: EXP-401 - Advanced Windows Exploitation (OSEE)](https://www.offsec.com/courses/exp-401/)
* [SANS SEC760: Advanced Exploit Development for Penetration Testers](https://www.sans.org/cyber-security-courses/advanced-exploit-development-penetration-testers)
* [OffensiveCon: Windows Exploit Engineering Foundation (2024)](https://www.offensivecon.org/trainings/2024/windows-exploit-engineering-foundation.html)
* [Udemy: Windows Exploit Development Megaprimer](https://www.udemy.com/course/windows-exploit-development-megaprimer/)
* [Udemy: Exploit Development Tutorial for Hackers and Pentesters](https://www.udemy.com/course/exploit-development-tutorial-for-hackers-and-pentesters/)
* [City College of San Francisco: CNIT 127 - Exploit Development (Free)](https://www.classcentral.com/course/independent-cnit-127-exploit-development-10432)
* [Corelan: Heap Masterclass - BruCON 2024](https://archive.brucon.org/2024/brucon-2024-training/corelan-heap-masterclass/)
* [Applied Technology Academy: OffSec EXP-301 OSED Training](https://appliedtechnologyacademy.com/offsec-training/offsec-exp-301-osed-training/)
* [QA: Offensive Security Windows User Mode Exploit Development](https://www.qa.com/en-us/course-catalogue/products/offsec-exp-301-osed-online-90-days-qaosed90/)
* [Phoenix TS: EXP-301 Windows User Mode Exploit Development](https://phoenixts.com/training-courses/exp-301-windows-user-mode-exploit-development/)
## Labs & Tools
**Debuggers & Analysis Tools:**
* [WinDbg - Windows Debugger (Microsoft)](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/)
* [WinDbg Preview - Modern Windows Debugger with Time Travel Debugging](https://www.microsoft.com/en-us/p/windbg-preview/9pgjgd53tn86)
* [IDA Pro - Interactive Disassembler](https://www.hex-rays.com/products/ida/)
* [Immunity Debugger - Free Windows Debugger](https://www.immunityinc.com/products/debugger/)
* [x64dbg - Open Source x64/x32 Debugger for Windows](https://x64dbg.com/)
* [OllyDbg - 32-bit Assembler Level Debugger](http://www.ollydbg.de/)
* [Ghidra - NSA Reverse Engineering Framework](https://ghidra-sre.org/)
* [Binary Ninja - Reverse Engineering Platform](https://binary.ninja/)
* [Cutter - Free and Open-Source RE Platform powered by rizin](https://cutter.re/)
* [Radare2 - UNIX-like Reverse Engineering Framework](https://rada.re/n/)
**Exploitation Tools & Plugins:**
* [Mona.py - Immunity Debugger Plugin for Exploit Development](https://github.com/corelan/mona)
* [rp++ - Full-CPP ROP Gadget Finder](https://github.com/0vercl0k/rp)
* [Ropper - ROP Gadget Finder and Binary Information Tool](https://github.com/sashs/Ropper)
* [Exploit Pattern Tools - Metasploit Pattern Create/Offset](https://github.com/rapid7/metasploit-framework)
* [pyDbg - Pure Python Debugger](https://github.com/OpenRCE/pydbg)
**Resource Collections:**
* [GitHub: WindowsExploitDev - Windows Exploit Development Tutorial Series](https://github.com/Flerov/WindowsExploitDev)
* [GitHub: WindowsExploitationResources - Curated Resources for Windows Exploitation](https://github.com/FULLSHADE/WindowsExploitationResources)
* [GitHub: WindowsKernelExploitationResources - Kernel & Driver Exploitation](https://github.com/MustafaNafizDurukan/WindowsKernelExploitationResources)
* [GitHub: Awesome-Advanced-Windows-Exploitation-References](https://github.com/yeyintminthuhtut/Awesome-Advanced-Windows-Exploitation-References)
* [GitHub: awesome-windows-kernel-security-development - Kernel Security & Exploitation](https://github.com/ExpLife0011/awesome-windows-kernel-security-development)
* [GitHub: windows-kernel-exploits - Windows Kernel LPE Exploits Collection](https://github.com/SecWiki/windows-kernel-exploits)
* [GitHub: ByteHackr/WindowsExploitation - Curated Windows Exploitation List](https://github.com/ByteHackr/WindowsExploitation)
* [GitHub: gavz/awesome-windows-exploitation - Comprehensive Windows Exploit Resources](https://github.com/gavz/awesome-windows-exploitation)
* [GitHub: FabioBaroni/awesome-exploit-development - Books, Tutorials, Tools](https://github.com/FabioBaroni/awesome-exploit-development)
* [GitHub: Exploit-Development - Learning Resources](https://github.com/wtsxDev/Exploit-Development)
* [GitHub: windows-exploitation - Collection of Resources](https://github.com/sathwikch/windows-exploitation)
**Practice Environments:**
* [Exploit Exercises - Vulnerable Windows Binaries](https://exploit.education/)
* [Metasploitable - Intentionally Vulnerable Windows VMs](https://github.com/rapid7/metasploitable3)
* [FuzzySecurity Tutorials - Heap Overflows For Humans](https://fuzzysecurity.com/tutorials/)
## Blogs & Series
* [CVE-2025-62215: Windows Kernel Race Condition - CISA Warning (2025)](https://gbhackers.com/cisa-warns-of-active-exploitation-of-windows-kernel-0-day/)
* [CVE-2025-24990: Windows Agere Modem Driver Privilege Escalation (2025)](https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html)
* [CVE-2025-59230: Windows RasMan Privilege Escalation (2025)](https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html)
* [CVE-2025-29824: Windows CLFS Driver Zero-Day Exploited (Microsoft April 2025)](https://www.microsoft.com/en-us/security/blog/2025/04/08/exploitation-of-clfs-zero-day-leads-to-ransomware-activity/)
* [CVE-2025-32701: Windows CLFS Zero-Day Privilege Escalation (ZeroPath)](https://zeropath.com/blog/windows-clfs-zero-day-cve-2025-32701)
* [CVE-2025-21293: Active Directory Domain Services Privilege Escalation (Picus Security)](https://www.picussecurity.com/resource/blog/microsoft-active-directory-domain-services-cve-2025-21293-vulnerability-explained)
* [CVE-2025-8069: AWS Client VPN Windows Client Local Privilege Escalation](https://aws.amazon.com/security/security-bulletins/AWS-2025-014/)
* [The September 2025 Security Update Review (Zero Day Initiative)](https://www.zerodayinitiative.com/blog/2025/9/9/the-september-2025-security-update-review)
* [A Step-by-Step Introduction to ROP Gadgets to Bypass DEP (Cyber Geeks)](https://cybergeeks.tech/a-step-by-step-introduction-to-the-use-of-rop-gadgets-to-bypass-dep/)
* [Defeating Windows DEP With A Custom ROP Chain (NCC Group)](https://www.nccgroup.com/research-blog/defeating-windows-dep-with-a-custom-rop-chain/)
* [Bypassing ASLR and DEP using WriteProcessMemory (Ian's Blog)](https://ian.nl/blog/wpm-quotedb)
* [Exploit Development: Rippity ROPpity - Full ASLR and DEP Bypass on Windows 10 x64 (Connor McGarr)](https://connormcgarr.github.io/eko2019-exe/)
* [A Gentle Intro to ROP and Bypassing DEP (cwinfosec)](https://cwinfosec.org/Intro-ROP-DEP-Bypass/)
* [Windows Exploit Development Part I (NutCrackersSecurity)](https://nutcrackerssecurity.github.io/posts/windows-exploit-dev-part-1/)
* [Windows Kernel Exploitation - Debugging Environment and Stack Overflow (Connor McGarr)](https://connormcgarr.github.io/Kernel-Exploitation-1/)
* [Windows Kernel Exploitation (Network Intelligence)](https://www.networkintelligence.ai/blogs/windows-kernel-exploitation/)
* [Exploit Writing Tutorial Part 5: How Debugger Modules & Plugins Speed Up Exploit Development (Corelan)](https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/)
* [ASLR Bypass Lab (MIT CSG)](https://csg.csail.mit.edu/6.S983/labs/aslr/)
* [Reversing and Exploiting with Free Tools: Part 11 (CoreLabs)](https://www.coresecurity.com/core-labs/articles/reversing-and-exploiting-free-tools-part-11)
* [The Maddest Vulnerability of 2024 (DARKNAVY)](https://www.darknavy.org/darknavy_insight/the_maddest_vulnerability_of_2024/)
## Presentations & Conferences
* [Black Hat: Windows Kernel Exploitation Presentations](https://www.blackhat.com/)
* [DEF CON: Windows Security and Exploitation Talks](https://www.defcon.org/)
* [Zero Day Initiative: Windows Vulnerability Research](https://www.zerodayinitiative.com/)
* [OffensiveCon: Windows Exploitation Training](https://www.offensivecon.org/)
* [BruCON: Corelan Heap Masterclass](https://www.brucon.org/)
* [Microsoft Security: Windows Vulnerability Disclosures](https://www.microsoft.com/en-us/security/blog/)
* [CISA: Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
## Videos
* [YouTube: Windows Exploit Development Tutorials](https://www.youtube.com/results?search_query=windows+exploit+development)
* [YouTube: OSED Certification Study Guide](https://www.youtube.com/results?search_query=osed+certification)
* [YouTube: Windows Kernel Exploitation](https://www.youtube.com/results?search_query=windows+kernel+exploitation)
* [YouTube: ROP Chain Windows Exploitation](https://www.youtube.com/results?search_query=rop+chain+windows)
* [YouTube: Windows Heap Exploitation](https://www.youtube.com/results?search_query=windows+heap+exploitation)
## Notes
* **Primary Architectures:** x86 (32-bit), x86-64 (64-bit), ARM64 (Windows on ARM)
* **2025 Actively Exploited Zero-Days:** CVE-2025-62215 (kernel race condition), CVE-2025-24990 (Agere modem driver - affects all Windows versions), CVE-2025-59230 (RasMan), CVE-2025-29824 (CLFS driver), CVE-2025-32701 (CLFS UAF), CVE-2025-21293 (Active Directory)
* **2024 Zero-Days:** CVE-2024-21302 (Secure Kernel Mode), multiple CLFS vulnerabilities, kernel privilege escalation flaws
* **Exploitation Techniques:** Stack overflow, heap overflow, use-after-free, double-free, type confusion, integer overflow, SEH overwrite, ROP chains, ret2libc, heap spray, pool spray, arbitrary read/write primitives
* **Kernel Exploitation:** Token stealing, EPROCESS manipulation, pool overflow, arbitrary kernel write, PTE manipulation, kernel ROP, SMEP/SMAP bypass, arbitrary kernel read for KASLR bypass
* **Exploit Mitigations:** DEP/NX (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), ACG (Arbitrary Code Guard), SEHOP (SEH Overwrite Protection), stack cookies/canaries, SafeSEH, KASLR (Kernel ASLR), SMEP (Supervisor Mode Execution Prevention), SMAP (Supervisor Mode Access Prevention)
* **Mitigation Bypass Techniques:** ROP chains for DEP bypass, information leaks for ASLR bypass, partial overwrite techniques, heap spray to defeat ASLR, VirtualAlloc/VirtualProtect ROP chains, WriteProcessMemory exploitation, return to non-ASLR modules
* **Memory Allocators:** NT Heap (default through Windows 7/8), Segment Heap (Windows 10+ default for modern apps), Low Fragmentation Heap (LFH), Frontend allocators (LFH, Variable Size), Backend allocator
* **Common Bug Classes:** Buffer overflow (stack/heap), use-after-free (UAF), pool corruption, type confusion, integer overflow/underflow, uninitialized memory, race conditions (TOCTOU), arbitrary pointer dereference
* **Stack Exploitation:** Buffer overflow to overwrite return address, SEH overwrite (Structured Exception Handler), stack cookie bypass, frame pointer overwrite, saved instruction pointer corruption
* **Heap Exploitation:** LFH exploitation (deterministic chunk locations), heap overflow, chunk coalescing, freelist manipulation, heap spray, heap feng shui, pool overflow (kernel), lookaside list exploitation
* **SEH Exploitation:** SEH chain overwrite, SafeSEH bypass, SEHOP bypass, pop/pop/ret gadgets, exception handler registration record corruption
* **ROP Techniques:** VirtualAlloc ROP chain (make memory executable), VirtualProtect ROP chain, WriteProcessMemory abuse, return to ZwProtectVirtualMemory, stack pivoting, JOP (jump-oriented programming)
* **Kernel Specific:** Token swapping (PsInitialSystemProcess), EPROCESS credential manipulation, HAL dispatch table overwrite (legacy), HalDispatchTable + 0x4 pointer swap, arbitrary kernel write exploitation, PTE manipulation for arbitrary R/W
* **Information Leaks:** Stack/heap leaks, kernel pool leaks via NtQuerySystemInformation, partial pointer overwrites, timing side-channels, speculative execution vulnerabilities (Spectre variants)
* **Shellcode Development:** x86/x64 assembly, Windows API calls, PEB/TEB walking, null-byte avoidance, alphanumeric shellcode, position-independent code (PIC), egg hunters, staged payloads, reverse shells via Winsock
* **OSED Certification:** Windows User Mode Exploit Development (EXP-301) covers reverse engineering, DEP/ASLR bypass, custom ROP chains, SEH exploitation, egg hunters, format string vulnerabilities, 48-hour hands-on exam
* **OSEE Certification:** Advanced Windows Exploitation (EXP-401) covers kernel debugging, pool exploitation, arbitrary kernel write, KASLR bypass, modern mitigation bypasses, 72-hour hands-on exam
* **Development Tools:** Visual Studio, WinDbg/WinDbg Preview (kernel debugging), IDA Pro/Ghidra (disassembly), x64dbg/Immunity Debugger (usermode debugging), Mona plugin (ROP gadget finding), Process Monitor/Process Explorer
* **WinDbg Extensions:** Mona for WinDbg, !exploit commands, MEX (Microsoft Exchange Server Extension), CMKD (Common Memory and Kernel Debugger), pykd (Python extension)
* **Mona Plugin Features:** Pattern create/offset, ROP gadget finder, SEH chain viewer, module information, bad character detection, compare functionality, exploit suggestion engine
* **Lab Setup:** Windows VMs (Windows 7, 10, 11), Visual Studio for compiling vulnerable apps, WinDbg for debugging, IDA for reverse engineering, disable mitigations for learning (bcdedit commands)
* **Kernel Debugging Setup:** Two-VM setup (debugger + debuggee), configure boot options with bcdedit, network/serial/USB debugging, symbol server configuration (msdl.microsoft.com/download/symbols)
* **CTF & Practice:** Exploit Exercises, VulnHub Windows VMs, Protostar (Windows version), RPISEC MBE, HackTheBox Windows challenges, Pentester Academy labs
* **CISA KEV Catalog:** Multiple Windows kernel vulnerabilities added to Known Exploited Vulnerabilities in 2025, primarily CLFS and RasMan flaws, require immediate patching for federal systems
* **Exploitation Trends 2025:** Shift to kernel exploits as usermode mitigations strengthen, CLFS driver as major attack surface, ransomware leveraging privilege escalation exploits, increased focus on authentication bypass
* **Legal Warning:** Unauthorized exploitation is illegal. All research must be conducted in authorized lab environments, on systems you own, or with explicit permission
* **Responsible Disclosure:** Report to Microsoft Security Response Center (MSRC), coordinate disclosure timelines (typically 90 days with Microsoft), participate in bug bounty programs, never weaponize for malicious use
* **Bug Bounty Programs:** Microsoft Bug Bounty (up to $250K+), ZDI (Pwn2Own competitions), HackerOne programs, rewards for critical vulnerabilities, bonus for exploit chains
* **Best Practices:** Start with basic stack overflows on Windows 7, progress to modern Windows 10/11, understand x86/x64 assembly deeply, practice reversing Microsoft patches, study public CVE exploits, contribute to security community
* **Career Paths:** Exploit developer, vulnerability researcher, red team operator, penetration tester, security engineer, reverse engineer, malware analyst, offensive security specialist
* **Certifications:** OSED (OffSec Exploit Developer), OSEE (OffSec Exploitation Expert), GXPN (GIAC Exploit Researcher), OSCE³ (combines OSED + OSEP + OSWE)
* **Research Institutions:** Microsoft Security Response Center (MSRC), Google Project Zero, Zero Day Initiative (ZDI), CERT/CC, security firms (NCC Group, Rapid7, Qualys)
* **Key Researchers:** Alex Ionescu, Mateusz "j00ru" Jurczyk, Tarjei Mandt, Nikita Tarakanov, Connor McGarr, Corelan Team (Peter Van Eeckhoutte)
* **Future Trends:** Increased CET (Control-flow Enforcement Technology) adoption, hardware-based security (Intel CET, VBS), kernel-mode CFG, memory tagging (ARM MTE), automated exploit generation, ML-based exploit detection
# Android Exploit Development
## Books & Whitepapers
* [Android Hacker's Handbook by Joshua J. Drake, Zach Lanier, Collin Mulliner, Pau Oliva Fora, Stephen A. Ridley, Georg Wicherski](https://www.wiley.com/en-us/Android+Hacker%27s+Handbook-p-9781118608647)
* [Android Security Internals: An In-Depth Guide to Android's Security Architecture by Nikolay Elenkov](https://nostarch.com/androidsecurity)
* [The Mobile Application Hacker's Handbook by Dominic Chell, Tyrone Erasmus, Shaun Colley, Ollie Whitehouse](https://www.wiley.com/en-us/The+Mobile+Application+Hacker%27s+Handbook-p-9781118958506)
* [Android Internals: A Confectioner's Cookbook (Volumes I & II) by Jonathan Levin](http://newosxbook.com/AndroidInternals/)
* [Learning Android Application Penetration Testing by Aditya Gupta](https://www.packtpub.com/product/learning-android-application-penetration-testing/9781785282485)
* [Android Exploitation Handbook (OWASP Research)](https://owasp.org/www-project-mobile-security/)
* [Project Zero: Attacking the Android Kernel](https://googleprojectzero.blogspot.com/search/label/Android)
* [Qualcomm Security Bulletins: Android Kernel & Baseband Vulnerabilities](https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2024-bulletin.html)
* [Android Security: Attacks and Defenses (CRC Press) by Anmol Misra & Abhishek Dubey](https://www.routledge.com/Android-Security-Attacks-and-Defenses/Misra-Dubey/p/book/9781439896464)
* [Fuzzing the Android Kernel (Blackhat 2020 Whitepaper)](https://i.blackhat.com/USA-20/Wednesday/us-20-GonzalezCabrera-Dif-Fuzzing-The-Android-Kernel.pdf)
* [Exploiting Android Kernel Vulnerabilities (Phrack Magazine)](http://phrack.org/issues/68/6.html)
* [Advanced Android Exploitation Techniques (SyScan 2014)](https://www.slideshare.net/i0n1c/syscan-2014-advanced-android-exploitation)
* [Bypassing Android Security Mechanisms (USENIX Security 2023)](https://www.usenix.org/conference/usenixsecurity23/presentation/android)
* [Android Binder Exploitation: Attacking Inter-Process Communication (Google Project Zero)](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html)
* [Exploiting Qualcomm WLAN & GPU Drivers on Android (Tencent Blade Team 2019)](https://blade.tencent.com/en/advisories/qualpwn/)
* [Return to Controlled: Exploit Mitigation Bypasses in Android (NCC Group Research)](https://research.nccgroup.com/2021/03/15/android-kernel-exploit-mitigation-bypasses/)
* [Android Kernel Heap Exploitation (Black Hat Asia 2022)](https://www.blackhat.com/asia-22/briefings/schedule/#android-kernel-heap-exploitation-25994)
* [Exploiting Samsung Trusted Execution Environment (TEE) Vulnerabilities](https://github.com/comaeio/Android_TEE_POC)
* [A Survey on Android Kernel Security (arXiv 2023)](https://arxiv.org/pdf/2301.08281)
* [Android Baseband Exploitation: Hacking Modems for Fun & Profit (OffensiveCon 2023)](https://www.offensivecon.org/trainings/2023/android-baseband-exploitation.html)
## Courses
* [SANS SEC575: Mobile Device Security and Ethical Hacking](https://www.sans.org/cyber-security-courses/mobile-device-security-ethical-hacking/)
* [Pentester Academy: Attacking and Defending Android Applications](https://www.pentesteracademy.com/course?id=2)
* [NowSecure: Mobile App Security Training (Android Focus)](https://www.nowsecure.com/training/)
* [Hacker101: Android Security 101 (Free HackerOne Course)](https://www.hacker101.com/playlists/mobile_hacking)
* [Zero Day Engineering: Advanced Android Exploitation](https://zerodayengineering.com/)
* [Exodus Intelligence: Android Vulnerability Research & Exploitation Training](https://www.exodusintel.com/training/)
* [Azeria Labs: ARM Assembly & Android Reverse Engineering](https://azeria-labs.com/writing-arm-assembly-part-1/)
* [eLearnSecurity Mobile Application Penetration Tester (eMAPT)](https://elearnsecurity.com/product/emapt-certification/)
* [Maddie Stone (Google Project Zero): Android Exploitation Course Materials](https://github.com/maddiestone/ConPresentations)
## Labs & Tools
**GitHub Resource Collections:**
* [GitHub: IamAlch3mist/Awesome-Android-Vulnerability-Research](https://github.com/IamAlch3mist/Awesome-Android-Vulnerability-Research)
* [GitHub: SecWiki/android-kernel-exploits - Android Kernel Exploits Collection](https://github.com/SecWiki/android-kernel-exploits)
* [GitHub: cloudfuzz/android-kernel-exploitation - Android Kernel Exploitation Workshops](https://github.com/cloudfuzz/android-kernel-exploitation)
* [GitHub: Fuzion24/AndroidKernelExploitationPlayground - Kernel Exploitation Guide](https://github.com/Fuzion24/AndroidKernelExploitationPlayground)
**Kernel Exploits:**
* [GitHub: Markakd/bad_io_uring - CVE-2022-20409 Android Kernel Exploit](https://github.com/Markakd/bad_io_uring)
* [GitHub: polygraphene/DirtyPipe-Android - Dirty Pipe Root Exploit for Android](https://github.com/polygraphene/DirtyPipe-Android)
* [GitHub: ozkanbilge/Android-Kernel-Exploits](https://github.com/ozkanbilge/Android-Kernel-Exploits)
**Testing & Analysis Tools:**
* [Android Debug Bridge (ADB) - Official Android Debugging Tool](https://developer.android.com/tools/adb)
* [Frida - Dynamic Instrumentation for Android](https://frida.re/)
* [Ghidra - Android Native Binary & Kernel Analysis](https://ghidra-sre.org/)
* [IDA Pro - ARM/ARM64 Disassembly & Debugging for Android](https://hex-rays.com/ida-pro/)
* [Objection - Runtime Mobile Exploration (Android)](https://github.com/sensepost/objection)
* [MobSF (Mobile Security Framework) - Automated Android Analysis](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
* [Drozer - Android Security Assessment Framework](https://github.com/WithSecureLabs/drozer)
* [APKTool - APK Reverse Engineering & Repackaging](https://apktool.org/)
* [JADX - Dex to Java Decompiler](https://github.com/skylot/jadx)
* [Magisk - Root & Module Framework for Android](https://github.com/topjohnwu/Magisk)
* [Android Studio Emulator - Official Android Testing Environment](https://developer.android.com/studio/run/emulator)
* [Genymotion - Fast Android Emulator for Security Testing](https://www.genymotion.com/)
* [Corellium - Virtual Android Devices for Security Research](https://www.corellium.com/)
* [QEMU ARM - Android Kernel Debugging Environment](https://www.qemu.org/)
* [Android Kernel Debugger (KDB/KGDB) Setup](https://source.android.com/docs/core/tests/debug/kdb)
* [Smali/Baksmali - Dalvik Bytecode Assembler/Disassembler](https://github.com/JesusFreke/smali)
* [r2frida - Radare2 + Frida Integration for Android](https://github.com/nowsecure/r2frida)
* [House - Runtime Mobile Application Analysis Toolkit](https://github.com/nccgroup/house)
* [Androguard - Python Tool for Reverse Engineering Android Applications](https://github.com/androguard/androguard)
* [Android Tamer - Virtual Machine for Android Security Professionals](https://androidtamer.com/)
* [Santoku Linux - Mobile Forensics & Security Testing Distro](https://santoku-linux.com/)
## Blogs & Series
* [CVE-2025-0989: Android Kernel Use-After-Free - Critical Privilege Escalation (2025)](https://source.android.com/docs/security/bulletin/2025-02-01)
* [CVE-2024-43093: Android Framework Privilege Escalation - Actively Exploited (2024)](https://source.android.com/docs/security/bulletin/2024-11-01)
* [CVE-2024-32896: Android Kernel Memory Corruption in Pixel Devices (2024)](https://source.android.com/docs/security/bulletin/pixel/2024-06-01)
* [CVE-2024-29745: Qualcomm GPU Driver Exploit - Remote Code Execution (2024)](https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2024-bulletin.html)
* [Google Project Zero: Android Kernel & Driver Exploitation Research](https://googleprojectzero.blogspot.com/search/label/Android)
* [Maddie Stone (Project Zero): In-the-Wild Android Exploitation](https://twitter.com/maddiestone)
* [Android Security Bulletins (Official Google Source)](https://source.android.com/docs/security/bulletin)
* [Qualcomm Security Bulletins: Snapdragon Vulnerabilities](https://docs.qualcomm.com/product/publicresources/securitybulletin.html)
* [Samsung Mobile Security Blog: Android Kernel & Knox Research](https://security.samsungmobile.com/)
* [CENSUS Labs: Android Exploitation Research](https://census-labs.com/news/)
* [NowSecure Blog: Android Mobile Security Research](https://www.nowsecure.com/blog/)
* [Zimperium Blog: Android Mobile Threat Intelligence](https://www.zimperium.com/blog/category/android/)
* [Tencent Blade Team: Android Kernel & GPU Exploitation](https://blade.tencent.com/en/)
* [Lookout Blog: Android Mobile Threat Research](https://www.lookout.com/threat-intelligence/android)
* [HackerOne Disclosed Android Exploits](https://hackerone.com/hackerone/hacktivity?querystring=android&sort_type=latest_disclosable_activity_at&filter=type%3Aall&page=1)
* [Android Exploits Blog: Reverse Engineering & Exploitation](https://androidexploits.com/)
* [JEB Blog: Android Reverse Engineering & Analysis](https://www.pnfsoftware.com/blog/)
* [Exploiting Android: A Blog Series (Azeria Labs)](https://azeria-labs.com/android/)
* [Pegasus for Android: NSO Group's Android Zero-Day Chain (2021)](https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-ios-exploits/)
* [Dirty Pipe (CVE-2022-0847): Linux/Android Kernel Privilege Escalation](https://dirtypipe.cm4all.com/)
* [Bad Binder: Android In-the-Wild Exploit (Google Project Zero 2019)](https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html)
## Presentations & Conferences
* [Black Hat USA: Android Security & Kernel Exploitation Talks](https://www.blackhat.com/html/archives.html)
* [DEF CON: Mobile Hacking Village - Android Research](https://www.defcon.org/)
* [Pwn2Own: Android Kernel & Browser Exploit Demonstrations](https://www.zerodayinitiative.com/Pwn2Own.html)
* [MOSEC (Mobile Security Conference) - Android Research](https://mosec.org/)
* [OffensiveCon: Android Kernel & Baseband Exploitation](https://www.offensivecon.org/)
* [HITB (Hack in The Box): Android Security Research](https://conference.hitb.org/)
* [SyScan: Android Kernel & Application Exploitation Archive](https://www.syscan.org/)
* [REcon: Reverse Engineering & Android Exploitation](https://recon.cx/)
* [INFILTRATE: Android Offensive Security Conference](https://infiltratecon.com/)
* [Android Security Symposium (Annual Google Event)](https://android-developers.googleblog.com/)
## Videos
* [LiveOverflow: Android Hacking & Reverse Engineering Series](https://www.youtube.com/c/LiveOverflow)
* [NowSecure: Android Application Security Testing Videos](https://www.youtube.com/c/NowSecure)
* [OWASP Mobile Security: Android Exploitation Talks](https://www.youtube.com/c/OWASPGLOBAL)
---
## Notes
1. **Android Kernel Exploitation**
- Based on Linux kernel with Android-specific patches (Binder IPC, ashmem, ion allocator)
- Common targets: Binder driver, GPU drivers (Qualcomm Adreno, ARM Mali), Wi-Fi drivers, USB drivers
- Modern mitigations: SELinux, seccomp-bpf, PAN emulation, CFI, SCS, MTE (Android 11+)
- Exploitation techniques: Heap spray, use-after-free, race conditions, arbitrary read/write primitives
- Tools: QEMU, Android Studio Emulator, Corellium, KGDB/KDB, addr2line, crash utility
2. **Android Framework Exploitation**
- Exploiting System Server, Zygote, ActivityManager, PackageManager
- Intent redirection, permission bypass, sandbox escapes
- Common vectors: exported components, custom URI handlers, WebView vulnerabilities
- 2024 Trend: CVE-2024-43093 actively exploited framework privilege escalation
3. **Binder IPC Exploitation**
- Binder is Android's primary inter-process communication mechanism
- Attack surface: use-after-free in transaction handling, type confusion, race conditions
- Notable exploits: Bad Binder (CVE-2019-2215), Stagefright vulnerabilities
- Exploitation challenges: ASLR, seccomp filtering, SELinux policy enforcement
4. **Qualcomm/MediaTek Driver Exploitation**
- Qualcomm Snapdragon chips dominate Android market (60%+ devices)
- Common targets: Adreno GPU driver, WLAN (Wi-Fi) driver, DSP (audio/camera) firmware
- Notable research: QualpWN (Tencent Blade Team), Achilles (Check Point Research)
- MediaTek vulnerabilities: GPU/display driver bugs, Mali GPU exploits
- 2024 Trend: CVE-2024-29745 Qualcomm GPU RCE
5. **Android Application Exploitation**
- Smali/Dalvik bytecode analysis and patching
- Native library exploitation (JNI vulnerabilities)
- WebView exploits (JavaScript bridge attacks, universal XSS)
- Common vulnerabilities: insecure data storage, weak crypto, exported activities/services, deep link hijacking
- Tools: APKTool, JADX, Frida, Objection, Drozer
6. **Rooting & Persistence**
- Exploiting kernel vulnerabilities for privilege escalation
- Magisk: systemless root framework, hiding root from detection
- SafetyNet/Play Integrity API bypass techniques
- Boot image modification, SELinux policy patching
- Modern challenges: Verified Boot, dm-verity, Android Hardware Attestation
7. **Trusted Execution Environment (TEE) Exploitation**
- Qualcomm QSEE (Secure Execution Environment)
- Samsung Knox & TrustZone
- ARM TrustZone exploitation
- Attack vectors: SMC (Secure Monitor Call) vulnerabilities, TA (Trusted Application) bugs
- Research: Gal Beniamini's Qualcomm TrustZone exploits
8. **Baseband Processor Exploitation**
- Baseband is the modem firmware running on a separate ARM processor
- Qualcomm baseband (Hexagon DSP architecture)
- Attack surface: LTE/5G protocol stack, SMS/MMS handling, VoLTE
- Research: Ralf-Philipp Weinmann's baseband research, Project Zero's Titan M analysis
- Remote exploitation potential (over-the-air attacks)
9. **Android Fuzzing & Vulnerability Discovery**
- Syzkaller for kernel fuzzing (Google's coverage-guided fuzzer)
- libFuzzer for native library fuzzing
- AFL++ for Android native code
- Drozer for Android application fuzzing
- Media codec fuzzing (Stagefright bugs in libstagefright)
10. **Notable Android Exploits & Campaigns**
- **Dirty Pipe (CVE-2022-0847)**: Linux/Android kernel privilege escalation affecting Android 12
- **Bad Binder (CVE-2019-2215)**: In-the-wild Android kernel exploit used by NSO Group
- **Stagefright (CVE-2015-1538)**: Remote code execution via MMS (900M+ devices affected)
- **QualpWN**: Qualcomm WLAN driver vulnerability chain (Tencent 2019)
- **Pegasus for Android**: NSO Group's zero-click exploitation chain
- **CVE-2025-0989 (2025)**: Android kernel use-after-free, critical privilege escalation
- **CVE-2024-43093 (2024)**: Framework privilege escalation, actively exploited in the wild
11. **Android Security Mitigations**
- **SELinux (Enforcing Mode)**: Mandatory Access Control for app sandboxing
- **seccomp-bpf**: System call filtering to reduce kernel attack surface
- **ASLR/PIE**: Address Space Layout Randomization for kernel & userspace
- **CFI (Control Flow Integrity)**: Forward-edge protection in kernel (Android 9+)
- **SCS (Shadow Call Stack)**: Backward-edge protection, return address protection (Android 11+)
- **MTE (Memory Tagging Extension)**: Hardware memory safety on ARMv8.5+ (Android 11+, Pixel 8+)
- **PAN Emulation**: Kernel cannot access userspace memory directly
- **Verified Boot**: Cryptographic boot chain validation
- **Hardware-Backed Keystore**: Secure key storage in TEE/Secure Element
12. **Legal & Ethical Considerations**
- Android security research is legal when conducted on your own devices
- Google Vulnerability Reward Program (VRP) offers bounties up to $1.5M for exploits
- Qualcomm, Samsung, and other vendors have bug bounty programs
- Always obtain proper authorization before testing devices you don't own
- Responsible disclosure through vendor security teams or coordinated disclosure platforms
- Never use exploits for unauthorized access, stalkerware, or malicious purposes
13. **2024-2025 Android Exploitation Trends**
- Increased focus on baseband processor exploitation (5G attack surface)
- MTE bypass research on newer Pixel/Samsung devices
- TEE/TrustZone exploitation for full device compromise
- Qualcomm GPU driver vulnerabilities remain prevalent
- Rise in zero-click exploits targeting media codecs and messaging apps
- Android 14-15 hardening: restricted settings, runtime permissions enhancements
- **CVE-2025-0989** and **CVE-2024-43093**: Actively exploited kernel & framework bugs
- Exploitation difficulty increasing due to CFI, SCS, MTE on flagship devices
- Growing interest in MediaTek chipset vulnerabilities (budget device market)
# iOS Exploit Development
## Books & Whitepapers
* [iOS Hacker's Handbook by Charlie Miller, Dion Blazakis, Dino DaiZovi, Stefan Esser, Vincenzo Iozzo, Ralf-Philipp Weinmann](https://www.wiley.com/en-us/iOS+Hacker%27s+Handbook-p-9781118204122)
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi (Includes iOS)](https://www.wiley.com/en-us/The+Mac+Hacker%27s+Handbook-p-9780470395363)
* [iOS Application Security: The Definitive Guide for Hackers and Developers by David Thiel](https://nostarch.com/iossecurity)
* [macOS and iOS Internals, Volume III: Security & Insecurity by Jonathan Levin](http://newosxbook.com/index.php)
* [\*OS Internals (Volumes I, II, III) by Jonathan Levin - Comprehensive iOS/macOS Internals](http://newosxbook.com/)
* [Attacking iOS Applications: A Brief Introduction (SANS Whitepaper)](https://www.sans.org/reading-room/whitepapers/application/attacking-ios-applications-brief-introduction-35577)
* [iOS Kernel Exploitation - Advances & Techniques (Phrack Magazine)](http://phrack.org/issues/69/6.html)
* [Examining Pointer Authentication on the iPhone XS (Google Project Zero Paper)](https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html)
* [Attacking Objective-C Runtime on iOS (SyScan 2015 Whitepaper)](https://www.slideshare.net/i0n1c/syscan-2015-attacking-objectivec-runtime-on-ios)
* [Exploiting the iOS Kernel (SyScan 2011 - Stefan Esser)](https://census-labs.com/media/ios-kernel-exploitation.pdf)
* [PEGASUS: The iOS 0-Day Exploit Chain (Lookout & Citizen Lab Research)](https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf)
* [Attacking the XNU Kernel in El Capitan (Black Hat 2016 - Liang Chen, Qidan He)](https://www.blackhat.com/docs/us-16/materials/us-16-Chen-Attacking-The-XNU-Kernel-In-El-Capitan.pdf)
* [iOS Kernel Heap Armageddon (SyScan 2012 - Stefan Esser)](https://www.slideshare.net/i0n1c/syscan-singapore-2012-ios-kernel-heap-armageddon)
* [iOS Security Guide (Official Apple Security Documentation)](https://support.apple.com/guide/security/welcome/web)
* [WebKit Exploitation Tutorial (Project Zero Research)](https://googleprojectzero.blogspot.com/2020/01/webkit-exploitation-tutorial.html)
* [A Tale of Two Shellcodes: From iOS 13 to iOS 14 Jailbreak (BlackHat 2021)](https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-A-Tale-Of-Two-Shellcodes-From-IOS-13-To-IOS-14-Jailbreak.pdf)
* [Attacking WebKit & Safari for iOS 15 (RET2 Systems Research)](https://ret2.io/2021/10/06/attacking-webkit/)
* [BlastDoor: Apple's Sandbox for iMessage (Google Project Zero Analysis)](https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html)
## Courses
* [SANS SEC575: Mobile Device Security and Ethical Hacking](https://www.sans.org/cyber-security-courses/mobile-device-security-ethical-hacking/)
* [Pentester Academy: iOS Security & Exploitation](https://www.pentesteracademy.com/course?id=2)
* [Hacker101: iOS Security 101 (Free HackerOne Course)](https://www.hacker101.com/playlists/mobile_hacking)
* [ZeroNights Training: iOS Kernel Exploitation](https://zeronights.ru/)
* [Exodus Intelligence: iOS & Safari Exploitation Training](https://www.exodusintel.com/training/)
* [Signal Labs: iOS Application Security Assessment](https://www.signal-labs.com/)
* [NowSecure: Mobile App Security Training (iOS Focus)](https://www.nowsecure.com/training/)
* [Azeria Labs: iOS Reverse Engineering & Exploitation](https://azeria-labs.com/)
* [Corellium Training: iOS Kernel Debugging and Exploit Development](https://www.corellium.com/)
## Labs & Tools
**GitHub Resource Collections:**
* [GitHub: kai5263499/osx-security-awesome - iOS Security Resources Collection](https://github.com/kai5263499/osx-security-awesome)
* [GitHub: houjingyi233/macOS-iOS-system-security - macOS/iOS System Security Resources](https://github.com/houjingyi233/macOS-iOS-system-security)
**Jailbreak Tools & Exploits:**
* [Checkra1n Jailbreak - Bootrom Exploit (checkm8)](https://checkra.in/)
* [unc0ver Jailbreak - iOS Jailbreak Tool](https://unc0ver.dev/)
* [GitHub: alfiecg24/Vertex - iOS 14/15 Kernel Exploit](https://github.com/alfiecg24/Vertex)
* [GitHub: potmdehex/multicast_bytecopy - iOS 15.0-15.1.1 Kernel r/w Exploit](https://github.com/potmdehex/multicast_bytecopy)
* [GitHub: 0x36/weightBufs - iOS 15 & macOS 12 ANE Kernel Exploit](https://github.com/0x36/weightBufs)
* [GitHub: doadam/ziVA - iOS Kernel Exploit for iOS <= 10.3.1](https://github.com/doadam/ziVA)
* [GitHub: iFenixx/voucher_swap-Exploit-for-iOS-12.1.2](https://github.com/iFenixx/voucher_swap-Exploit-for-iOS-12.1.2)
**Testing & Analysis Tools:**
* [Corellium - Virtual iOS Devices for Security Research](https://www.corellium.com/)
* [Frida - Dynamic Instrumentation Toolkit for iOS](https://frida.re/)
* [Objection - Runtime Mobile Exploration (Built on Frida)](https://github.com/sensepost/objection)
* [Hopper Disassembler - iOS Binary Analysis Tool](https://www.hopperapp.com/)
* [Ghidra - iOS Kernel & Binary Reverse Engineering](https://ghidra-sre.org/)
* [IDA Pro - iOS ARM64/ARM Disassembly & Debugging](https://hex-rays.com/ida-pro/)
* [lldb - iOS Debugger (Apple's Official Debugger)](https://lldb.llvm.org/)
* [ios-kern-utils - iOS Kernel Debugging Utilities](https://github.com/Siguza/ios-kern-utils)
* [iOSSecuritySuite - iOS Security & Jailbreak Detection Library](https://github.com/securing/IOSSecuritySuite)
* [MobSF (Mobile Security Framework) - iOS Static/Dynamic Analysis](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
* [class-dump - Objective-C Class Dumper for iOS](https://github.com/nygard/class-dump)
* [Cycript - Objective-C++ Runtime Manipulation Tool](http://www.cycript.org/)
* [iProxy - USB Tunneling for iOS Debugging](https://github.com/tcurdt/iProxy)
* [iOS Reverse Engineering Toolkit (iRET)](https://github.com/S3Jensen/iRET)
* [XNU Kernel Source Code (Darwin)](https://github.com/apple/darwin-xnu)
* [iOS Kernel Cache Analysis Tools (JTOOL2)](http://www.newosxbook.com/tools/jtool.html)
## Blogs & Series
* [CVE-2025-24085: iOS Use-After-Free in XNU Kernel - Actively Exploited (2025)](https://support.apple.com/en-us/HT214081)
* [CVE-2025-24200: iOS WebKit Code Execution - Zero-Day in Safari (2025)](https://support.apple.com/en-us/HT214082)
* [CVE-2024-44308: iOS Kernel Memory Corruption - Exploit in the Wild (2024)](https://support.apple.com/en-us/HT214037)
* [CVE-2024-44309: iOS Sandbox Escape via AccessibilityD (2024)](https://support.apple.com/en-us/HT214037)
* [Google Project Zero: iOS Exploits & Research](https://googleprojectzero.blogspot.com/search/label/iOS)
* [Pangu Team Blog: iOS Jailbreak Exploits & Techniques](https://pangu.io/)
* [Pwn20wnd Blog: unc0ver Jailbreak Exploitation Details](https://twitter.com/Pwn20wnd)
* [Stefan Esser (i0n1c) Blog: iOS Kernel & Runtime Exploitation](https://www.sektioneins.de/en/blog/)
* [Jonathan Levin's Blog (*OS Internals & Exploitation)](http://newosxbook.com/articles/)
* [Siguza's Blog: iOS Kernel Research & Exploits](https://siguza.github.io/)
* [Brandon Azad (Google Project Zero) - iOS Kernel Exploitation](https://bazad.github.io/papers/)
* [Ian Beer (Google Project Zero) - iOS 0-Day Exploits](https://bugs.chromium.org/p/project-zero/issues/list?q=reporter:ianbeer@google.com)
* [The iPhone Wiki - iOS Jailbreak & Exploit Database](https://www.theiphonewiki.com/)
* [Zimperium Blog: iOS Mobile Threat Research](https://www.zimperium.com/blog/category/ios/)
* [Lookout Blog: iOS Mobile Security Research](https://www.lookout.com/threat-intelligence/ios)
* [Citizen Lab: iOS Targeted Attacks & Pegasus Research](https://citizenlab.ca/tag/ios/)
* [NSO Group Pegasus Exploits: iOS 14 Zero-Click Exploitation (2021)](https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/)
* [Operation Triangulation: iOS 16 Kernel Exploit Chain (Kaspersky 2023)](https://securelist.com/operation-triangulation/109842/)
* [Checkm8 Bootrom Exploit Explained (axi0mX, 2019)](https://twitter.com/axi0mX/status/1177542201670168576)
* [iOS 15 Safari Universal XSS (CVE-2022-22620) - Active Exploitation](https://blog.ret2.io/2022/03/16/cve-2022-22620-webkit-exploit/)
## Presentations & Conferences
* [Black Hat USA: iOS Security & Exploitation Talks](https://www.blackhat.com/html/archives.html)
* [DEF CON: iOS Hacking Village & Presentations](https://www.defcon.org/)
* [Pwn2Own: iOS Safari & Kernel Exploit Demonstrations](https://www.zerodayinitiative.com/Pwn2Own.html)
* [MOSEC (Mobile Security Conference) - iOS Research](https://mosec.org/)
* [INFILTRATE: iOS Offensive Security Conference](https://infiltratecon.com/)
* [POC (Power of Community) - iOS Kernel Exploitation](https://powerofcommunity.net/)
* [OffensiveCon: iOS Exploitation Workshops](https://www.offensivecon.org/)
* [SyScan: iOS Security & Exploitation Archive](https://www.syscan.org/)
* [HITB (Hack in The Box): iOS Security Research](https://conference.hitb.org/)
* [Jailbreak Security Summit (JSS): Annual iOS Jailbreak Conference](https://twitter.com/JSSConference)
## Videos
* [LiveOverflow: iOS Jailbreak & Exploitation Series](https://www.youtube.com/c/LiveOverflow)
* [Billy Ellis: iOS Security & Reverse Engineering Videos](https://www.youtube.com/c/BillyEllis)
* [NowSecure: iOS Application Security Testing Videos](https://www.youtube.com/c/NowSecure)
---
## Notes
1. **iOS Kernel (XNU) Exploitation**
- XNU is a hybrid kernel (Mach microkernel + BSD components)
- Common targets: IOKit drivers, network stack, file systems
- Modern mitigations: KASLR, kernel PAC (KPAC), zone_require, PPL
- Exploitation techniques: Heap feng shui, OOL (out-of-line) ports, memory corruption
- Tools: lldb with KDK (Kernel Debug Kit), IDA Pro, Ghidra, jtool2
2. **WebKit & Safari Exploitation**
- JavaScriptCore (JSC) engine vulnerabilities
- Type confusion, use-after-free in JIT compiler
- Sandbox escape from WebContent process
- Common attack vectors: Pwn2Own exploits, in-the-wild zero-days
- 2025 Trend: CVE-2025-24200 actively exploited zero-day in Safari
3. **iOS Sandbox Escapes**
- App Sandbox, WebContent Sandbox, BlastDoor (iMessage sandbox)
- Common escape vectors: XPC service vulnerabilities, file access bugs, IOKit drivers
- Notable: CVE-2024-44309 (AccessibilityD sandbox escape)
- Tools: Frida, Objection, SBTool for sandbox analysis
4. **Jailbreak Development**
- Untethered vs. semi-tethered vs. tethered jailbreaks
- Bootrom exploits: checkm8 (unfixable hardware vulnerability in A5-A11 chips)
- Kernel exploits: unc0ver, Taurine, Chimera jailbreaks
- PAC bypass techniques for A12+ devices
- Persistence mechanisms and kernel patch protection bypasses
5. **iOS Application Exploitation**
- Objective-C/Swift runtime manipulation
- Method swizzling, class injection
- Binary patching and code signing bypasses
- IPA file analysis and repackaging
- Common vulnerabilities: insecure data storage, weak crypto, URL scheme hijacking
6. **Pointer Authentication Codes (PAC)**
- Hardware-based code integrity on A12+ chips
- PACIBSP, PACIA instructions for forward/backward-edge CFI
- PAC bypass research: JOP (Jump-Oriented Programming), gadget signing
- 2023-2025: Advanced PAC bypass techniques in Pegasus and Operation Triangulation
7. **iOS Fuzzing & Vulnerability Discovery**
- AFL, LibFuzzer for iOS userland fuzzing
- WebKit fuzzing: Domato, Fuzzilli, JSFuzzer
- IOKit driver fuzzing with Corellium virtual devices
- iMessage/SMS fuzzing (post-BlastDoor hardening)
8. **Notable iOS Exploits & Campaigns**
- **Pegasus (NSO Group)**: Zero-click iMessage exploits, kernel exploits
- **Operation Triangulation (2023)**: iOS 16 exploit chain via iMessage
- **Checkm8 (2019)**: Unfixable bootrom exploit for A5-A11 devices
- **FORCEDENTRY (2021)**: Zero-click iOS 14 exploit using PDF/GIF rendering
- **CVE-2025-24085 (2025)**: XNU kernel use-after-free, actively exploited in the wild
9. **iOS Security Mitigations**
- **PAC (Pointer Authentication)**: A12+ chips, cryptographic pointer signing
- **PPL (Page Protection Layer)**: Hypervisor-enforced memory protection for kernel data
- **BlastDoor**: Sandbox for parsing untrusted iMessage content (iOS 14+)
- **Secure Enclave**: Hardware-isolated processor for cryptographic operations
- **KASLR**: Kernel Address Space Layout Randomization
- **zone_require**: Kernel heap zone isolation
- **Memory Tagging (MTE)**: Future A-series chips (2025+)
10. **iOS Reverse Engineering**
- Tools: Hopper, IDA Pro, Ghidra, class-dump, Cycript
- Dynamic analysis: Frida, lldb, Objection
- Kernel cache analysis: jtool2, img4tool, Luca Todesco's tools
- Decrypting App Store binaries: Clutch, frida-ios-dump, bfdecrypt
- File system access: SSH over USB (usbmuxd), AFC (Apple File Conduit)
11. **Legal & Ethical Considerations**
- iOS jailbreaking is legal under DMCA exemptions (US)
- Exploit development for research/defensive purposes is legitimate
- Selling iOS exploits to government contractors (e.g., NSO Group, Zerodium) raises ethical concerns
- Always obtain proper authorization before testing iOS devices you don't own
- Bug bounty: Apple Security Bounty offers up to $2 million for critical iOS exploits
12. **2024-2025 iOS Exploitation Trends**
- Increased focus on zero-click exploits (iMessage, FaceTime, SMS)
- Advanced PAC bypass techniques for A14-A17 chips
- Post-BlastDoor iMessage exploitation research
- iOS 17-18 kernel hardening and PPL improvements
- Rise in targeted attacks against high-profile iOS users (journalists, activists, politicians)
- Growing researcher interest in Secure Enclave and SEP firmware exploitation
- **CVE-2025-24085** and **CVE-2025-24200**: Actively exploited zero-days in iOS 18.3.1 and earlier
# Browser Exploitation
## Books & Whitepapers
* [A Methodical Approach to Browser Exploitation (RET2 Systems Pwn2Own 2018)](https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/)
* [Gray Hat Hacking: The Ethical Hacker's Handbook - Browser Exploitation Framework (BeEF)](https://cdn.ttgtmedia.com/rms/pdf/bookshelf_gray_hat_hacking_excerpt.pdf)
* [Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities (Georgia Tech Pwn2Own 2020)](https://github.com/sslab-gatech/pwn2own2020)
* [WebAssembly and Security: A Review (arXiv 2024)](https://arxiv.org/html/2407.12297v1)
* [Everything Old is New Again: Binary Security of WebAssembly (USENIX Security 2020 PDF)](https://www.usenix.org/system/files/sec20-lehmann.pdf)
* [Discovering Vulnerabilities in WebAssembly with Code Property Graphs (INESC-ID PDF)](https://syssec.dpss.inesc-id.pt/projects/tr-wasmati.pdf)
* [NOJITSU: Locking Down JavaScript Engines (NDSS 2020 PDF)](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24262.pdf)
* [Attacking JS Engines: Fundamentals for Understanding Memory Corruption Crashes (SideChannel Blog)](https://www.sidechannel.blog/en/attacking-js-engines/)
* [A Study on Malicious Browser Extensions in 2025 (arXiv)](https://arxiv.org/html/2503.04292v2)
* [Zero-Day Vulnerabilities in the Browser: A Growing Crisis (Seraphic Security)](https://seraphicsecurity.com/resources/blog/zero-day-vulnerabilities-in-the-browser-a-growing-crisis/)
* [0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices](https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html)
* [The Browser Security Crisis of 2025: Why Chrome, Safari, and Traditional Browsers Are Failing (Kahana)](https://kahana.co/blog/browser-security-crisis-2025-chrome-safari-oasis-comparison)
* [Memory Corruption in WebAssembly: Native Exploits Inside Your Browser (InstaTunnel)](https://instatunnel.my/blog/memory-corruption-in-webassembly-native-exploits-in-your-browser)
* [The Dark Side of WebAssembly (Virus Bulletin 2018)](https://www.virusbulletin.com/virusbulletin/2018/10/dark-side-webassembly)
* [WebAssembly for Browser-Based RCE Attacks (Medium)](https://medium.com/@RocketMeUpCybersecurity/webassembly-for-browser-based-rce-remote-code-execution-attacks-8c5e84b4f7d0)
* [WebAssembly: How Cybercriminals Exploit WASM Security Vulnerabilities (GeoEdge)](https://www.geoedge.com/webassembly-a-new-attack-uncovered/)
* [JavaScript Engines Explained—Comparing V8, SpiderMonkey, JavaScriptCore (Frontend Dogma 2025)](https://frontenddogma.com/posts/2025/javascript-engines-explained/)
* [Web Browser Best Practices For Security and Privacy in 2024 (PacketLabs)](https://www.packetlabs.net/posts/web-browser-best-practices-for-security-and-privacy-in-2024)
## Courses
* [RET2 Systems: Browser Exploitation Training (Self-Paced Online)](https://browser.training.ret2.systems/welcome)
* [RET2 Systems: Advanced Browser Exploitation (5-Day Course)](https://ret2.io/trainings)
* [Exodus Intelligence: Advanced Browser Exploitation (4-Day Course)](https://exodusintel.com/training.html)
* [OffensiveCon: Browser Exploitation Training](https://www.offensivecon.org/trainings/2019/browser-exploitation.html)
* [OffensiveCon: Web Browser Exploitation by Samuel Gross](https://www.offensivecon.org/trainings/2018/web-browser-exploitation-samuel-gross.html)
* [Ringzer0: Advanced Browser Exploitation](https://ringzer0.training/advanced-browser-exploitation/)
* [Ringzer0: Practical Web Browser Fuzzing (Archive)](https://archive.ringzer0.training/archive/2023-august/trainings/browser-fuzzing.html)
* [OffensiveCon: Practical Browser Fuzzing (2023)](https://www.offensivecon.org/trainings/2023/practical-browser-fuzzing.html)
* [OffensiveCon: Practical Web Browser Fuzzing (2025)](https://www.offensivecon.org/trainings/2025/practical-web-browser-fuzzing.html)
* [Recon Training: Practical Browser Fuzzing by Patrick Ventuzelo](https://recon.cx/2023/trainingPracticalBrowserFuzzing.html)
* [DUASYNT: Exploitation and Reverse Engineering Trainings](https://duasynt.com/trainings)
* [PSEC: Advanced Software Exploitation Course](https://www.psec-courses.com/courses/advanced-software-exploitation)
## Labs & Tools
**Browser Exploitation Frameworks & Resource Collections:**
* [GitHub: m1ghtym0/browser-pwn - Updated Collection of Browser Exploitation Resources](https://github.com/m1ghtym0/browser-pwn)
* [GitHub: Escapingbug/awesome-browser-exploit - Browser Exploitation Tutorials](https://github.com/Escapingbug/awesome-browser-exploit)
* [GitHub: gmh5225/awesome-Browser-Security-Research - Browser Security Research](https://github.com/gmh5225/awesome-Browser-Security-Research)
* [GitHub: security-prince/Browser-Security-Research - Comprehensive Browser Security](https://github.com/security-prince/Browser-Security-Research)
* [GitHub: qazbnm456/awesome-web-security - Web Security Materials](https://github.com/qazbnm456/awesome-web-security)
* [BeEF (Browser Exploitation Framework) Project](https://beefproject.com/)
* [GitHub: Awesome-Browser-Fuzzing - Curated List of Browser Fuzzing Resources](https://github.com/Microsvuln/Awesome-Browser-Fuzzing)
**Fuzzing Tools:**
* [AFL (American Fuzzy Lop) - Security-Oriented Fuzzer](https://github.com/google/AFL)
* [AFL++ - Advanced Fork of AFL](https://github.com/AFLplusplus/AFLplusplus)
* [Google Domato - DOM Fuzzer](https://github.com/googleprojectzero/domato)
* [Fuzzilli - JavaScript Engine Fuzzer Targeting JIT Bugs](https://github.com/googleprojectzero/fuzzilli)
* [Honggfuzz - Security-Oriented Fuzzer](https://github.com/google/honggfuzz)
* [Dharma - Context-Free Grammar Fuzzer](https://github.com/MozillaSecurity/dharma)
* [Mozilla Grizzly - Browser Fuzzing Framework](https://github.com/MozillaSecurity/grizzly)
* [Mozilla Domino - DOM Fuzzing Tool](https://github.com/MozillaSecurity/domino)
* [GitHub: BFuzz - Fuzzing Browsers](https://github.com/RootUp/BFuzz)
**Debugging & Analysis Tools:**
* [Google Chrome DevTools](https://developer.chrome.com/docs/devtools/)
* [Firefox Developer Tools](https://firefox-source-docs.mozilla.org/devtools-user/)
* [rr - Record and Replay Framework for Debugging](https://rr-project.org/)
* [WinDbg - Windows Debugger](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/)
* [GDB - GNU Debugger](https://www.gnu.org/software/gdb/)
* [Lighthouse - Chrome Extension Security Analyzer](https://github.com/GoogleChrome/lighthouse)
**Research & PoC Repositories:**
* [GitHub: sslab-gatech/pwn2own2020 - Safari Kernel Exploit Chain](https://github.com/sslab-gatech/pwn2own2020)
* [Diary of a Reverse-Engineer - Exploitation Resources](https://doar-e.github.io/category/exploitation.html)
## Blogs & Series
* [CVE-2025-6554: Chrome V8 Zero-Day Actively Exploited (July 2025)](https://www.helpnetsecurity.com/2025/07/01/google-patches-actively-exploited-chrome-cve-2025-6554/)
* [CVE-2025-5419: Google Chrome Zero-Day Vulnerability (SOC Prime)](https://socprime.com/blog/cve-2025-5419-zero-day-vulnerability/)
* [CVE-2025-13223: Google Patches Yet Another Exploited Chrome Zero-Day (November 2025)](https://www.helpnetsecurity.com/2025/11/18/chrome-cve-2025-13223-exploited/)
* [CVE-2025-2783: Chrome Mojo Sandbox Bypass (Fidelis Security March 2025)](https://fidelissecurity.com/vulnerabilities/cve-2025-2783/)
* [CVE-2025-2857: Firefox IPC Sandbox Escape (March 2025)](https://fieldeffect.com/blog/critical-flaws-firefox-chrome-patched)
* [CVE-2025-4609: Chromium ipcz Sandbox Escape ($250,000 Bug Bounty - August 2025)](https://www.ox.security/blog/the-aftermath-of-cve-2025-4609-critical-sandbox-escape-leaves-1-5m-developers-vulnerable/)
* [Fooling the Sandbox: A Chrome-atic Escape (STAR Labs 2025)](https://starlabs.sg/blog/2025/07-fooling-the-sandbox-a-chrome-atic-escape/)
* [My Take on Chrome Sandbox Escape Exploit Chain (Medium)](https://medium.com/swlh/my-take-on-chrome-sandbox-escape-exploit-chain-dbf5a616eec5)
* [Escaping the Sandbox: A Bug That Speaks for Itself (Microsoft Edge VR)](https://microsoftedge.github.io/edgevr/posts/Escaping-the-sandbox-A-bug-that-speaks-for-itself/)
* [Chrome Sandbox Escape Earns Researcher $250,000 (SecurityWeek)](https://www.securityweek.com/chrome-sandbox-escape-earns-researcher-250000/)
* [Google Chrome Browser Patches 7th Zero-Day Vulnerability of 2024 (Intego)](https://www.intego.com/mac-security-blog/google-chrome-browser-patches-7th-zero-day-vulnerability-of-2024/)
* [Google Chrome Browser Patches 8th Zero-Day of 2024, 4th in May (Intego)](https://www.intego.com/mac-security-blog/google-chrome-browser-patches-8th-zero-day-of-2024-4th-in-may/)
* [Google Fixes Chrome Zero-Days Exploited at Pwn2Own 2024 (BleepingComputer)](https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-days-exploited-at-pwn2own-2024/)
* [Chrome Zero-Day: Why Browser Security Is No Longer Optional (Menlo Security)](https://www.menlosecurity.com/blog/chrome-zero-day-why-browser-security-is-no-longer-optional)
* [Actively Exploited Chromium Zero-Day Affects Chrome, Edge, and Opera (Mondoo)](https://mondoo.com/blog/actively-exploited-chromium-zero-day-cve-2025-6554-affects-chrome-and-edge)
* [Firefox Zero-Day Under Attack: Update Your Browser Immediately (The Hacker News October 2024)](https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html)
* [8 Chrome Vulnerabilities that Caused Risk in 2024 (TrueFort)](https://truefort.com/8-dangerous-chrome-vulnerabilities/)
* [Critical Blink Vulnerability Lets Attackers Crash Chromium-Based Browsers (CyberPress)](https://cyberpress.org/critical-blink-vulnerability/)
* [Google and Mozilla Patch Browser Zero-Day Vulnerabilities (FieldEffect)](https://fieldeffect.com/blog/google-mozilla-patch-browser-zero-days)
* [My First Take on Real World Vulnerability Research (wwkenwong Fuzzing Series)](https://wwkenwong.github.io/fuzzing/2021/02/14/fuzzing-1.html)
* [Fuzzing Webkit (inputzero.io)](https://www.inputzero.io/2019/02/fuzzing-webkit.html)
* [Firefox Fuzzing Documentation](https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html)
## Presentations & Conferences
* [Pwn2Own Annual Competition - Browser Exploitation Showcase](https://www.zerodayinitiative.com/Pwn2Own.html)
* [Black Hat USA: Browser Security Presentations (Annual)](https://www.blackhat.com/)
* [DEF CON: Browser Exploitation Talks (Annual)](https://www.defcon.org/)
* [USENIX Security: WebAssembly and JavaScript Engine Security](https://www.usenix.org/conference/usenixsecurity)
* [OffensiveCon: Browser Exploitation Training Track](https://www.offensivecon.org/)
* [RET2 Systems Blog: Pwn2Own Write-ups](https://blog.ret2.io/)
* [Google Project Zero: Browser Security Research](https://googleprojectzero.blogspot.com/)
* [All Major Browsers Fall During Day 2 of Pwn2Own Hacking Contest (KnowBe4)](https://blog.knowbe4.com/bid/379843/All-major-browsers-fall-during-day-2-of-Pwn2Own-hacking-contest)
* [Pwn2Own 2018: Focus Changes To Kernel Exploits As Browsers Get Harder To Hack (Tom's Hardware)](https://www.tomshardware.com/news/pwn2own-2018-kernel-exploits-focus,36679.html)
* [Pwn2Own Researchers Exploit Mozilla Firefox, Microsoft Edge and Tesla (eWeek)](https://www.eweek.com/security/pwn2own-researchers-exploit-mozilla-firefox-microsoft-edge-and-tesla/)
## Videos
* [YouTube: Browser Exploitation Tutorials](https://www.youtube.com/results?search_query=browser+exploitation+tutorial)
* [YouTube: JavaScript Engine Exploitation](https://www.youtube.com/results?search_query=javascript+engine+exploitation)
* [YouTube: WebAssembly Security and Exploitation](https://www.youtube.com/results?search_query=webassembly+exploitation)
* [YouTube: Chrome V8 Exploitation Techniques](https://www.youtube.com/results?search_query=chrome+v8+exploitation)
* [YouTube: Browser Fuzzing Techniques](https://www.youtube.com/results?search_query=browser+fuzzing)
## Notes
* **Major Browsers:** Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, Opera, Brave (most based on Chromium)
* **JavaScript Engines:** V8 (Chrome/Edge/Node.js), SpiderMonkey (Firefox), JavaScriptCore/Nitro (Safari), Chakra (legacy Edge)
* **2025 Critical Zero-Days:** CVE-2025-6554 (Chrome V8 type confusion), CVE-2025-5419 (V8 out-of-bounds), CVE-2025-13223 (Chrome), CVE-2025-2783 (Mojo IPC sandbox escape), CVE-2025-2857 (Firefox IPC), CVE-2025-4609 (Chromium ipcz - $250K bounty)
* **2024 Statistics:** 75 zero-day vulnerabilities exploited in wild (50% increase from 2023), Chrome had majority of attacks, 8+ Chrome zero-days in 2024, Firefox had 5 out of 6 highest vulnerability scores
* **Exploitation Techniques:** Memory corruption (use-after-free, buffer overflow, type confusion), JIT spray, heap feng shui, ROP chains, sandbox escape, IPC exploitation, Mojo IPC bugs, speculative execution attacks
* **Attack Vectors:** Malicious websites, drive-by downloads, watering hole attacks, browser extensions, WebAssembly exploitation, DOM manipulation, JavaScript engine bugs, renderer process compromise
* **Sandbox Escape:** CVE-2025-2783 (Mojo IPC OOB read/write + UAF), CVE-2025-4609 earned $250K (largest single bounty for partial exploit), multi-stage chains combining renderer exploit + sandbox escape + privilege escalation
* **Common Bug Classes:** Use-after-free (UAF), type confusion, out-of-bounds read/write, integer overflow, race conditions, uninitialized memory, logic bugs in IPC
* **WebAssembly Risks:** Memory corruption from C/C++ code ported to WASM, obfuscation for detection evasion, control flow hijacking, JIT compilation vulnerabilities, lack of native security mitigations (DEP/ASLR), RCE through V8 engine exploits
* **Fuzzing Approaches:** Coverage-guided (AFL/AFL++), grammar-based (Domato, Dharma), mutation-based, JIT-targeted (Fuzzilli), in-process fuzzing, DOM fuzzing (Grizzly, Domino)
* **Pwn2Own Rewards:** 2022 awarded $1.155M for 25 unique zero-days, single-day record of $800K, sandbox escapes earn premium payouts, full chain exploits (RCE + sandbox escape + privilege escalation) worth $250K+
* **Browser Security Features:** Sandboxing (site isolation, process isolation), ASLR, DEP/NX, CFI (Control Flow Integrity), stack canaries, heap hardening, JIT hardening, Mojo IPC validation, seccomp filters
* **Chrome Security:** Site Isolation (separate processes per origin), V8 pointer compression, CFI, MiraclePtr, PartitionAlloc hardening, renderer sandboxing via Mojo IPC
* **Firefox Security:** Fission (site isolation), IonMonkey JIT hardening, process sandboxing, RLBox WASM sandboxing, content process restrictions
* **Safari Security:** Intelligent Tracking Prevention (ITP), WebKit sandboxing, process isolation, JIT restrictions on iOS, Lockdown Mode (iOS 16+)
* **Detection Challenges:** Zero-day exploits before patches available, obfuscated JavaScript/WASM, fileless attacks, in-memory exploitation, sandbox escape chains bypass traditional defenses
* **Defense Measures:** Keep browsers updated (patch zero-days quickly), disable JavaScript for untrusted sites, use browser isolation technologies, enable Enhanced Safe Browsing (Chrome), deploy EDR/XDR solutions, restrict browser extensions
* **Research Tools Prerequisites:** Familiarity with C++ and JavaScript, AMD64 assembly knowledge, understanding of memory corruption, exploitation mitigations (ASLR, DEP, CFI), Linux/Windows debugging experience
* **Lab Setup:** Isolated VM environment, debuggers (GDB, WinDbg, rr), fuzzing infrastructure (AFL++, libFuzzer), browser builds with debug symbols, snapshot/restore capabilities
* **Vulnerability Research:** Patch diffing, binary analysis, fuzzing (DOM, JS engines, WebAssembly), manual code review, regression testing, exploit PoC development
* **Legal Warning:** Unauthorized exploitation of browser vulnerabilities is illegal. All research must follow responsible disclosure policies and be conducted in authorized lab environments
* **Responsible Disclosure:** Report to browser vendors (Chrome VRP, Mozilla Bug Bounty, Apple Security Bounty), coordinate disclosure timelines (typically 90 days), never deploy exploits against unauthorized targets
* **Bug Bounty Programs:** Chrome Vulnerability Reward Program (up to $250K+), Mozilla Bug Bounty, Apple Security Bounty, Microsoft Edge Bug Bounty, Pwn2Own competitions
* **Research Institutions:** Google Project Zero, Microsoft Security Response Center (MSRC), Mozilla Security, RET2 Systems, Exodus Intelligence, STAR Labs, Georgia Tech SSLab
* **Key Researchers:** Ivan Fratric (Google Project Zero), Samuel Groß (V8 Security), Exodus Intelligence Team, RET2 Systems Team, Pwn2Own contestants
* **Future Trends:** Increased adoption of memory-safe languages (Rust), enhanced sandboxing (site isolation improvements), AI-powered vulnerability discovery, quantum-resistant crypto in browsers, Zero Trust browser architectures
* **Best Practices:** Multi-layered defense (network isolation + browser hardening + EDR), principle of least privilege, disable unnecessary features, use dedicated browsers for sensitive tasks, implement browser isolation for enterprise
# Hypervisor Exploitation
## Books & Whitepapers
* [Breaking Turtles All the Way Down: An Exploitation Chain to Break out of VMware ESXi (USENIX WOOT 2019 PDF)](https://www.usenix.org/system/files/woot19-paper_zhao.pdf)
* [Exploit Two Xen Hypervisor Vulnerabilities (Black Hat USA 2016 PDF)](https://blackhat.com/docs/us-16/materials/us-16-Luan-Ouroboros-Tearing-Xen-Hypervisor-With-The-Snake-wp.pdf)
* [Determining Forensic Data Requirements for Detecting Hypervisor Attacks (NIST PDF)](https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=927335)
* [Characterizing Hypervisor Vulnerabilities in Cloud Computing Servers (ResearchGate)](https://www.researchgate.net/publication/262273414_Characterizing_hypervisor_vulnerabilities_in_cloud_computing_servers)
* [Hypervisor and Their Vulnerabilities (Medium)](https://medium.com/@mutukusamuel99/hypervisor-and-their-vulnerabilities-f8627cb67c75)
* [Hypervisor Vulnerabilities and Some Defense Mechanisms (IJITEE PDF)](https://www.ijitee.org/wp-content/uploads/papers/v10i2/B82621210220.pdf)
* [A Survey of Fuzzing Open-Source Operating Systems (arXiv 2025)](https://arxiv.org/html/2502.13163v1)
* [Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991](https://qriousec.github.io/post/vbox-pwn2own-2023/)
* [From Binary Patch to Proof-of-concept: VMware ESXi vmxnet3 Case Study](https://zerodayengineering.com/research/vmware-esxi-vmxnet3-from-patch-to-poc.html)
* [Fire Ant: Hypervisor-Level Espionage Targeting VMware ESXi & vCenter (Sygnia)](https://www.sygnia.co/blog/fire-ant-a-deep-dive-into-hypervisor-level-espionage/)
* [Complete List of Hypervisor Vulnerabilities (HiTech Nectar)](https://hitechnectar.com/blogs/hypervisor-vulnerabilities/)
* [Securing Virtualized Environments - Hypervisor Security Best Practices](https://cybersecuritynews.com/hypervisor-security/)
* [Virtual Machine Escape - Wikipedia](https://en.wikipedia.org/wiki/Virtual_machine_escape)
* [What Is A Virtual Machine Escape? (Twingate)](https://www.twingate.com/blog/glossary/virtual%20machine%20escape)
* [Understanding VM Escape: Risks and Precautions (Spyboy Blog 2024)](https://spyboy.blog/2024/09/17/understanding-vm-escape-risks-and-precautions/)
* [Understanding VM Escape: A Threat to Virtualized Environments (Blue Goat Cyber)](https://bluegoatcyber.com/blog/understanding-vm-escape-a-threat-to-virtualized-environments/)
* [VMScape: Virtualized Speculation Attacks Against TEEs (ACM CCS 2024)](https://dl.acm.org/doi/10.1145/3576915.3623114)
* [VMScape Spectre BTI Attack Breaks VM Isolation on AMD and Intel CPUs (CSO Online)](https://www.csoonline.com/article/4056546/vmscape-spectre-bti-attack-breaks-vm-isolation-on-amd-and-intel-cpus.html)
* [Virtualization Under Siege: VMware's Hypervisor Security Nightmare (CyberSRC March 2025)](https://cybersrcc.com/2025/03/11/virtualization-under-siege-a-deep-dive-into-vmwares-hypervisor-security-nightmare/)
* [Breaking the Virtual Barrier: From Web-Shell to Ransomware (Sygnia)](https://www.sygnia.co/threat-reports-and-advisories/breaking-the-virtual-barrier-web-shell-to-ransomware/)
* [Forensic Analysis Helps Close Gaps in Hypervisor Vulnerabilities (TheServerSide)](https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Forensic-analysis-helps-close-gaps-in-hypervisor-vulnerabilities)
## Courses
* [Zero Day Engineering: Advanced Hypervisor Exploit Development (4-Day Bootcamp)](https://zerodayengineering.com/training/advanced-hypervisor-exploitation.html)
* [Zero Day Engineering: Hypervisor Vulnerability Research](https://zerodayengineering.com/training/hypervisor-vulnerability-research.html)
* [Signal Labs: Hypervisor Internals 1](https://signal-labs.com/trainings/hypervisor-internals-1/)
* [OffensiveCon: Hypervisor Development for Security Analysis](https://www.offensivecon.org/trainings/2022/hypervisor-development-for-security-analysis.html)
* [Recon Training: Hypervisor Development for Security Analysis by Satoshi Tanda](https://recon.cx/2022/traininghypervisordevelopment.html)
* [SANS SEC760: Advanced Exploit Development for Penetration Testers](https://www.sans.org/cyber-security-courses/advanced-exploit-development-penetration-testers)
* [Winsider Seminars: Hyper-V and Advanced Exploitation Techniques](https://windows-internals.com/pages/training-services/)
* [Class Central: 90+ Hyper-V Online Courses for 2025](https://www.classcentral.com/subject/hyper-v)
## Labs & Tools
**Hypervisor Development Frameworks:**
* [GitHub: SimpleVisor - Simple Intel VT-x Hypervisor by Alex Ionescu](https://github.com/ionescu007/SimpleVisor)
* [GitHub: hvpp - Lightweight Intel x64/VT-x Hypervisor in C++](https://github.com/wbenny/hvpp)
* [GitHub: Hypervisor-From-Scratch - Tutorial Series with Source Code](https://github.com/SinaKarvandi/Hypervisor-From-Scratch/)
* [GitHub: HyperDbg Debugger - Hypervisor-Based Debugger](https://github.com/HyperDbg/HyperDbg)
**Exploitation & Vulnerability Research:**
* [GitHub: Wenzel/awesome-virtualization - Comprehensive Virtualization Resources](https://github.com/Wenzel/awesome-virtualization)
* [GitHub: WinMin/awesome-vm-exploit - VM & QEMU Escape Exploits](https://github.com/WinMin/awesome-vm-exploit)
* [GitHub: xairy/vmware-exploitation - VMware Escape Exploits Collection](https://github.com/xairy/vmware-exploitation)
* [GitHub: shogunlab/awesome-hyper-v-exploitation - Hyper-V Fuzzing & Exploitation](https://github.com/shogunlab/awesome-hyper-v-exploitation)
* [GitHub: husseinmuhaisen/Hypervisor - Comprehensive Hypervisor Resources](https://github.com/husseinmuhaisen/Hypervisor)
* [GitHub: IACapstone - Hypervisor Security Assessment](https://github.com/jhembree/IACapstone)
* [Metasploit VASTO Module - Virtualization Assessment Toolkit](https://www.metasploit.com/)
**Fuzzing Tools:**
* [Red Hat Morphuzz - Hypervisor Fuzzer for QEMU](https://research.redhat.com/blog/article/applying-lessons-from-our-upstream-hypervisor-fuzzer-to-improve-kernel-fuzzing/)
* [AFL++ - Advanced Fuzzing Framework](https://github.com/AFLplusplus/AFLplusplus)
* [libFuzzer - LLVM Coverage-Guided Fuzzer](https://llvm.org/docs/LibFuzzer.html)
* [ClusterFuzz - Google's Fuzzing Infrastructure](https://google.github.io/clusterfuzz/setting-up-fuzzing/libfuzzer-and-afl/)
* [kAFL - Hypervisor-Based Fuzzer](https://github.com/IntelLabs/kAFL)
**Analysis & Debugging Tools:**
* [PulseDBG - Hypervisor Debugger](https://github.com/mandiant/PulseDBG)
* [Windbg - Windows Debugger with Hyper-V Support](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/)
* [GDB with QEMU/KVM Debugging Support](https://www.qemu.org/docs/master/system/gdb.html)
**Vulnerability Scanners:**
* [Nessus - VMware Vulnerability Scanner](https://www.tenable.com/plugins/nessus)
* [OpenVAS - Open Vulnerability Assessment Scanner](https://www.openvas.org/)
## Blogs & Series
* [Ransomware Operators Exploit ESXi Hypervisor Vulnerability (Microsoft Security Blog July 2024)](https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/)
* [Unknown Attackers Exploit VMware Hypervisor-Hijack Holes (The Register March 2025)](https://www.theregister.com/2025/03/04/vmware_plugs_three_hypervisorhijack_holes)
* [Three Zero-Day Vulnerabilities Discovered in VMware Products (Cybereason 2025)](https://www.cybereason.com/blog/zero-day-vulnerabilities-vmware)
* [VMware ESXi Vulnerabilities: How to Find Impacted Assets (Runzero)](https://www.runzero.com/blog/vmware-esxi/)
* [Mass Exploitation of ESXi Hosts (Orange Cyber Defense)](https://www.orangecyberdefense.com/uk/insights/blog/research/mass-exploitation-of-esxi-hosts)
* [Threat Actors Exploiting New ESXi Vulnerability (Arete IR)](https://areteir.com/article/vmware-esxi-vulnerability-protection/)
* [Embattled VMware ESXi Hypervisor Flaw Exploitable in Myriad Ways (Dark Reading)](https://www.darkreading.com/vulnerabilities-threats/attackers-can-exploit-flaw-in-vmware-esxi-hypervisor-in-multiple-ways)
* [Attacks on VMware ESXi (University of West Oahu Cyber Research)](https://westoahu.hawaii.edu/cyber/vulnerability-research/vulnerabilities-weekly-summaries/attacks-on-vmware-esxi/)
* [VMware Hypervisor Security – Critical USB Controller Vulnerabilities (Entrust May 2024)](https://www.entrust.com/blog/2024/05/vmware-hypervisor-security-critical-vulnerabilities-related-to-usb-controller)
* [Securing Virtual Machines in QEMU on Linux (Security Boulevard May 2024)](https://securityboulevard.com/2024/05/securing-virtual-machines-in-qemu-on-linux/)
* [Rootless Virtual Machines with KVM and QEMU (Red Hat Developer December 2024)](https://developers.redhat.com/articles/2024/12/18/rootless-virtual-machines-kvm-and-qemu)
* [XEN Hypervisor Vulnerabilities (ADS Security)](https://adsecurity.org/?p=366)
* [VENOM - Xen, KVM, and QEMU Virtualization Vulnerability Advisory (NetWorks Group)](https://www.networksgroup.com/blog/venom-xen-kvm-qemu-virtualization-high-vulnerability-advisory)
* [VirtualBox Zero-Day Vulnerability Details and Exploit Publicly Available (BleepingComputer)](https://www.bleepingcomputer.com/news/security/virtualbox-zero-day-vulnerability-details-and-exploit-are-publicly-available/)
* [Oracle VirtualBox NAT Network DoS Vulnerability (Fortinet Blog)](https://www.fortinet.com/blog/threat-research/oracle-virtualbox-nat-network-dos-vulnerability)
* [CVE-2024-21111 Detection: Critical VirtualBox Privilege Escalation (SOC Prime)](https://socprime.com/blog/cve-2024-21111-detection-a-new-critical-local-privilege-escalation-vulnerability-in-oracle-virtualbox-with-the-poc-exploit-released/)
* [SentinelLabs Finds Three Vulnerabilities in Oracle VirtualBox (Born's Tech)](https://borncity.com/win/2021/11/27/sentinellabs-findet-drei-sicherheitslcken-in-oracle-virtualbox/)
* [Weekly Recap: Hyper-V Malware, RDP Exploits (The Hacker News November 2025)](https://thehackernews.com/2025/11/weekly-recap-hyper-v-malware-malicious.html)
## Presentations & Conferences
* [USENIX WOOT 2019: Breaking Turtles All the Way Down - VMware ESXi Exploitation](https://www.usenix.org/conference/woot19/presentation/zhao)
* [Black Hat USA 2016: Ouroboros - Tearing Xen Hypervisor with The Snake](https://blackhat.com/us-16/briefings.html)
* [Black Hat USA 2017: Virtualization Security Presentations](https://blackhat.com/us-17/briefings.html)
* [USENIX Security 2024: Virtualization and Cloud Security Sessions](https://www.usenix.org/conference/usenixsecurity24/technical-sessions)
* [KVM Forum 2024: Security and Confidential Computing Track](https://kvm-forum.qemu.org/2024/)
* [KVM Forum 2025: Advanced Virtualization Security](https://kvm-forum.qemu.org/2025/)
* [DEF CON: Hypervisor and Virtualization Security Talks (Annual)](https://www.defcon.org/)
* [Black Hat: Virtualization Security Briefings (Annual)](https://www.blackhat.com/)
* [HITBSecConf: Hypervisor Security Presentations](https://conference.hitb.org/)
## Videos
* [YouTube: Hypervisor From Scratch Tutorial Series](https://www.youtube.com/results?search_query=hypervisor+from+scratch)
* [YouTube: VMware ESXi Exploitation Techniques](https://www.youtube.com/results?search_query=vmware+esxi+exploitation)
* [YouTube: Hyper-V Security and Exploitation](https://www.youtube.com/results?search_query=hyper-v+exploitation)
* [YouTube: KVM Security Hardening](https://www.youtube.com/results?search_query=kvm+security)
* [USENIX: Virtualization Security Conference Talks](https://www.youtube.com/@UsenixOrg)
## Notes
* **Attack Vectors:** Guest-to-host VM escape, hypervisor privilege escalation, denial of service, information leakage, arbitrary code execution, USB controller exploitation, virtual device vulnerabilities
* **Primary Attack Sources:** Guest OS users (76% Xen, 85% KVM), cloud administrators, guest OS administrators, remote users
* **Common Attack Types:** DoS (44% Xen, 63% KVM), privilege escalation (30% Xen, 11% KVM), information leakage (14% Xen, 19% KVM), arbitrary code execution (7% both)
* **Major Hypervisors Targeted:** VMware ESXi/vSphere/Workstation/Fusion, Microsoft Hyper-V, Linux KVM/QEMU, Xen, Oracle VirtualBox, Parallels Desktop
* **2025 Critical VMware Zero-Days:** CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), CVE-2025-22226 (CVSS 7.1) - actively exploited in the wild, allowing full VM escape and hypervisor compromise
* **2024 ESXi Authentication Bypass:** CVE-2024-37085 - exploited by ransomware groups (Helldown, Black Basta, Akira, Medusa, Scattered Spider) for mass encryption attacks
* **2024 USB Controller Vulnerabilities:** Four critical flaws in VMware ESXi allowing sandbox and hypervisor bypass with privileged guest access
* **VirtualBox Vulnerabilities:** CVE-2024-21111 (privilege escalation to NT AUTHORITY\SYSTEM), CVE-2018-2844 (VM escape via VBVA), multiple NAT DoS vulnerabilities
* **Xen Vulnerabilities:** XSA-148, XSA-182 (exploitable logic issues), x86 emulator privilege validation flaws enabling sensitive instruction emulation
* **KVM/QEMU Issues:** 41+ guest-triggerable CVEs since 2009, VENOM vulnerability, 9pfs implementation flaws, e1000e heap use-after-free, VNC DoS vulnerabilities
* **VM Escape Techniques:** Hypervisor-level attacks (exploit hypervisor code), guest-level attacks (exploit guest OS/applications), buffer overflow, command injection, shared hardware cache exploitation
* **Advanced Attacks:** VMScape (Spectre BTI attack breaking VM isolation on AMD/Intel), Fire Ant (hypervisor-level espionage), BluePill (theoretical hypervisor rootkit)
* **Fuzzing Approaches:** Morphuzz (Red Hat's QEMU fuzzer using libFuzzer), AFL++ with hypervisor injection, kAFL (hypervisor-based OS fuzzing), pattern-based seed generation
* **Virtualization Technology:** Intel VT-x, AMD-V (AMD SVM), EPT (Extended Page Tables), VPID (Virtual Processor ID), VMCS (Virtual Machine Control Structure)
* **Security Features:** VBS (Virtualization Based Security), Hyper-V Virtual Secure Mode (VSM), HVCI (Hypervisor-Protected Code Integrity), SEV-SNP (Secure Encrypted Virtualization)
* **Ransomware Targeting:** VM escape exploits highly sought after by nation-state actors and organized crime for privilege escalation avoidance and reduced detection footprint
* **Impact:** Full virtualized infrastructure compromise, lateral movement across VMs, ransomware deployment at scale, data exfiltration, persistent access
* **Detection Challenges:** Hypervisor-level attacks operate below OS visibility, minimal forensic artifacts, difficult to detect with traditional EDR/AV solutions
* **Defense Measures:** Regular patching (hypervisor, host OS, guest OS), network segmentation, least privilege access, disable unnecessary virtual devices, enable security features (VBS, SEV), monitoring hypervisor logs
* **Testing Environment:** Build isolated lab with nested virtualization support, use snapshots for clean state reversion, avoid testing on production systems
* **Vulnerability Sources:** CVE databases (VMware, Oracle, Xen, KVM), vendor security advisories, CISA KEV catalog, security research publications
* **Research Institutions:** Microsoft Threat Intelligence (MSTIC), Sygnia, Zero Day Engineering, Red Hat Research, Google Project Zero, SentinelLabs
* **Legal Warning:** Unauthorized exploitation of hypervisor vulnerabilities is illegal. All research must be conducted in authorized environments with proper permissions
* **Ethical Considerations:** Responsible disclosure to vendors, coordinated vulnerability disclosure programs, focus on defensive understanding and improving virtualization security
* **Best Practices:** Keep hypervisors updated, minimize attack surface (disable unused features), implement defense-in-depth, monitor for unusual VM behavior, use hardware security features
* **Certification Requirements:** CISA mandated federal agencies patch critical VMware vulnerabilities by March 25, 2025; compliance frameworks (FedRAMP, PCI-DSS) require hypervisor security controls
* **Future Trends:** Confidential computing adoption (Intel TDX, AMD SEV-SNP, ARM CCA), AI-powered vulnerability discovery, quantum-resistant hypervisor cryptography, automated exploit detection
# Drones Hacking
## Books & Whitepapers
- [The Big Book of Drones](https://www.amazon.com/Big-Book-Drones-Ralph-DeFrangesco/dp/1032062827)
- [Drone Hacking: Wireless Exploits, GPS Spoofing, and UAV Security](https://www.amazon.com/Drone-Hacking-Offensive-Defensive-Strategies/dp/B0F5PP2LRB)
- [Hacking and securing the AR.Drone 2.0 quadcopter](https://www.researchgate.net/publication/260420467_Hacking_and_securing_the_ARDrone_20_quadcopter_-_Investigations_for_improving_the_security_of_a_toy)
- [Drone Hacking: Exploitation and Vulnerabilities](https://hakin9.org/download/drone-hacking-exploitation-and-vulnerabilities/)
- [Drone Hacking with Raspberry-Pi 3 and WiFi Pineapple](https://ueaeprints.uea.ac.uk/id/eprint/83147/1/Accepted_manuscript.pdf)
- [Hacking a Commercial Drone](https://kth.diva-portal.org/smash/get/diva2:1484619/FULLTEXT01.pdf)
- [UAV Exploitation: A New Domain for Cyber Power](https://ccdcoe.org/uploads/2018/10/Art-13-UAV-Exploitation-A-New-Domain-for-Cyber-Power.pdf)
- [SoK: Security and Privacy in the Age of Drones](https://arxiv.org/pdf/1903.05155)
- [SoK: Security and Privacy in the Age of Commercial Drones](https://ieeexplore.ieee.org/document/9519393)
- [Unmanned Aerial Vehicle (UAV) Forensics: The Good, The Bad, and the Unaddressed](https://dl.acm.org/doi/10.1016/j.cose.2023.103340)
- [Continuous authentication of UAV flight command data using behaviometrics](https://ieeexplore.ieee.org/document/8203494)
- [Cyber security threat analysis and modeling of an unmanned aerial vehicle system](https://ieeexplore.ieee.org/document/6459914)
- [Cyber4Drone: A Systematic Review of Cyber Security and Forensics](https://www.mdpi.com/2504-446X/7/7/430)
- [Detection of UAV hijacking and malfunctions via variations in flight data statistics](https://ieeexplore.ieee.org/document/7815713)
- [Hacking a Commercial Drone with Open-Source Software](https://ieeexplore.ieee.org/document/9460295)
- [An Internet of Drones](https://www.computer.org/csdl/magazine/ic/2016/03/mic2016030068/13rRUILLkrV)
- [DRAT: A Penetration Testing Framework for Drones](https://www.researchgate.net/publication/354245593_DRAT_A_Penetration_Testing_Framework_for_Drones)
- [Penetration testing a civilian drone](https://www.diva-portal.org/smash/get/diva2:1463784/FULLTEXT01.pdf)
- [Attacks, Detection, and Prevention on Commercial Drones: A Review](https://www.semanticscholar.org/paper/Attacks%2C-Detection%2C-and-Prevention-on-Commercial-A-Warnakulasooriya-Segev/8b957a03efade8c0a51a8e36190298047ebcbae9#cited-papers)
- [Survey on Anti-Drone Systems: Components, Designs, and Challenges](https://ieeexplore.ieee.org/document/9378538)
- [Jamming and Spoofing Techniques for Drone Neutralization](https://www.mdpi.com/2504-446X/8/12/743)
- [Assessing the Impact of Aviation Security on Cyber Power](https://ccdcoe.org/uploads/2018/10/Art-14-Assessing-the-Impact-of-Aviation-Security-on-Cyber-Power.pdf)
- [Security Analysis of the Drone Communication Protocol](http://www.diva-portal.org/smash/get/diva2:1350857/FULLTEXT01.pdf)
- [Protecting Against the Threat of Unmanned Aircraft Systems (CISA)](https://www.cisa.gov/sites/default/files/publications/Protecting%20Against%20the%20Threat%20of%20Unmanned%20Aircraft%20Systems%20November%202020_508c.pdf)
- [Drone Security & Privacy (New Prairie Press)](https://newprairiepress.org/cgi/viewcontent.cgi?filename=3&article=1021&context=ebooks&type=additional)
- [DJI Drone Security White Paper](https://www.scribd.com/document/844981153/DJI-Drone-Security-White-Paper)
- [Drone Security (Scribd)](https://www.scribd.com/document/694560908/Drone-Security)
- [Drone Hacking (DronXploit PDF)](https://github.com/eusebio-orozco/hacking-drones/blob/main/DronXploit.pdf)
- [Vulnerability Analysis of Camera Drones](https://www.diva-portal.org/smash/get/diva2:1586253/FULLTEXT01.pdf)
- [Counter-UAS Systems Market Report 2024-2025](https://www.marketsandmarkets.com/Market-Reports/counter-uav-systems-market-99496341.html)
- [Drone Security Market Analysis 2024-2030](https://www.marketresearchfuture.com/reports/drone-security-market-8245)
- [UAV Cybersecurity Threats and Mitigation Strategies 2024](https://www.mdpi.com/search?q=UAV+cybersecurity+2024)
- [DJI Security: 2024 Update on Commercial Drone Security](https://enterprise.dji.com/security)
- [Parrot Drone Security Documentation](https://developer.parrot.com/docs/security/)
## Courses
- [Beginner to Advanced Drone Security Bundle (DroneSec)](https://training.dronesec.com/p/bundle)
- [C-UAS Site Vulnerability Assessments (DroneSec)](https://training.dronesec.com/p/site-vuln-assessment)
- [Drone Wi-Fi Hacking (Hakin9)](https://hakin9.org/course/blast-course-drone-wi-fi-hacking-w33/)
- [Drone Hacking Workshop (EC-Council)](https://iclass.eccouncil.org/product/drone-hacking-workshop/)
- [Drone Hacking and Forensics Course (CyberFox)](https://cyberfoxtrain.com/course/drone-hacking-and-forensics-course/)
- [Drone Training (NobleProg)](https://www.nobleprog.com.eg/cc/drone)
- [Certified Drone Cyber Defense Specialist (Tonex)](https://www.tonex.com/training-courses/certified-drone-cyber-defense-specialist-cdcds/)
- [Drone OSINT Investigations (CUAS Hub)](https://cuashub.com/en/service/drone-open-source-intelligence-investigations-online-training-course/)
- [Aerial Assault: Combining Drones and Pentesting (PentestMag)](https://pentestmag.com/course/aerial-assault-combining-drones-and-pentesting-w54/)
- [Udemy: Drone Security & Penetration Testing 2024](https://www.udemy.com/topic/drone-security/)
- [SANS: Securing IoT and UAV Systems](https://www.sans.org/cyber-security-courses/)
- [Class Central: 30+ Drone Security Online Courses for 2025](https://www.classcentral.com/subject/drone-security)
## Labs
- [Damn Vulnerable Drone (DVD)](https://github.com/nicholasaleks/Damn-Vulnerable-Drone)
- [Hack-a-Drone Workshop](https://github.com/miles-no/hack-a-drone-ws)
- [Hack-a-Drone (Ordina JTech)](https://github.com/Ordina-JTech/hack-a-drone)
- [DroneWolf Workshop](https://dronewolf.darkwolf.io/workshop)
- [Drone Wars Competition](https://www.commonwealthu.edu/offices-directory/mathematics-computer-science-and-digital-forensics/drone-wars-competition)
- [HackTheDrone CTF](http://hackthedrone.org/eng/index.php)
- [Build Your Own Drone Hacking Lab (Tutorial)](https://github.com/ANG13T/drone-hacking-workshop)
- [DJI Tello EDU Programming Lab](https://www.ryzerobotics.com/tello-edu)
## Blogs & Series
- [Looking at the sky: the world of Drone Pentesting](https://pentestmag.com/looking-at-the-sky-the-world-of-drone-pentesting/)
- [Drone Penetration Testing & Facility Security](https://grabtheaxe.com/drone-penetration-testing-facility-security/)
- [Hacking the DJI Phantom 3](http://dronesec.xyz/2017/01/25/hacking-the-dji-phantom-3/)
- [Russian software company hacks DJI drones](https://www.theverge.com/2017/6/21/15848344/drones-russian-software-hack-dji-jailbreak)
- [CopterSafe (Archives)](https://wetalkuav.com/coptersafe/)
- [How to penetrate a drone using a Flipper Zero](https://medium.com/infosec-writes-up/how-to-penetrate-a-drone-using-a-flipper-zero-3a9e0b5f1b83?source=rss------hacking-5)
- [Drone C2 Research: Security Threats and Mitigation](https://medium.com/@lovleska123/drone-c2-research-security-threats-and-mitigation-863138336959?source=rss------hacking-5)
- [C-UAS Drone Forensics (JAPCC)](https://www.japcc.org/chapters/c-uas-drone-forensics/)
- [DroneSec Blog: Latest UAV Security Insights](https://dronesec.com/blog/)
- [GPS Spoofing and Drone Hijacking: A Comprehensive Guide](https://www.pentestpartners.com/security-blog/drone-hacking/)
- [MAVLink Protocol Security Analysis](https://ardupilot.org/dev/docs/mavlink-security.html)
- [Wi-Fi Deauthentication Attacks on Consumer Drones](https://resources.infosecinstitute.com/topics/hacking/drone-hacking/)
- [Counter-Drone Technologies and Legal Implications 2024](https://www.lawfaremedia.org/article/counter-drone-systems)
## Presentations & Conferences
- [Game of Drones: Drone Defense Market (DEF CON 25)](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Brown-and-Latimer-Game-of-Drones-Drone-Defense-Market-UPDATED.pdf)
- [Drone Hacking Presentation (Bishop Fox)](https://web.archive.org/web/20250317050144/https://resources.bishopfox.com/resources/tools/drones-penetration-testers/presentation-slides/)
- [Hacking Drones (DEF CON 24 Video)](https://www.youtube.com/watch?v=0LA8tTKAfK0)
- [Hacking the Drones (OWASP Slides)](https://owasp.org/www-chapter-london/assets/slides/OWASP201604_Drones.pdf)
- [Drone Hacking Workshop Slides](https://github.com/ANG13T/drone-hacking-workshop/blob/main/Drone_Hacking_Workshop_Slides.pptx)
- [Drone Wars / Hack Drones Slides](https://github.com/JaramilloRobert/DroneWarsSlide--DroneHacking)
- [Controlling UAVs with Hijacked Radio Links (USENIX)](https://www.usenix.org/sites/default/files/conference/protected-files/woot16_slides_davidson.pdf)
- [DroneSploit - BlackHat EU Arsenal](https://github.com/dhondta/dronesploit/blob/master/docs/blackhat-eu19-arsenal.pdf)
- [Hacking a Professional Drone (Asia 16)](https://www.scribd.com/document/403930294/Asia-16-Rodday-Hacking-a-Professional-Drone)
- [OWASP Drones Presentation](https://www.scribd.com/document/332852011/Owasp201604-Drones)
- [DEF CON 32 (2024): UAV Security Village Talks](https://www.defcon.org/)
- [Black Hat USA 2024: Counter-Drone Technologies and Detection Systems](https://www.blackhat.com/)
- [DroneCon 2024: Cybersecurity Talks](https://www.dronecon.nl/)
- [Unmanned Systems Summit 2024: Security Track](https://xponential.org/)
## Videos
- [Introduction to Drone Hacking (Video)](https://www.youtube.com/watch?v=iG7hUE2BZZo)
- [Hacking Drones with Flipper Zero (Video)](https://www.youtube.com/watch?v=4UluLNVPtAE)
- [Drone Hacking Demo (Video)](https://www.youtube.com/watch?v=EHKV01YQX_w)
- [Drone Security Talk (Video)](https://www.youtube.com/watch?v=kfsYeqGuI8E)
- [YouTube: Drone Hacking Tutorial Series 2024](https://www.youtube.com/results?search_query=drone+hacking+tutorial+2024)
- [YouTube: GPS Spoofing and Drone Attacks](https://www.youtube.com/results?search_query=gps+spoofing+drone+attacks)
- [YouTube: MAVLink Protocol Security](https://www.youtube.com/results?search_query=mavlink+protocol+security)
## Tools & Frameworks
**Drone Hacking Frameworks:**
* [DroneSploit: Automated Exploitation Framework for Drones](https://github.com/dhondta/dronesploit)
* [Snoopy: Distributed Tracking and Profiling Framework (Drones)](https://github.com/sensepost/snoopy-ng)
* [DRAT: Drone Reconnaissance and Auditing Toolkit](https://github.com/topics/drone-hacking)
* [Maldrone: Malicious Drone Research Framework](https://github.com/Ullaakut/maldrone)
**GPS Spoofing & Jamming:**
* [GPS-SDR-SIM: GPS Signal Simulator](https://github.com/osqzss/gps-sdr-sim)
* [HackRF One: Software Defined Radio for GPS Spoofing](https://greatscottgadgets.com/hackrf/)
* [BladeRF: Software Defined Radio Platform](https://www.nuand.com/)
* [GNSS-SDR: Open Source GNSS Software Defined Receiver](https://gnss-sdr.org/)
**Wi-Fi Deauthentication & Attack Tools:**
* [Flipper Zero: Multi-tool for Pentesters (Wi-Fi, Sub-GHz)](https://flipperzero.one/)
* [WiFi Pineapple: Wireless Auditing Platform](https://shop.hak5.org/products/wifi-pineapple)
* [Aircrack-ng: Wi-Fi Network Security Testing Suite](https://www.aircrack-ng.org/)
* [Wifiphisher: Automated Phishing Attacks Against Wi-Fi Networks](https://github.com/wifiphisher/wifiphisher)
* [ESP32 Jammer: Wi-Fi/Bluetooth Jammer](https://github.com/KEI4251/ESP32-Jammer-)
**MAVLink Protocol Testing:**
* [MAVProxy: Lightweight GCS for MAVLink](https://ardupilot.org/mavproxy/)
* [QGroundControl: Ground Control Station for Drones](http://qgroundcontrol.com/)
* [DroneKit: Python API for Drone Development](https://github.com/dronekit/dronekit-python)
* [PyMAVLink: Python Implementation of MAVLink Protocol](https://github.com/ArduPilot/pymavlink)
**Drone Detection & Counter-Drone:**
* [OpenDroneID: Drone Identification and Tracking](https://github.com/opendroneid)
* [DroneDetect: RF-based Drone Detection System](https://github.com/topics/drone-detection)
* [C-UAS Technologies: Commercial Counter-Drone Solutions](https://www.cisa.gov/counter-unmanned-aircraft-systems)
**Forensics & Analysis:**
* [UAV Forensics Toolkit](https://github.com/nicholasaleks/Awesome-Drone-Hacking#forensics)
* [DJI Flight Log Analyzer](https://www.airdata.com/)
* [DroneLogbook: Flight Data Analysis](https://www.dronelogbook.com/)
* [Litchi CSV Processor: DJI Flight Mission Analysis](https://flylitchi.com/)
**OSINT & Reconnaissance:**
* [Drone Tracking via ADS-B](https://www.adsbexchange.com/)
* [FlightRadar24: Real-Time Flight Tracking](https://www.flightradar24.com/)
* [OpenSky Network: Open Aviation Data](https://opensky-network.org/)
* [SkyVector: Aeronautical Charts and Flight Planning](https://skyvector.com/)
**GitHub Resources & Collections:**
* [Awesome Drone Hacking List](https://github.com/nicholasaleks/Awesome-Drone-Hacking)
* [Drone Hacking Guideline](https://github.com/BOB4Drone/Drone_Hacking_Guideline_ENG)
* [Drone Security (GitHub)](https://github.com/Kyle-dev922/DroneSecurity)
* [Countermeasures against Drone Hacking](https://github.com/Deepak-nitrr/countermeasures-against-drone-hacking-and-GPS-spoofing-project)
* [Hacker Drone](https://github.com/HardwareWiki/Hacker-Drone)
* [Drone Hacking Tools](https://github.com/Soofiyan/Drone_hacking)
* [DJI Phantom Vision](https://github.com/noahwilliamsson/dji-phantom-vision)
* [Drone Hacking Tool](https://github.com/readloud/Drone-Hacking-Tool)
## Notes
* Set up your own drone hacking lab using consumer drones (DJI Tello, Parrot AR.Drone, DJI Phantom), SDR hardware (HackRF, BladeRF), and Wi-Fi auditing tools
* **2024-2025 Statistics:** Counter-UAS market projected to reach $6.98 billion by 2029 (CAGR 26.8%); 1.6M+ commercial drones registered in US alone
* **Market Growth:** Global drone security market expected to reach $7.5 billion by 2030; compound annual growth rate (CAGR) of 24.3%
* **Security Incidents:** 2,000+ reported drone security incidents globally in 2024; 60% involve unauthorized surveillance, 25% critical infrastructure threats
* **Attack Vectors:** GPS spoofing (85% success rate on consumer drones), Wi-Fi deauthentication (95% on older models), MAVLink hijacking, RF jamming
* **Common Protocols:** MAVLink (ArduPilot, PX4), Lightbridge (DJI), OcuSync (DJI), Parrot SDK, DroneKit API
* **Communication Channels:** 2.4GHz/5.8GHz Wi-Fi, 433MHz/915MHz radio control, GPS L1/L2 bands, 4G/5G cellular
* **Popular Targets:** DJI Phantom series (35% of consumer market), DJI Mavic series (30%), Parrot AR.Drone (legacy testing), DJI Tello EDU (educational)
* **Attack Types:**
- GPS spoofing and location manipulation
- Wi-Fi deauthentication and man-in-the-middle attacks
- MAVLink protocol injection and command hijacking
- RF jamming and signal disruption
- Firmware exploitation and backdoor installation
- Video feed interception and manipulation
- Autonomous flight takeover
* **GPS Spoofing Success:** 85%+ of consumer drones vulnerable to GPS spoofing; can redirect drones up to 10km from intended location
* **Wi-Fi Vulnerabilities:** 95% of older drone models (pre-2020) vulnerable to Wi-Fi deauth attacks; modern DJI OcuSync more resilient
* **MAVLink Security:** Unencrypted by default; allows command injection, telemetry interception, mission manipulation on ArduPilot/PX4 systems
* **DJI Security Updates:** 2024 security patches address firmware vulnerabilities, encrypted communications, geo-fencing improvements
* **Regulatory Context:** FAA Remote ID (2023), EASA drone regulations (2024), NIST cybersecurity framework for UAS
* **Legal Warning:** Unauthorized interference with aircraft (including drones) is a federal crime in most countries. All testing must be performed on personally owned drones in controlled environments with explicit permission
* **Ethical Use:** These tools are for authorized security research, penetration testing of owned systems, and defensive understanding only
* **Lab Hardware:** Use DJI Tello EDU ($99), HackRF One ($350), Flipper Zero ($169), WiFi Pineapple ($119), RTL-SDR dongles ($25)
* **Software Stack:** Kali Linux, DroneSploit, Aircrack-ng, MAVProxy, QGroundControl, GPS-SDR-SIM, Wireshark
* **Best Practices:** Test in isolated environments away from airports/restricted airspace, never compromise flight safety, follow responsible disclosure
* **Counter-Drone Technologies:** RF detection systems, radar-based tracking, optical/thermal cameras, GPS jamming, net guns, directed energy weapons
* **Forensics Capabilities:** Extract flight logs, analyze telemetry data, recover video footage, identify pilot location, timeline reconstruction
* **OSINT Applications:** Track drone registrations, identify operators, analyze flight patterns, monitor drone activity near critical infrastructure
* **Certification Path:** DroneSec certifications, Certified Drone Cyber Defense Specialist (CDCDS), EC-Council Drone Hacking Workshop
* **Continuous Learning:** Follow DroneSec blog, monitor CVEs for drone firmware, participate in Drone Wars competitions, study C-UAS technologies
* **Notable Vulnerabilities (2023-2024):**
- CVE-2023-XXXX: DJI firmware buffer overflow allowing arbitrary code execution
- CVE-2024-XXXX: Parrot SDK authentication bypass
- Multiple MAVLink protocol vulnerabilities in ArduPilot/PX4 (ongoing research)
* **Defense Strategies:** Enable Remote ID, use encrypted communication protocols, implement geo-fencing, keep firmware updated, monitor for GPS anomalies
* **Emerging Threats (2024-2025):** AI-powered autonomous attack drones, swarm coordination exploits, 5G network vulnerabilities, quantum-resistant encryption needs
# MedTech Hacking
## Books & Whitepapers
* **[Medical Device Cybersecurity for Engineers and Manufacturers (2nd Edition)](https://www.amazon.com/Medical-Device-Cybersecurity-Engineers-Manufacturers/dp/1630819913)** – *The definitive industry guide.*
* **[Hacking Medical Devices (ERNW)](https://ernw.de/download/ERNW_CSA-No-Summit_Hacking_Medical_Devices_fgrunow.pdf)** – *Technical presentation/whitepaper on device exploitation.*
* **[Hacking Medical Devices (Slides)](https://sdnewhop.github.io/AISec/slides/zn-2019-hm.pdf)** – *Technical slides covering attack surfaces and protocols.*
* **[Medical Device Product Security](https://pressbooks.umn.edu/mdih/chapter/medical-device-product-security/)** – *University of Minnesota (Open Textbook).*
* **[Medical Instrument Design and Development](https://link.springer.com/book/10.1007/978-1-4614-1674-6)** – *Springer.*
* **[Preventing Bluetooth and Wireless Attacks in IoMT Healthcare Systems](https://www.wiley.com/en-us/Preventing+Bluetooth+and+Wireless+Attacks+in+IoMT+Healthcare+Systems-p-9781394349425)** – *Wiley.*
* **[Connected Health: The Medical Internet of Things](https://www.nccgroup.com/media/d5xgxwuw/_ncc-group-connected-health-whitepaper-july-2019.pdf)** – *NCC Group Whitepaper.*
* **[Hacking Healthcare: A Guide to Standards, Workflows, and Meaningful Use](https://www.oreilly.com/library/view/hacking-healthcare/9781449309602/)** – *O'Reilly (Essential for hospital infrastructure).*
* **[Healthcare Information System Hacking & Protection](https://www.amazon.com/Healthcare-Information-System-Hacking-Protect/dp/1976967996)**
* **[Hacking Healthcare: How AI Will Reboot an Ailing System](https://www.amazon.com/Hacking-Healthcare-Intelligence-Revolution-Reboot/dp/1032260157)**
* **[Hacking Health: How to Make Money and Save Lives](https://www.amazon.com/Hacking-Health-Money-Lives-HealthTech/dp/3319716182)**
* **[Hacking Medical Devices (Whitepaper)](https://media.blackhat.com/bh-us-11/Radcliffe/BH_US_11_Radcliffe_Hacking_Medical_Devices_WP.pdf)** – *Jay Radcliffe (Black Hat).*
* **[Security and Privacy Issues in Internet of Medical Things](https://www.amazon.com/Security-Privacy-Issues-Internet-Medical/dp/0323898726)**
* **[Deep Learning for Internet of Things Infrastructure](https://onlinelibrary.wiley.com/doi/book/10.1002/9781119769200)** – *Wiley Online Library.*
* **[Playbook for Threat Modeling Medical Devices](https://www.mitre.org/sites/default/files/2021-11/Playbook-for-Threat-Modeling-Medical-Devices.pdf)** – *MITRE/FDA (Highly Recommended).*
* **[FDA: Cybersecurity in Medical Devices - Final Guidance (June 2025)](https://www.fda.gov/media/119933/download)** – *Official FDA guidance for premarket submissions.*
* **[Cybersecurity Vulnerabilities in Medical Devices (PMC)](https://pmc.ncbi.nlm.nih.gov/articles/PMC4516335/)** – *Complex environment and multifaceted problem analysis.*
* **[Unpatched and Outdated Medical Devices Cyber Threats (IC3/FBI)](https://www.ic3.gov/CSA/2022/220912.pdf)** – *FBI Cybersecurity Advisory 2022.*
* **[IoMT Security Frameworks for Risk Assessment (PMC)](https://pmc.ncbi.nlm.nih.gov/articles/PMC11102065/)** – *Scoping review of security frameworks.*
* **[Design of Hack-Resistant Diabetes Devices (PMC)](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5478035/)** – *Cyber safety disclosure research.*
* **[60 Healthcare and Medical Device Cybersecurity Statistics for 2025 (C2A Security)](https://c2a-sec.com/60-healthcare-and-medical-device-cybersecurity-risk-statistics-for-2025/)**
* **[Integrating Security into CI/CD Pipelines for Medical Devices (ResearchGate)](https://www.researchgate.net/publication/390459514_Integrating_Security_into_CICD_Pipelines_A_DevSecOps_Approach_with_SAST_DAST_and_SCA_Tools)**
## Courses
* **TÜV SÜD:** [Medical Device Cybersecurity Training (US)](https://www.tuvsud.com/en-us/store/academy-us/healthcare-hospitality/medical-devices/46-43-24-0021)
* **TÜV SÜD:** [Medical Device Software & Security (UK)](https://www.tuvsud.com/en-gb/store/academy-gb/training-sectors/medical/12-184-23-0001)
* **TÜV SÜD:** [Medical Device Cybersecurity Risk Assessment (E-Learning)](https://www.tuvsud.com/en-us/services/training/e-learning-courses/medical-device-cybersecurity-risk-assessment)
* **Tonex:** [Medical Device Cybersecurity Training](https://www.tonex.com/training-courses/medical-device-cybersecurity/)
* **Tonex:** [IoMT Security Bootcamp](https://www.tonex.com/training-courses/healthcare-device-iomt-internet-of-medical-things-security-bootcamp/)
* **CodeRed:** [Cybersecurity for Healthcare - Part 1](https://coderedpro.com/products/cybersecurity-for-healthcare-part-1)
* **CodeRed:** [Cybersecurity for Healthcare - Part 2](https://coderedpro.com/products/cybersecurity-for-healthcare-part-2)
* **Coursera:** [Medical Technology and Evaluation Specialization](https://www.coursera.org/specializations/medical-technology-evaluation) – *Univ of Minnesota.*
* **IEEE:** [Medical Device Cybersecurity Certification Program](https://standards.ieee.org/products-programs/icap/programs/medical-devices-cybersecurity/)
* **University of Minnesota:** [Introduction to Medical Device Cybersecurity (Short Course)](https://cse.umn.edu/tli/medical-device-cybersecurity-short-courses)
* **St. Petersburg College:** [Medical Device Networking and Cybersecurity Certificate](https://www.spcollege.edu/future-students/degrees-training/engineering-manufacturing-and-building-arts/biomedical-engineering-technology/medical-device-networking-and-cybersecurity-certificate)
* **CertX:** [Cybersecurity for Medical Devices – Crash Course](https://certx.com/cybersecurity-and-medical-devices-how-to-handle-it/)
* **Oriel Stat:** [Medical Device Cybersecurity Risk Management Training](https://www.orielstat.com/training/medical-device-cybersecurity-risk-training)
* **TriMedX:** [Medical Device Cybersecurity Training and Development](https://www.trimedx.com/cybersecurity/training)
* **UL Solutions:** [Medical Device Cybersecurity Certification](https://www.ul.com/services/medical-device-cybersecurity-certification)
* **Class Central:** [30+ Medical Device Security Online Courses](https://www.classcentral.com/subject/medical-device-security)
## Labs
*Since actual medical hardware is hard to get, use these software simulators:*
* **[OpenEMR](https://www.open-emr.org/demo/):** Open-source electronic medical record system. Install via Docker to practice attacking patient data databases and web vulnerabilities.
* **[Orthanc DICOM Server](https://www.orthanc-server.com/):** Open-source server for medical imaging. Use this to practice attacking DICOM protocols and image manipulation.
* **[DCM4CHE](https://www.dcm4che.org/):** Java toolkit for the DICOM standard. Essential for analyzing medical network traffic.
* **Biohacking Village CTF:** Keep an eye on [VillageB.io](https://www.villageb.io/) for their CTF challenges (often released during DEF CON).
* **HoneyPots:** Look into **Conpot** (ICS honeypot) and configure it to simulate medical device profiles.
* **[CICIoMT2024 Dataset](https://www.unb.ca/cic/datasets/iomt-dataset-2024.html):** Research dataset with 18 cyberattacks targeted at 40 IoMT devices.
* **[Horos DICOM Viewer](https://horosproject.org/):** Open-source medical image viewer for macOS.
* **Mirth Connect:** Open-source HL7 interface engine for healthcare integration testing.
## Blogs, Articles & News
* **[IOActive: Penetration Testing of the DICOM Protocol](https://www.ioactive.com/penetration-testing-of-the-dicom-protocol-real-world-attacks/)** – *Deep dive into real-world attacks on medical imaging protocols.*
* **[BleepingComputer: Medical IoT Devices with Outdated OS Exposed](https://www.bleepingcomputer.com/news/security/medical-iot-devices-with-outdated-operating-systems-exposed-to-hacking/)**
* **[DarkReading: Black Hat Flashback - Deadly Consequences of Weak Security](https://www.darkreading.com/iot/black-hat-flashback-deadly-consequences-weak-medical-device-security)**
* **[Medium (Case Study): What Happens When a Glucose Monitor Gets Hacked](https://medium.com/@jeet25/what-happens-when-a-glucose-monitor-gets-hacked-a-blueprint-for-securing-mobile-medical-devices-4299a6dbec63?source=rss------cybersecurity-5)**
* **[Medium: Why Medical Devices are the Next Big Cybersecurity Risk](https://amolrangari.medium.com/why-medical-devices-are-the-next-big-cybersecurity-risk-2825e3019a04?source=rss------infosec-5)**
* **[Medium: Medical Devices Vulnerable to Cyber Attacks](https://motasemhamdan.medium.com/medical-devices-vulnerable-to-cyber-attacks-74881c083f80?source=rss------hacking-5)**
* **[Medium Article: Security Insights](https://medium.com/p/dec8eb361518)**
* **[Biohacking Village Blog](https://www.villageb.io/blog):** Updates from the premier medical hacking community.
* **[MedCrypt Blog](https://www.medcrypt.com/blog):** Technical deep-dives on device encryption and security.
* **[Armis Labs Blog](https://www.armis.com/blog/):** Famous for discovering "URGENT/11" and other critical hospital vulnerabilities.
* **[Claroty Medigate](https://claroty.com/blog):** Focuses on IoMT and clinical environment security.
* **[IoMT Vulnerabilities Statistics & Security Trends 2025 (DeepStrike)](https://deepstrike.io/blog/iomt-vulnerabilities-statistics-2025)**
* **[Forescout: 162 Vulnerabilities in Connected Medical Devices (Industrial Cyber)](https://industrialcyber.co/medical/forescout-research-reveals-162-vulnerabilities-in-connected-medical-devices-elevating-risks-to-patient-data-and-safety/)**
* **[State of Cybersecurity in Healthcare 2025 (Echelon Risk + Cyber)](https://echeloncyber.com/intelligence/entry/the-state-of-cybersecurity-in-healthcare-2025-insights-from-echelon-experts)**
* **[Secureworks: Hacking Intelligent Medical Devices](https://www.secureworks.com/blog/medical-device-security-hacking-intelligent-medical-devices-to-enhance-your-organizations-safety)**
* **[Healthcare Cybersecurity 2025: Claroty's Medigate & IoMT (Elisity)](https://www.elisity.com/blog/healthcare-cybersecurity-in-2025-why-clarotys-medigate-microsegmentation-and-iomt-security-are-critical-for-compliance)**
* **[How Secure Are Health Devices? (Nature npj Digital Medicine)](https://www.nature.com/articles/s41746-025-01710-2)**
* **[Safeguarding Healthcare from IoMT Risks (LevelBlue)](https://levelblue.com/blogs/security-essentials/safeguarding-healthcare-organizations-from-iomt-risks)**
* **[Pacemakers and Insulin Pumps Can Be Hacked (UPI)](https://www.upi.com/Health_News/2022/06/01/medical-devices-pacemakers-cybersecurity/7041653656330/)**
* **[CBS News: How Medical Devices Can Be Hacked](https://www.cbsnews.com/news/cybersecurity-researchers-show-medical-devices-hacking-vulnerabilities/)**
* **[AAMC: Exposing Vulnerabilities in Medical Devices](https://www.aamc.org/news/exposing-vulnerabilities-how-hackers-could-target-your-medical-devices)**
* **[Insulin Pumps Recalled After Hacking Vulnerability (AFERM)](https://resources.aferm.org/erm_feed/insulin-pumps-recalled-after-hacking-vulnerability-revealed/)**
* **[Armis: A History of Medical Device Hacking](https://www.armis.com/blog/chapter-3-a-history-of-medical-device-hacking/)**
* **[CSO Online: Hacking Pacemakers, Insulin Pumps in Real Time](https://www.csoonline.com/article/566025/hacking-pacemakers-insulin-pumps-and-patients-vital-signs-in-real-time.html)**
* **[Patient Insecurity: Explosion of IoMT (Cybersecurity Ventures)](https://cybersecurityventures.com/patient-insecurity-explosion-of-the-internet-of-medical-things/)**
* **[How I Got Into Hacking Ultrasound Machines (Medium)](https://medium.com/@pasknel/how-i-got-into-hacking-ultrasound-machines-part-02-3b16b799974c)**
* **[FDA Cybersecurity Guidelines for Medical Devices 2024 (Sternum IoT)](https://sternumiot.com/iot-blog/fda-cybersecurity-guidelines-for-medical-devices-2024-guide/)**
* **[C2A Security: FDA's Final Cybersecurity Guidance June 2025](https://c2a-sec.com/fdas-final-cybersecurity-guidance-june-2025-what-medical-device-manufacturers-must-do-now/)**
* **[Johner Institute: FDA Guidance on Cybersecurity](https://blog.johner-institute.com/iec-62304-medical-software/fda-guidance-on-cybersecurity/)**
## Presentations & Conferences
* **[Biohacking Village Official Channel](https://www.youtube.com/@BiohackingVillage/videos)** – *Start here. Contains years of DEF CON talks.*
* [Talk: Hacking Medical Devices (Demo)](https://www.youtube.com/watch?v=cb8MgVSuwwg)
* [Talk: Anatomy of a Medical Device Hack](https://www.youtube.com/watch?v=J_yQAHYHuqU)
* [Talk: Medical Device Security Vulnerabilities](https://www.youtube.com/watch?v=Nkr_5S-KYXA)
* [Talk: Real-world IoMT Attacks](https://www.youtube.com/watch?v=4mgyHS0ARxI)
* [Talk: Securing the Hospital of the Future](https://www.youtube.com/watch?v=QiGLLinRaHo)
* [Conference: DefCon/BlackHat Medical Talks](https://www.youtube.com/watch?v=UW33rToRx28)
* [Talk: The Reality of Medical Device Security](https://www.youtube.com/watch?v=NU7fn5-FRSY)
* [Demo: Pacemaker/Insulin Pump Security](https://www.youtube.com/watch?v=voTZOaBIvgM)
* [Lecture: Medical Device Risk Management](https://www.youtube.com/watch?v=DsVgE_5Ekg4)
* [Talk: Hospital Network Penetration Testing](https://www.youtube.com/watch?v=Or5GsZbvobM)
* [Webinar: FDA Cybersecurity Guidelines](https://www.youtube.com/watch?v=x00W0Ip-0Ek)
* [Documentary: Cyber Attacks on Hospitals](https://www.youtube.com/watch?v=_nODFSIr_tg)
* [Talk: Biomedical Engineering & Security](https://www.youtube.com/watch?v=SQ-ZhgpoYGg)
* [Talk: Wireless Medical Device Attacks](https://www.youtube.com/watch?v=7hQ_8aICyk4)
* [Talk: Embedded Security in MedTech](https://www.youtube.com/watch?v=YFbAuhnUEQQ)
* [Talk: The Future of IoMT Security](https://www.youtube.com/watch?v=CZOEP4czIDc)
* [Talk: Clinical Engineering Perspective](https://www.youtube.com/watch?v=0ym46I3DyaY)
* [Talk: Healthcare Cybersecurity Landscape](https://www.youtube.com/watch?v=L3mxvCiNd2c)
## Tools & Frameworks
**DICOM Protocol Tools**
* **[pydicom](https://github.com/pydicom/pydicom):** Python library for working with DICOM files.
* **[pynetdicom](https://github.com/pydicom/pynetdicom):** Python implementation of the DICOM network protocol (formerly pynetdicom3).
* **[DICOM Toolkit (sdnewhop)](https://github.com/sdnewhop/dicom):** Essential toolkit for analyzing and testing DICOM implementations.
* **[DCM4CHE](https://www.dcm4che.org/):** Java toolkit for the DICOM standard.
* **[Radamsa](https://gitlab.com/akihe/radamsa):** General-purpose mutation fuzzer; useful for generating malformed DICOM inputs for robustness testing.
* **[PowerTools DICOM & HL7 Utilities](https://www.imgsol.com/product/data-management/developer-tools/powertools-dicom-hl7-utilities/):** Commercial suite for development and testing.
**HL7 Protocol Tools**
* **[HL7Magic (WithSecure)](https://labs.withsecure.com/publications/hl7magic--a-tool-for-testing-medical-devices-using-the-hl7-proto):** Tool for proxying, parsing and amending HL7 messages (DEF CON 2023).
* **[hl7 (Python)](https://github.com/johnpaulett/python-hl7):** Python library to parse HL7 messages (hospital data protocol).
* **[Mirth Connect](https://www.nextgen.com/products-and-services/integration-engine):** Open-source HL7 interface engine.
* **MedAudit:** Graphical interface for testing devices using HL7 (BlackHat 2017).
**Wireless & Network Testing**
* **[KillerBee](https://github.com/riverloopsec/killerbee):** Framework for ZigBee exploitation (common in older medical devices).
* **[Ubertooth](https://github.com/greatscottgadgets/ubertooth):** Tools for Bluetooth Low Energy (BLE) monitoring (common in modern wearables).
* **[Wireshark](https://www.wireshark.org/):** Network protocol analyzer with DICOM dissectors.
**Medical Device Simulators**
* **[OpenEMR](https://www.open-emr.org/):** Open-source electronic medical record system.
* **[Orthanc](https://www.orthanc-server.com/):** Open-source DICOM server for medical imaging.
* **[Conpot](https://github.com/mushorg/conpot):** ICS/SCADA honeypot that can simulate medical device profiles.
**Security Platforms**
* **[Medigate (Claroty)](https://claroty.com/medigate/):** IoMT security platform for clinical environments.
* **[Armis](https://www.armis.com/):** Agentless device security platform.
* **[Forescout](https://www.forescout.com/):** Device visibility and control platform.
* **[MedCrypt](https://www.medcrypt.com/):** Cybersecurity platform for medical device manufacturers.
* **[C2A Security](https://c2a-sec.com/):** Risk-driven DevSecOps platform for medical devices.
## Notes
* **[FDA Guidance](https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity):** Mandatory reading for US compliance.
* **[MDR (Medical Device Regulation)](https://ec.europa.eu/health/medical-devices-sector/new-regulations_en):** The new European standard for device safety.
* **[HIPAA Security Rule](https://www.hhs.gov/hipaa/for-professionals/security/index.html):** US federal law protecting patient health information (PHI).
* **[ISO 14971](https://www.iso.org/standard/72704.html):** The global standard for risk management of medical devices.
* **[UL 2900](https://www.ul.com/services/cybersecurity-assurance-program):** Standard for Software Cybersecurity for Network-Connectable Products.
* **[IEC 62304](https://www.iso.org/standard/38421.html):** Medical device software lifecycle processes.
* **[IEC 81001-5-1](https://www.iso.org/standard/72370.html):** Health software and health IT systems safety, effectiveness and security.
* **[IEEE 2621.2](https://standards.ieee.org/ieee/2621.2/10866/):** Wireless medical devices cybersecurity assurance.
* **[MDCG 2019-16](https://health.ec.europa.eu/document/download/be0acb92-1f0b-4e57-a15e-1075f85b8a5c_en?filename=md_cybersecurity_en.pdf):** EU guidance on cybersecurity for medical devices.
* **[IMDRF Principles and Practices for Medical Device Cybersecurity](https://www.imdrf.org/documents/principles-and-practices-medical-device-cybersecurity):** International framework.
## Misc (GitHub Repos, Videos, Reports)
* **[Shared Resource Collection](https://share.google/XKPch6kjWEdnYmssA)** – *Additional materials/drive link.*
* **[Akitra: Cybersecurity in the IoMT](https://akitra.com/cybersecurity-in-the-iomt/)** (Article/Report).
* [D1T2 - How to Hack Medical Imaging Applications via DICOM - Maria Nedyak (PDF)](https://share.google/XKPch6kjWEdnYmssA)
* [GitHub - sdnewhop/dicom: DICOM security](https://share.google/xyftvDSiyvHbR99a5)
* [zn-2019-hm.pdf (Hacking Medical Devices slides)](https://share.google/R9iGXkZXmwBGYf4Ct)
* [Penetration Testing of the DICOM Protocol: Real-World Attacks - IOActive](https://share.google/VdhL2raN58HBMvexV)
* [ERNW_CSA-No-Summit_Hacking_Medical_Devices_fgrunow.pdf](https://share.google/Q3V70jAD5il9bQ34m)
* [Playbook-for-Threat-Modeling-Medical-Devices.pdf](https://share.google/aF5jUQTSqp10kHCPI)
# CPU Exploitation
## Books & Whitepapers
* [Processor Microarchitecture Security (ACM Guide)](https://dl.acm.org/doi/10.5555/AAI29060496)
* [A Survey of Microarchitectural Timing Attacks (IACR eprint)](https://eprint.iacr.org/2016/613.pdf)
* [A Survey of Microarchitectural Side-channel Vulnerabilities, Attacks, and Defenses in Cryptography (ACM Computing Surveys)](https://dl.acm.org/doi/10.1145/3456629)
* [Microarchitectural Attacks in Heterogeneous Systems: A Survey (ACM Computing Surveys)](https://dl.acm.org/doi/10.1145/3544102)
* [A Systematic Evaluation of Transient Execution Attacks and Defenses (arXiv)](https://arxiv.org/pdf/1811.05441)
* [A Systematic Evaluation of Transient Execution Attacks and Defenses (Daniel Gruss)](https://gruss.cc/files/transientsok.pdf)
* [Spectre Attacks: Exploiting Speculative Execution (PDF)](https://spectreattack.com/spectre.pdf)
* [On the Spectre and Meltdown Processor Security Vulnerabilities (Mark D. Hill)](https://css.csail.mit.edu/6.858/2023/readings/spectre-meltdown.pdf)
* [Survey of Transient Execution Attacks (Chinese Academy of Sciences)](https://crad.ict.ac.cn/en/article/doi/10.7544/issn1000-1239.202440167)
* [Discovering Novel Microarchitectural Security Vulnerabilities in Modern Processors (MIT)](https://dspace.mit.edu/handle/1721.1/152860)
* [Secure Processor Architectures (Springer)](https://link.springer.com/rwe/10.1007/978-981-97-9314-3_10)
* [Secure Computer Architecture in the Post-Meltdown World (SIGARCH)](https://www.sigarch.org/secure-computer-architecture-in-the-post-meltdown-world-a-long-road-ahead/)
* [Microarchitectural Vulnerabilities Introduced, Exploited, and Accelerated by Heterogeneous FPGA-CPU Platforms (Springer)](https://link.springer.com/chapter/10.1007/978-3-031-45395-3_8)
* [A New Approach for Rowhammer Attacks (Stony Brook University PDF)](https://www.seclab.cs.sunysb.edu/seclab/pubs/host16.pdf)
* [Defeating Software Mitigations against Rowhammer: a Surgical Precision Hammer (VUSec PDF)](https://download.vusec.net/papers/hammertime_raid18.pdf)
* [Rowhammer Attacks in Dynamic Random-Access Memory and Defense Methods (PMC)](https://pmc.ncbi.nlm.nih.gov/articles/PMC10819648/)
* [Memory Under Siege: A Comprehensive Survey of Side-Channel Attacks on Memory (arXiv)](https://arxiv.org/html/2505.04896v1)
* [A Survey of Side-Channel Attacks and Mitigation for Processor Interconnects (MDPI)](https://www.mdpi.com/2076-3417/14/15/6699)
* [Cache and Speculative Side Channel Attacks: A Comprehensive Review (Springer)](https://link.springer.com/chapter/10.1007/978-3-032-06665-7_21)
* [Survey of CPU Cache-Based Side-Channel Attacks: Systematic Analysis, Security Models, and Countermeasures (Hindawi)](https://www.hindawi.com/journals/scn/2021/5559552/)
* [Cache Side Channel Attack: Exploitability and Countermeasures (Black Hat Asia 2017 PDF)](https://blackhat.com/docs/asia-17/materials/asia-17-Irazoqui-Cache-Side-Channel-Attack-Exploitability-And-Countermeasures.pdf)
* [Security, Performance and Energy Trade-offs of TEEs (arXiv)](https://arxiv.org/pdf/1903.04203)
## Courses
* [MIT OpenCourseWare: Lecture 16 - Side-Channel Attacks (Computer Systems Security)](https://ocw.mit.edu/courses/6-858-computer-systems-security-fall-2014/resources/lecture-16-side-channel-attacks/)
* [Class Central: 200+ Side Channel Attacks Online Courses for 2025](https://www.classcentral.com/subject/side-channel-attacks)
* [Side Channel Attacks for Hardware N00BZ - Securing Hardware Workshop](https://securinghardware.com/training/sca4n00bz/)
* [CASS-KUL: Session 7 - Caches and Microarchitectural Timing Attacks](https://cass-kul.github.io/exercises/7-cache/)
* [MIT 6.5950/6.5951: Cache Attacks Lab](https://shd.mit.edu/2024/labs/cache.html)
## Labs
**Official Vulnerability Sites:**
* [Meltdown and Spectre Official Website](https://meltdownattack.com/)
* [Spectre Attack Official Website](https://spectreattack.com/)
**GitHub Resource Collections:**
* [GitHub: speed47/spectre-meltdown-checker - Vulnerability Checker for Multiple Attacks](https://github.com/speed47/spectre-meltdown-checker)
* [GitHub: IAIK/meltdown - Meltdown Bug Demonstration Applications](https://github.com/IAIK/meltdown)
* [GitHub: paboldin/meltdown-exploit - Meltdown Exploit PoC](https://github.com/paboldin/meltdown-exploit)
* [GitHub: Frichetten/meltdown-spectre-poc - Combined Meltdown & Spectre PoCs](https://github.com/Frichetten/meltdown-spectre-poc)
* [GitHub: kianenigma/meltdown-spectre - PoC Implementation with Tutorial](https://github.com/kianenigma/meltdown-spectre)
* [GitHub: jarmouz/spectre_meltdown - CPU Vulnerabilities Explained & Exploited](https://github.com/jarmouz/spectre_meltdown)
* [GitHub: adamalston/Meltdown-Spectre - Exploited Vulnerabilities](https://github.com/adamalston/Meltdown-Spectre)
**Attack Tools & Frameworks:**
* [GitHub: cache_template_attacks - Cache Template Attack Tools (IAIK)](https://github.com/IAIK/cache_template_attacks)
* [GitHub: Security-RISC - Microarchitectural Attacks on RISC-V CPUs (CISPA)](https://github.com/cispa/Security-RISC)
* [GitHub: Mastik Toolkit - Cache-based Side-Channel Attacks (Yuval Yarom)](https://github.com/CTSRD-CHERI/Mastik)
* [GitHub Topics: Cache Attack Repositories](https://github.com/topics/cache-attack)
* [GitHub Topics: Side-Channel Attacks Repositories](https://github.com/topics/side-channel-attacks?o=desc&s=forks)
* [GitHub Topics: Microarchitectural Attack Repositories](https://github.com/topics/microarchitectural-attack)
* [GitHub: uarchsec - Microarchitecture Security Resources](https://github.com/flowyroll/uarchsec)
* [Hammertime: Rowhammer Testing Suite](https://github.com/vusec/hammertime)
* [MemTest86 v5.0: Rowhammer Test](https://www.memtest86.com/)
## Blogs & Series
* [What are the Spectre and Meltdown CPU Vulnerabilities (Cybereason)](https://www.cybereason.com/blog/what-are-the-spectre-and-meltdown-vulnerabilities)
* [New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors (The Hacker News 2024)](https://thehackernews.com/2024/10/new-research-reveals-spectre.html)
* [TEE.Fail: Researchers Break Intel SGX/TDX and AMD SEV-SNP (Security Online)](https://securityonline.info/tee-fail-researchers-break-intel-sgx-tdx-and-amd-sev-snp-with-sub-1000-ddr5-memory-bus-attack/)
* [TEE.Fail Attack Breaks Confidential Computing on Intel, AMD, NVIDIA CPUs (BleepingComputer)](https://www.bleepingcomputer.com/news/security/teefail-attack-breaks-confidential-computing-on-intel-amd-nvidia-cpus/)
* [New TEE.Fail Side-Channel Attack Extracts Secrets from Intel and AMD DDR5 Secure Enclaves (The Hacker News)](https://thehackernews.com/2025/10/new-teefail-side-channel-attack.html)
* [Intel SGX and AMD SEV Enclaves Vulnerable to Physical Attacks (WebProNews)](https://www.webpronews.com/intel-sgx-and-amd-sev-enclaves-vulnerable-to-physical-attacks/)
* [Cheap Hardware Hacks Shatter Nvidia, AMD, Intel Enclave Security (WebProNews)](https://www.webpronews.com/cheap-hardware-hacks-shatter-nvidia-amd-intel-enclave-security/)
* [ρHammer: Reviving RowHammer Attacks on New Architectures via Prefetching (ACM)](https://dl.acm.org/doi/10.1145/3725843.3756042)
* [Using Rowhammer Attacks on DDR4 Memory in Modern Systems (Medium)](https://medium.com/@RocketMeUpCybersecurity/using-rowhammer-attacks-on-ddr4-memory-in-modern-systems-techniques-risks-and-countermeasures-312e97663e28)
* [Rowhammer Attacks: Exploiting DRAM Vulnerabilities in Modern Systems (Medium)](https://medium.com/@roshan.reju/rowhammer-attacks-exploiting-dram-vulnerabilities-in-modern-systems-3160f01c6995)
* [Side-Channel Attacks: Methods Exploits and Defense Guide (Startup Defense)](https://www.startupdefense.io/cyberattacks/side-channel-attack)
* [What is Side Channel Attacks? (Training Camp)](https://trainingcamp.com/glossary/side-channel-attacks/)
* [CPU Cache Side-Channel Attacks: Meltdown & Spectre (Guanzhou Hu)](https://www.josehu.com/technical/2020/06/10/cpu-side-channel.html)
* [What is a Timing Attack? (TechTarget)](https://www.techtarget.com/searchsecurity/definition/timing-attack)
* [What is a Side Channel Attack? (Comparitech)](https://www.comparitech.com/blog/information-security/side-channel-attack/)
* [Fundamentally Understanding and Solving RowHammer (ACM)](https://dl.acm.org/doi/10.1145/3566097.3568350)
* [When Mitigations Backfire: Timing Channel Attacks for PRAC-Based RowHammer Mitigations (arXiv)](https://arxiv.org/abs/2505.10111)
* [DEACT: Hardware Solution to Rowhammer Attacks (Science Publications)](https://thescipub.com/abstract/jcssp.2023.861.876)
## Presentations & Conferences
* [Black Hat USA: CPU Exploitation Presentations](https://www.blackhat.com/)
* [DEF CON: Hardware Hacking and CPU Security Talks](https://defcon.org/)
* [Black Hat USA 2024: Arbitrary Data Manipulation and Leakage with CPU Zero-Day Bugs on RISC-V](https://www.blackhat.com/us-24/)
* [Black Hat 2025 & DEF CON 33 August 2025 Las Vegas](https://blackhat.com/us-25/defcon.html)
* [USENIX Security: Lord of the Ring(s) - Side Channel Attacks on CPU Ring Interconnect](https://www.usenix.org/conference/usenixsecurity21/presentation/paccagnella)
* [ACM SIGARCH: Secure Computer Architecture in Post-Meltdown World](https://www.sigarch.org/secure-computer-architecture-in-the-post-meltdown-world-a-long-road-ahead/)
* [IEEE S&P 2023: A Security RISC - Microarchitectural Attacks on Hardware RISC-V CPUs](https://github.com/cispa/Security-RISC)
* [ACM Microarchitecture Symposium: ρHammer Presentation](https://dl.acm.org/doi/10.1145/3725843.3756042)
* [ACM CCS 2017: Cache Side Channels Tutorial](https://dl.acm.org/doi/10.1145/3133956.3136064)
## Videos
* [YouTube: Meltdown and Spectre Explained](https://www.youtube.com/results?search_query=meltdown+spectre+explained)
* [YouTube: CPU Cache Side-Channel Attacks Tutorial](https://www.youtube.com/results?search_query=cpu+cache+side+channel+attacks+tutorial)
* [YouTube: Rowhammer Attack Demonstration](https://www.youtube.com/results?search_query=rowhammer+attack+demonstration)
* [YouTube: Intel SGX Attacks Explained](https://www.youtube.com/results?search_query=intel+sgx+attacks+explained)
* [YouTube: Spectre and Meltdown DEF CON Talks](https://www.youtube.com/results?search_query=spectre+meltdown+defcon)
* [YouTube: CPU Timing Attacks Tutorial](https://www.youtube.com/results?search_query=cpu+timing+attacks+tutorial)
## Tools & Frameworks
**Spectre & Meltdown Tools:**
* [Spectre & Meltdown Checker Scripts](https://github.com/speed47/spectre-meltdown-checker)
* [InSpectre: Spectre/Meltdown Vulnerability Scanner](https://www.grc.com/inspectre.htm)
* [Microsoft Hardware Readiness Tool](https://www.microsoft.com/en-us/download/details.aspx?id=56716)
**Cache Attack Tools:**
* [Cache Template Attacks Framework](https://github.com/IAIK/cache_template_attacks)
* [Mastik: Microarchitectural Side-Channel Toolkit](https://github.com/CTSRD-CHERI/Mastik)
* [Flush+Reload Attack Tools](https://github.com/clementine-m/cache_template_attacks)
* [Prime+Probe Implementation](https://github.com/topics/prime-probe)
**Rowhammer Tools:**
* [Hammertime: Rowhammer Testing Suite](https://github.com/vusec/hammertime)
* [RAMBleed Exploit](https://rambleed.com/)
* [BLACKSMITH: Rowhammer Fuzzer](https://comsec.ethz.ch/research/dram/blacksmith/)
* [TRRespass: Rowhammer Attacks Toolkit](https://github.com/vusec/trrespass)
**SGX/TEE Attack Tools:**
* [SGX-Step: A Framework for Intel SGX Attacks](https://github.com/jovanbulck/sgx-step)
* [Foreshadow Attack POC](https://foreshadowattack.eu/)
* [SGAxe: Side-Channel Attack on SGX](https://github.com/PSCLab-ASU/sgaxe)
* [TEE.Fail Research Code](https://tee.fail/)
**Side-Channel Analysis:**
* [ChipWhisperer: Side-Channel Analysis Platform](https://github.com/newaetech/chipwhisperer)
* [SCALib: Side-Channel Analysis Library](https://github.com/simple-crypto/SCALib)
* [Riscure Inspector: Side-Channel Analysis Tool](https://www.riscure.com/product/inspector/)
**Research & Development:**
* [Security-RISC: RISC-V Microarchitectural Attacks](https://github.com/cispa/Security-RISC)
* [MicroScope: Microarchitecture Modeling Framework](https://github.com/danielmgmi/medusa)
* [Transient Fail: Transient Execution Attacks](https://transient.fail/)
## Notes
* **2024-2025 Major Attacks:** Training Solo (May 2025) affects all Intel CPUs with eIBRS; Branch Privilege Injection (May 2025) affects Intel 9th gen+; VMScape (September 2025) exploits incomplete isolation in branch predictor between VMs
* **2024 Notable Attacks:** BHI vulnerability exploitable in Linux user space; TikTag attack against ARM v8.5A Memory Tagging Extension; Indirector attack on Intel Alder/Raptor Lake; TSA attacks on AMD Zen 3/4
* **Transient Execution Attacks:** Exploit processor optimizations to bypass security checks and exfiltrate sensitive information through covert channels; affects Intel, AMD, and ARM processors
* **Spectre Family:** Exploits speculative execution to access unauthorized memory; multiple variants discovered (v1, v2, BTI, PHT, STL); persists in latest processors despite mitigations
* **Meltdown:** Breaks isolation between user applications and operating system; allows reading kernel memory from user space; primarily affects Intel processors
* **TEE.Fail Attack (October 2025):** Breaks Intel SGX/TDX and AMD SEV-SNP using sub-$1,000 DDR5 memory bus attack; extracts attestation keys and cryptographic material; built using off-the-shelf hardware
* **Rowhammer:** Exploits electrical interference between physically adjacent DRAM rows to flip bits in neighbouring memory rows; affects DDR3, DDR4, and DDR5 memory; variants include BLACKSMITH, TRRespass, ρHammer
* **Cache Timing Attacks:** Exploit CPU cache behavior to infer secret information; techniques include Flush+Reload, Prime+Probe, Evict+Time, Flush+Flush
* **Side-Channel Attacks:** Leverage timing, power consumption, electromagnetic emissions, or acoustic signatures; target cryptographic implementations and secure enclaves
* **Intel SGX Attacks:** SGAxe, Foreshadow, Spectre-SGX, SGX-Step; exploit speculative execution and cache timing; compromise enclave confidentiality
* **AMD SEV Attacks:** SEVered, SEVerity, CrossLine; exploit memory encryption weaknesses; affect confidential computing in cloud environments
* **RISC-V Security:** Emerging attack surface; Security-RISC demonstrates Spectre-v1 and cache attacks on hardware RISC-V; requires vendor-specific mitigations
* **Mitigation Challenges:** Microcode updates impact performance (5-30% overhead); some attacks have no complete mitigation; ongoing cat-and-mouse between attackers and defenders
* **Vendor Responses:** Intel implements eIBRS, IBPB, STIBP; AMD uses LFENCE dispatch serialization; ARM introduces CSV2, CSV3 mitigations; physical attacks often out-of-scope
* **Attack Prerequisites:** Some require local access, others remote timing observation; vary from user-mode to kernel privileges; physical attacks require hardware interposition
* **Testing Tools:** MemTest86 for Rowhammer detection; spectre-meltdown-checker for vulnerability assessment; ChipWhisperer for side-channel analysis
* **Research Institutions:** Leading work from MIT, ETH Zurich, Georgia Tech, Purdue, VUSec, IAIK Graz, CISPA; publications in USENIX, IEEE S&P, ACM CCS
* **Real-World Impact:** Cloud security compromised by VM escape; cryptographic keys extracted from SGX enclaves; browser-based attacks via JavaScript
* **Defense Strategies:** Hardware fixes (CPU redesign, memory encryption); software mitigations (kernel page-table isolation, retpoline); compiler-based defenses (lfence insertion)
* **Performance vs Security:** Mitigations introduce significant overhead; context switching costs increase; some features disabled (hyperthreading, speculative execution)
* **Future Trends:** Quantum-resistant side-channels; AI-accelerated attack discovery; formal verification of microarchitectural security; hardware-software co-design for security
* **Lab Setup:** Use vulnerable test systems; QEMU for safe experimentation; logic analyzers for hardware attacks; isolated networks for testing
* **Legal Warning:** Unauthorized exploitation of CPU vulnerabilities is illegal; research requires responsible disclosure; testing only on authorized systems with proper permissions
* **Ethical Considerations:** Coordinate disclosure with vendors (typically 90-day embargo); publish proof-of-concepts responsibly; consider societal impact before public release
* **Hardware Requirements:** Logic analyzer for memory bus attacks; oscilloscope for power analysis; FPGA for custom attack implementations; DDR interposers for TEE.Fail-style attacks
* **Best Practices:** Stay updated on latest CVEs; apply security patches promptly; disable hyperthreading if high security required; use constant-time cryptographic implementations
* **Detection Methods:** Performance anomaly detection; cache occupancy monitoring; memory access pattern analysis; timing variance detection
* **Academic Resources:** arXiv for latest preprints; IACR ePrint for cryptographic attacks; ACM/IEEE digital libraries for peer-reviewed research
* **Industry Standards:** Common Vulnerabilities and Exposures (CVE) system; CERT coordination; vendor security advisories; NIST guidelines
# GPU Exploitation
## Books & Whitepapers
* [GPU Computing Gems (Morgan Kaufmann) - Advanced GPU Programming](https://www.elsevier.com/books/gpu-computing-gems-emerald-edition/hwu/978-0-12-384988-5)
* [CUDA by Example: An Introduction to General-Purpose GPU Programming](https://developer.nvidia.com/cuda-example)
* [OpenCL Programming Guide by Aaftab Munshi, Benedict Gaster, Timothy Mattson](https://www.pearson.com/store/p/opencl-programming-guide/P100000339417)
* [Exploiting GPU Drivers: Security Vulnerabilities in Graphics Processing (Black Hat 2017)](https://www.blackhat.com/docs/us-17/thursday/us-17-Matrosov-Betraying-The-BIOS-Where-The-Guardians-Of-The-BIOS-Are-Failing.pdf)
* [Breaking Down the Boundaries: Attacks on GPU Isolation (USENIX Security 2023)](https://www.usenix.org/conference/usenixsecurity23/presentation/gpu-isolation)
* [GPU Security Vulnerabilities: Attacks on NVIDIA, AMD, and Intel Graphics (Tencent Blade Team)](https://blade.tencent.com/en/advisories/qualpwn/)
* [Exploiting Qualcomm Adreno GPU on Android (Tencent 2019)](https://blade.tencent.com/en/advisories/qualpwn/)
* [CVE-2024-0109: NVIDIA GPU Driver Escalation of Privilege (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2024-0109)
* [AMD GPU Driver Vulnerabilities Research (GPUOpen 2024)](https://gpuopen.com/security/)
* [GPU Side-Channel Attacks: Leaking Data Through Graphics (Research Paper)](https://arxiv.org/pdf/2101.05261)
* [GPU Memory Side-Channels: A Survey (IEEE 2023)](https://ieeexplore.ieee.org/document/10234567)
* [Exploiting GPU Virtualization in Cloud Environments (VMware Research)](https://www.vmware.com/security/hardening-guides.html)
* [GPU Kernel Driver Exploitation Techniques (Phrack Magazine)](http://phrack.org/issues/70/5.html)
* [Breaking TrustZone on Mobile GPUs (ARM Mali Security Research)](https://developer.arm.com/documentation/102099/latest/)
* [Intel Graphics Driver Vulnerabilities: A Deep Dive (Project Zero)](https://googleprojectzero.blogspot.com/search/label/Intel)
* [GPU DMA Attacks: Direct Memory Access Exploitation (BlackHat Asia 2021)](https://www.blackhat.com/asia-21/briefings/schedule/)
* [CUDA Security: Exploiting NVIDIA's Parallel Computing Platform](https://developer.nvidia.com/blog/cuda-security-best-practices/)
* [GPU Virtualization Security: vGPU Attack Surface Analysis](https://www.vmware.com/security/advisories.html)
* [AMD ROCm Security Whitepaper (2024)](https://www.amd.com/en/technologies/software-security.html)
## Courses
* [Exodus Intelligence: GPU Security Research Training](https://www.exodusintel.com/training/)
* [OffensiveCon: GPU Exploitation Workshops](https://www.offensivecon.org/)
* [NVIDIA CUDA Training & Certification](https://developer.nvidia.com/cuda-education)
* [AMD ROCm Developer Training](https://www.amd.com/en/technologies/rocm.html)
* [Khronos OpenCL Training Courses](https://www.khronos.org/opencl/)
* [Udacity: Intro to Parallel Programming (CUDA)](https://www.udacity.com/course/intro-to-parallel-programming--cs344)
* [Coursera: GPU Programming Specialization](https://www.coursera.org/specializations/gpu-programming)
## Labs & Tools
**GitHub Resource Collections:**
* [GitHub: xairy/linux-kernel-exploitation - Includes NVIDIA & Mali GPU Exploits](https://github.com/xairy/linux-kernel-exploitation)
* [GitHub: 0xor0ne/awesome-list - Mali GPU Vulnerabilities Research](https://github.com/0xor0ne/awesome-list)
* [GitHub: CaledoniaProject/drivers-binaries - Exploitable Drivers Collection](https://github.com/CaledoniaProject/drivers-binaries)
* [GitHub: TakahiroHaruyama/VDR - Vulnerable Driver Research Tool](https://github.com/TakahiroHaruyama/VDR)
* [GitHub: stong/CVE-2020-15368 - Vulnerable Driver Exploitation Tutorial](https://github.com/stong/CVE-2020-15368)
* [GitHub: hacksysteam/HackSysExtremeVulnerableDriver - HEVD for Driver Exploitation](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver)
**GPU Development & Tools:**
* [NVIDIA CUDA Toolkit - GPU Development Environment](https://developer.nvidia.com/cuda-toolkit)
* [AMD ROCm - Open-Source GPU Compute Platform](https://www.amd.com/en/technologies/rocm.html)
* [Intel oneAPI - Unified GPU/CPU Programming](https://www.intel.com/content/www/us/en/developer/tools/oneapi/overview.html)
* [GPUOpen - AMD's Open-Source GPU Tools](https://gpuopen.com/)
* [NVIDIA Nsight - GPU Debugging & Profiling Tools](https://developer.nvidia.com/nsight-graphics)
* [Radeon GPU Profiler (RGP) - AMD Performance Analysis](https://gpuopen.com/rgp/)
* [Intel Graphics Performance Analyzers (GPA)](https://www.intel.com/content/www/us/en/developer/tools/graphics-performance-analyzers/overview.html)
* [GPU-Z - Graphics Card Information & Monitoring](https://www.techpowerup.com/gpuz/)
* [MSI Afterburner - GPU Overclocking & Monitoring](https://www.msi.com/Landing/afterburner)
* [Syzkaller - Kernel Fuzzer (GPU Driver Fuzzing)](https://github.com/google/syzkaller)
* [AFL++ - GPU Driver Fuzzing Framework](https://github.com/AFLplusplus/AFLplusplus)
* [QEMU GPU Passthrough - Virtualized GPU Testing](https://www.qemu.org/)
* [GPU Ocelot - Dynamic GPU Compiler Framework](https://github.com/gtcasl/gpuocelot)
* [Barra - GPU Vulnerability Scanner](https://github.com/OpenGPU/Barra)
* [NVIDIA NVFlash - BIOS Flashing Tool](https://www.techpowerup.com/download/nvidia-nvflash/)
* [AMD VBFlash - GPU BIOS Flashing Utility](https://www.techpowerup.com/download/ati-atiflash/)
* [GPU Shark - GPU Monitoring & Analysis](http://www.geeks3d.com/20130412/gpu-shark-0-7-0-simple-gpu-monitoring-tool-geforce-radeon/)
* [nvtop - NVIDIA GPU Process Monitor (Linux)](https://github.com/Syllo/nvtop)
* [radeontop - AMD GPU Monitor for Linux](https://github.com/clbr/radeontop)
## Blogs & Series
* [CVE-2024-0109: NVIDIA GPU Driver Privilege Escalation - Critical Vulnerability (2024)](https://nvidia.custhelp.com/app/answers/detail/a_id/5491)
* [CVE-2024-21762: AMD Radeon GPU Driver Memory Corruption (2024)](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3001.html)
* [CVE-2024-23211: Qualcomm Adreno GPU Exploit - Remote Code Execution (2024)](https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2024-bulletin.html)
* [CVE-2023-4295: Intel Graphics Driver Vulnerability - Actively Exploited (2023)](https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00854.html)
* [Google Project Zero: GPU Driver Vulnerability Research](https://googleprojectzero.blogspot.com/search/label/GPU)
* [NVIDIA Security Bulletins: GPU Driver Vulnerabilities](https://nvidia.custhelp.com/app/answers/list/st/1/kw/security/page/1)
* [AMD Product Security: Radeon GPU Driver Advisories](https://www.amd.com/en/resources/product-security.html)
* [Qualcomm Security Bulletins: Adreno GPU Vulnerabilities](https://docs.qualcomm.com/product/publicresources/securitybulletin.html)
* [Tencent Blade Team: QualpWN - Qualcomm GPU Exploitation](https://blade.tencent.com/en/advisories/qualpwn/)
* [ARM Mali GPU Security Research](https://developer.arm.com/documentation/102099/latest/)
* [GPU Memory Vulnerabilities: LeftoverLocals Attack (2024)](https://leftoverslocals.com/)
* [Trail of Bits: GPU Security Research Blog](https://blog.trailofbits.com/category/security-reviews/)
* [Kernel Café: GPU Driver Exploitation Series](https://kernelcafe.org/)
* [ZDI (Zero Day Initiative): GPU Driver Vulnerabilities](https://www.zerodayinitiative.com/advisories/published/)
* [GitHub Security Lab: GPU Driver Fuzzing Results](https://securitylab.github.com/)
* [NCC Group: Graphics Driver Vulnerability Research](https://research.nccgroup.com/)
* [Quarkslab Blog: GPU Exploitation & Reverse Engineering](https://blog.quarkslab.com/)
* [GRIMM: GPU Security Research](https://blog.grimm-co.com/)
* [OpenGL Vulnerabilities: Khronos Security Advisories](https://www.khronos.org/news/)
* [Vulkan Security: Graphics API Exploitation Research](https://www.vulkan.org/)
## Presentations & Conferences
* [Black Hat USA: GPU Driver Exploitation Talks](https://www.blackhat.com/html/archives.html)
* [DEF CON: Hardware Hacking Village - GPU Security](https://www.defcon.org/)
* [Pwn2Own: GPU Driver Exploit Demonstrations](https://www.zerodayinitiative.com/Pwn2Own.html)
* [HITB (Hack in The Box): GPU Security Research](https://conference.hitb.org/)
* [OffensiveCon: GPU Exploitation Workshops](https://www.offensivecon.org/)
* [REcon: GPU Reverse Engineering Conference](https://recon.cx/)
* [INFILTRATE: Graphics Driver Vulnerability Research](https://infiltratecon.com/)
* [SIGGRAPH: GPU Security & Trusted Graphics](https://www.siggraph.org/)
* [GTC (GPU Technology Conference) - NVIDIA Security Track](https://www.nvidia.com/gtc/)
* [AMD GPU Open Developer Conference](https://gpuopen.com/)
## Videos
* [LiveOverflow: GPU Driver Exploitation Series](https://www.youtube.com/c/LiveOverflow)
* [NVIDIA Developer: CUDA Security Best Practices](https://www.youtube.com/c/NVIDIADeveloper)
* [GPU Technology Conference: Security Talks](https://www.nvidia.com/en-us/on-demand/session-catalog/)
---
## Notes
1. **GPU Driver Kernel Exploitation**
- GPU drivers run in kernel mode with high privileges (Ring 0 on x86, EL1 on ARM)
- Common vendors: NVIDIA (GeForce, Quadro, Tesla), AMD (Radeon, RDNA), Intel (Arc, Iris Xe), Qualcomm (Adreno), ARM (Mali)
- Attack surface: IOCTL handlers, memory management (VRAM/system RAM mapping), command submission, shader compilation
- Common vulnerabilities: use-after-free, buffer overflows, integer overflows, race conditions, type confusion
- Tools: IDA Pro, Ghidra, WinDbg, LLDB, Syzkaller (GPU driver fuzzing)
2. **NVIDIA GPU Driver Exploitation**
- NVIDIA dominates discrete GPU market (80%+ market share)
- Driver components: nvidia.ko (Linux), nvlddmkm.sys (Windows)
- Common targets: IOCTL handlers (NV_ESC_RM_* functions), UVM (Unified Virtual Memory), CUDA runtime
- CVE-2024-0109 (2024): Critical privilege escalation in NVIDIA GPU driver
- Research: Google Project Zero's extensive NVIDIA driver research
3. **AMD Radeon GPU Driver Exploitation**
- AMD GPU drivers: amdgpu.ko (Linux), amdkmdag.sys (Windows)
- ROCm (Radeon Open Compute): Open-source compute platform
- Common vulnerabilities: DRM (Direct Rendering Manager) bugs, memory mapping issues
- CVE-2024-21762 (2024): AMD Radeon driver memory corruption
4. **Qualcomm Adreno GPU Exploitation**
- Adreno GPUs dominate Android mobile market (Snapdragon SoCs)
- Attack surface: kgsl (Kernel Graphics Support Layer), GPU firmware, command submission
- QualpWN (Tencent Blade Team 2019): Qualcomm GPU/WLAN driver vulnerability chain
- CVE-2024-23211 (2024): Adreno GPU remote code execution
- Mobile exploitation: Adreno exploits often used in Android privilege escalation chains
5. **Intel Graphics Driver Exploitation**
- Intel integrated GPUs (Iris Xe, UHD Graphics, Arc discrete GPUs)
- Drivers: i915.ko (Linux), igdkmd64.sys (Windows)
- Common vulnerabilities: Display engine bugs, GuC (Graphics Microcontroller) issues
- CVE-2023-4295 (2023): Intel graphics driver actively exploited in the wild
6. **ARM Mali GPU Exploitation**
- ARM Mali GPUs prevalent in mobile/embedded devices (Samsung Exynos, MediaTek)
- Attack surface: Mali kernel driver, job scheduling, memory management
- TrustZone integration: Mali Protected Mode for secure video playback
- Research: Breaking TrustZone via Mali GPU vulnerabilities
7. **GPU Side-Channel Attacks**
- Timing attacks: Measuring GPU execution time to infer data
- Cache attacks: GPU cache side-channels (similar to CPU Spectre/Meltdown)
- GPU memory side-channels: Leaking data through VRAM access patterns
- Cross-VM attacks: Exploiting shared GPU in cloud environments
- Notable: LeftoverLocals (2024) - GPU memory disclosure vulnerability affecting AMD, Apple, Qualcomm
8. **GPU DMA (Direct Memory Access) Attacks**
- GPUs can directly access system memory via DMA
- PCIe DMA attacks: GPU as a rogue DMA device
- IOMMU bypass: Exploiting IOMMU (Input-Output Memory Management Unit) misconfigurations
- Physical attacks: GPU DMA for cold boot attacks, memory imaging
- Mitigations: VT-d (Intel), AMD-Vi, PCIe ACS (Access Control Services)
9. **GPU Virtualization Exploitation**
- GPU passthrough: Dedicated GPU assignment to VMs (VFIO, SR-IOV)
- vGPU (Virtual GPU): Time-sliced GPU sharing (NVIDIA GRID, AMD MxGPU)
- Attack vectors: VM escape via GPU driver bugs, GPU memory isolation bypasses
- Cloud environments: Exploiting shared GPU in AWS, Azure, GCP instances
- Research: VMware GPU virtualization security research
10. **Graphics API Vulnerabilities**
- OpenGL: Legacy graphics API, vulnerabilities in shader compilers, extensions
- Vulkan: Modern low-level graphics API, explicit memory management
- DirectX: Windows graphics API (D3D11, D3D12)
- Metal: Apple's graphics API for macOS/iOS
- Common issues: Shader compiler bugs, invalid API state handling, memory corruption in runtime
11. **GPU Firmware Exploitation**
- GPU VBIOS/UEFI GOP (Graphics Output Protocol) vulnerabilities
- GPU microcontroller firmware: NVIDIA GSP (GPU System Processor), AMD SMU (System Management Unit)
- Firmware update mechanisms: Exploiting insecure BIOS flashing
- Persistent threats: GPU firmware rootkits, BIOS-level implants
- Tools: NVIDIA NVFlash, AMD VBFlash, GPU-Z BIOS dumping
12. **CUDA & GPU Compute Exploitation**
- CUDA: NVIDIA's parallel computing platform (widely used in AI/ML)
- GPU compute vulnerabilities: Kernel memory leaks, buffer overflows in CUDA kernels
- OpenCL/ROCm exploitation: Cross-platform GPU compute security
- AI/ML attacks: Poisoning GPU-accelerated machine learning models
- Cryptocurrency mining malware: GPU hijacking for cryptojacking
13. **GPU Fuzzing & Vulnerability Discovery**
- Syzkaller: Google's kernel fuzzer, supports GPU driver fuzzing
- AFL++: Fuzzing GPU userspace libraries and APIs
- IOCTL fuzzing: Targeting GPU driver control interfaces
- Shader fuzzing: Finding bugs in shader compilers (GLSL, HLSL, SPIR-V)
- Coverage-guided fuzzing: Instrumented GPU driver fuzzing for code coverage
14. **Notable GPU Exploits & CVEs**
- **CVE-2024-0109 (2024)**: NVIDIA GPU driver privilege escalation - critical severity
- **CVE-2024-21762 (2024)**: AMD Radeon driver memory corruption
- **CVE-2024-23211 (2024)**: Qualcomm Adreno GPU remote code execution
- **CVE-2023-4295 (2023)**: Intel graphics driver actively exploited
- **LeftoverLocals (2024)**: GPU memory disclosure affecting AMD, Apple, Qualcomm GPUs
- **QualpWN (2019)**: Tencent's Qualcomm Adreno GPU vulnerability chain
- **Project Zero**: Numerous NVIDIA/AMD/Intel GPU driver vulnerabilities disclosed
15. **Legal & Ethical Considerations**
- GPU security research is legal when conducted on your own hardware
- NVIDIA, AMD, Intel, Qualcomm have bug bounty programs for GPU driver vulnerabilities
- Unauthorized exploitation of cloud GPU instances is illegal
- Always obtain proper authorization before testing GPU systems
- Responsible disclosure through vendor security teams or coordinated disclosure platforms
16. **2024-2025 GPU Exploitation Trends**
- Increased focus on AI/ML GPU workload security (CUDA exploits)
- Cloud GPU exploitation: Attacking shared GPU in AWS, Azure, GCP
- LeftoverLocals-style GPU memory disclosure vulnerabilities
- GPU side-channel attacks for cryptographic key extraction
- NVIDIA H100/A100 security research (datacenter GPUs)
- AMD Instinct MI300 exploitation research (AI accelerators)
- Qualcomm Adreno exploitation for Android privilege escalation
- GPU firmware rootkit research (persistent GPU-level malware)
- **CVE-2024-0109**, **CVE-2024-21762**, **CVE-2024-23211**: Critical GPU driver vulnerabilities
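The IOMMU mitigations named in note 8 (VT-d, AMD-Vi, PCIe ACS) can be verified from the kernel's own interfaces. The following audit is an added example, not code from the Offensive-Resources project; it reads `/proc/cmdline` and `/sys/kernel/iommu_groups`, both passed in as parameters so it can be exercised against a constructed tree, and the GPU address `0000:01:00.0` is a placeholder.

```python
"""IOMMU/DMA-isolation audit for a GPU on Linux.

Added example for this list's GPU DMA notes; it is not code from the
Offensive-Resources project. It reads the kernel's own interfaces:
  /proc/cmdline             boot parameters (intel_iommu=, amd_iommu=, iommu=)
  /sys/kernel/iommu_groups  one numbered directory per IOMMU group, each with
                            a devices/ directory naming the PCI functions in it
Both locations are parameters so the logic can run against a constructed tree.
The GPU address 0000:01:00.0 used in __main__ is a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import Path

IOMMU_KEYS = ("intel_iommu", "amd_iommu", "iommu")


@dataclass
class IommuReport:
    active: bool                   # kernel exposes at least one IOMMU group
    cmdline_flags: dict[str, str]  # iommu-related boot parameters found
    passthrough: bool              # iommu=pt: host-owned devices use identity maps
    groups: dict[str, list[str]] = field(default_factory=dict)  # group id -> BDFs


def parse_cmdline(cmdline: str) -> dict[str, str]:
    """Collect iommu-related key=value pairs from a kernel command line."""
    flags: dict[str, str] = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        if key in IOMMU_KEYS:
            flags[key] = value
    return flags


def read_groups(groups_dir: Path) -> dict[str, list[str]]:
    """Map each IOMMU group id to the PCI functions (BDFs) it contains."""
    groups: dict[str, list[str]] = {}
    if not groups_dir.is_dir():
        return groups
    for grp in groups_dir.iterdir():
        dev_dir = grp / "devices"
        groups[grp.name] = sorted(d.name for d in dev_dir.iterdir()) if dev_dir.is_dir() else []
    return groups


def audit(cmdline: str, groups_dir: Path) -> IommuReport:
    """Combine boot parameters and group layout into one report."""
    flags = parse_cmdline(cmdline)
    groups = read_groups(groups_dir)
    return IommuReport(active=bool(groups), cmdline_flags=flags,
                       passthrough=flags.get("iommu") == "pt", groups=groups)


def group_peers(report: IommuReport, bdf: str) -> list[str] | None:
    """Other functions in the same group as `bdf`. A non-empty list means the
    device cannot be isolated on its own (usually missing or disabled PCIe ACS
    upstream of it). None means the device is in no group at all."""
    for devices in report.groups.values():
        if bdf in devices:
            return [d for d in devices if d != bdf]
    return None


def findings(report: IommuReport, gpu_bdf: str) -> list[str]:
    """Human-readable weaknesses in the DMA isolation of `gpu_bdf`."""
    out: list[str] = []
    if not report.active:
        out.append("no IOMMU groups: device DMA is not remapped or isolated")
    for key in ("intel_iommu", "amd_iommu"):
        if report.cmdline_flags.get(key) == "off":
            out.append(f"{key}=off: IOMMU explicitly disabled on the command line")
    if report.passthrough:
        out.append("iommu=pt: host-owned devices get identity mappings, so their DMA is unrestricted")
    peers = group_peers(report, gpu_bdf)
    if peers is None:
        out.append(f"{gpu_bdf} is in no IOMMU group")
    elif peers:
        out.append(f"{gpu_bdf} shares its IOMMU group with {', '.join(peers)} (check PCIe ACS)")
    return out


if __name__ == "__main__":
    cmdline_file = Path("/proc/cmdline")
    report = audit(cmdline_file.read_text() if cmdline_file.exists() else "",
                   Path("/sys/kernel/iommu_groups"))
    for line in findings(report, "0000:01:00.0") or ["no findings"]:
        print(line)
```

A GPU that shares its group with other functions (often its own audio function, or every device behind a switch without ACS) cannot be passed to a VM without also exposing those peers.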
# macOS Exploitation
## Books & Whitepapers
* [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi](https://www.wiley.com/en-us/The+Mac+Hacker%27s+Handbook-p-9780470395363)
* [macOS and iOS Internals, Volume III: Security & Insecurity by Jonathan Levin](http://newosxbook.com/index.php)
* [*OS Internals (Volumes I, II, III) by Jonathan Levin - Comprehensive macOS Internals](http://newosxbook.com/)
* [Mac OS X Internals: A Systems Approach by Amit Singh](https://www.amazon.com/Mac-OS-Internals-Systems-Approach/dp/0321278542)
* [Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It by Jonathan Zdziarski](https://www.oreilly.com/library/view/hacking-and-securing/9781449325213/)
* [Mac Malware: The Art and Science of Detection (SentinelOne Whitepaper)](https://www.sentinelone.com/resources/mac-threat-hunting/)
* [Examining Pointer Authentication on macOS (Google Project Zero Paper)](https://googleprojectzero.blogspot.com/2019/02/examining-pointer-authentication-on.html)
* [macOS Kernel Exploitation: Attacks and Mitigations (SyScan 2014)](https://www.slideshare.net/i0n1c/syscan-2014-macOS-kernel-exploitation)
* [Exploiting the XNU Kernel in El Capitan (Black Hat 2016 - Liang Chen)](https://www.blackhat.com/docs/us-16/materials/us-16-Chen-Attacking-The-XNU-Kernel-In-El-Capitan.pdf)
* [macOS Security and Privilege Escalation (Phrack Magazine)](http://phrack.org/issues/69/6.html)
* [Advanced macOS Exploitation Techniques (USENIX Security)](https://www.usenix.org/conference/usenixsecurity23/presentation/macos)
* [XCSSET: macOS Malware Campaign Analysis (Trend Micro 2021)](https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf)
* [Silver Sparrow: macOS M1 Malware Analysis (Red Canary 2021)](https://redcanary.com/blog/clipping-silver-sparrows-wings/)
* [macOS Transparency, Consent, and Control (TCC) Bypass Research](https://wojciechregula.blog/post/play-the-music-and-bypass-tcc-aka-cve-2020-29621/)
* [macOS Gatekeeper Bypass Techniques (Objective-See Research)](https://objective-see.com/blog.html)
* [Attacking the macOS XPC Security Model (NCC Group 2020)](https://research.nccgroup.com/2020/06/30/attacking-the-macos-xpc-model/)
* [macOS System Integrity Protection (SIP) Bypass Research (Project Zero)](https://googleprojectzero.blogspot.com/2021/01/macos-sip-bypass.html)
* [The Mac Security Blog by Patrick Wardle (Objective-See)](https://objective-see.com/blog.html)
* [macOS Exploit Development: Zero to Hero (OffensiveCon 2023)](https://www.offensivecon.org/trainings/2023/macos-exploit-development.html)
* [Analyzing FORCEDENTRY: Zero-Click iMessage Exploit (Citizen Lab 2021)](https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/)
## Courses
* [Offensive Security: Advanced macOS Control Bypasses (EXP-312)](https://www.offsec.com/courses/exp-312/)
* [Exodus Intelligence: macOS Vulnerability Research & Exploitation Training](https://www.exodusintel.com/training/)
* [OffensiveCon: macOS Offensive Security Workshops](https://www.offensivecon.org/)
* [ZeroNights Training: macOS Security & Exploitation](https://zeronights.ru/)
* [Azeria Labs: ARM64 Assembly & macOS Reverse Engineering](https://azeria-labs.com/)
* [Objective-See Training: macOS Security Internals](https://objective-see.com/)
* [Signal Labs: macOS Application Security Assessment](https://www.signal-labs.com/)
* [Corellium Training: macOS Kernel Debugging and Exploit Development](https://www.corellium.com/)
## Labs & Tools
**GitHub Resource Collections:**
* [GitHub: michalmalik/osx-re-101 - OSX/iOS Reverse Engineering Resources](https://github.com/michalmalik/osx-re-101)
* [GitHub: kai5263499/osx-security-awesome - OSX/iOS Security Resources](https://github.com/kai5263499/osx-security-awesome)
* [GitHub: houjingyi233/macOS-iOS-system-security - macOS/iOS System Security](https://github.com/houjingyi233/macOS-iOS-system-security)
* [GitHub: ashishb/osx-and-ios-security-awesome - macOS Security Tools Collection](https://github.com/ashishb/osx-and-ios-security-awesome)
**Kernel Exploits:**
* [GitHub: A2nkF/macOS-Kernel-Exploit - CVE-2019-8781 Exploit](https://github.com/A2nkF/macOS-Kernel-Exploit)
* [GitHub: jeffball55/intro_to_xnu_exploitation - XNU Exploitation Introduction](https://github.com/jeffball55/intro_to_xnu_exploitation)
**Official Sources:**
* [XNU Kernel Source Code (Darwin)](https://github.com/apple/darwin-xnu)
* [Apple OSS Distributions - XNU Kernel](https://github.com/apple-oss-distributions/xnu)
**Security Tools:**
* [Objective-See Security Tools - macOS Security Utilities](https://objective-see.com/products.html)
* [lldb - macOS Debugger (Apple's Official Debugger)](https://lldb.llvm.org/)
* [Hopper Disassembler - macOS Binary Analysis Tool](https://www.hopperapp.com/)
* [Ghidra - macOS Kernel & Binary Reverse Engineering](https://ghidra-sre.org/)
* [IDA Pro - macOS ARM64/x86_64 Disassembly & Debugging](https://hex-rays.com/ida-pro/)
* [Frida - Dynamic Instrumentation for macOS](https://frida.re/)
* [dtrace - macOS Dynamic Tracing Framework](https://dtrace.org/guide/preface.html)
* [class-dump - Objective-C Class Dumper for macOS](https://github.com/nygard/class-dump)
* [Keystone Engine - Assembler Framework for macOS Exploitation](https://www.keystone-engine.org/)
* [SuspiciousPackage - macOS Package Inspector](https://mothersruin.com/software/SuspiciousPackage/)
* [KnockKnock - macOS Persistence Detection Tool](https://objective-see.com/products/knockknock.html)
* [BlockBlock - macOS Persistence Monitor](https://objective-see.com/products/blockblock.html)
* [LuLu - macOS Firewall & Network Monitor](https://objective-see.com/products/lulu.html)
* [OverSight - macOS Webcam & Microphone Monitor](https://objective-see.com/products/oversight.html)
* [FileMonitor - macOS File System Monitor](https://objective-see.com/products/filemonitor.html)
* [macOS Kernel Debugging with LLDB](https://developer.apple.com/documentation/xcode/debugging-kernel-extensions)
* [SF Symbols - Apple's macOS Icon Library (for app analysis)](https://developer.apple.com/sf-symbols/)
## Blogs & Series
* [CVE-2025-24085: macOS XNU Kernel Use-After-Free - Actively Exploited (2025)](https://support.apple.com/en-us/HT214081)
* [CVE-2024-44243: macOS TCC Bypass via Safari (2024)](https://support.apple.com/en-us/HT214120)
* [CVE-2024-44133: macOS Kernel Privilege Escalation - Exploit in the Wild (2024)](https://support.apple.com/en-us/HT214119)
* [CVE-2024-27815: macOS Gatekeeper Bypass (2024)](https://support.apple.com/en-us/HT214096)
* [Objective-See Blog: macOS Malware & Vulnerability Research](https://objective-see.com/blog.html)
* [Patrick Wardle: macOS Security Research & Exploits](https://twitter.com/patrickwardle)
* [Jonathan Levin's Blog (*OS Internals & Exploitation)](http://newosxbook.com/articles/)
* [Google Project Zero: macOS Exploits & Research](https://googleprojectzero.blogspot.com/search/label/macOS)
* [Wojciech Regula: macOS TCC Bypass Research](https://wojciechregula.blog/)
* [Cedric Owens: macOS Red Team Research](https://cedowens.medium.com/)
* [Phil Stokes: macOS Malware Analysis (SentinelOne)](https://www.sentinelone.com/blog/author/philstokes/)
* [Thomas Reed: macOS Security & Malwarebytes Research](https://blog.malwarebytes.com/author/thomas-reed/)
* [Jamf Threat Labs: macOS Security Research](https://www.jamf.com/blog/)
* [Csaba Fitzl: macOS Security & Reverse Engineering](https://theevilbit.github.io/)
* [Offensive macOS Research by Cody Thomas](https://medium.com/@its_a_feature_)
* [The Mac Security Blog (Intego)](https://www.intego.com/mac-security-blog/)
* [FORCEDENTRY: Zero-Click macOS/iOS iMessage Exploit (Citizen Lab 2021)](https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/)
* [XCSSET: macOS Malware Exploiting Xcode Projects (2020-2021)](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/xcsset-mac-malware-infects-xcode-projects-uses-0-days)
* [SolarWinds Supernova: macOS Implant Analysis (2021)](https://www.sentinelone.com/blog/solarwinds-supernova-a-novel-net-webshell/)
* [macOS Monterey Security Changes & Bypasses (Wojciech Regula 2021)](https://wojciechregula.blog/post/macos-monterey-security-changes/)
## Presentations & Conferences
* [Black Hat USA: macOS Security & Exploitation Talks](https://www.blackhat.com/html/archives.html)
* [DEF CON: macOS Hacking Village & Presentations](https://www.defcon.org/)
* [Pwn2Own: macOS Safari & Kernel Exploit Demonstrations](https://www.zerodayinitiative.com/Pwn2Own.html)
* [Objective by the Sea: Annual macOS Security Conference](https://objectivebythesea.org/)
* [OffensiveCon: macOS Exploitation Workshops](https://www.offensivecon.org/)
* [INFILTRATE: macOS Offensive Security Conference](https://infiltratecon.com/)
* [POC (Power of Community) - macOS Kernel Exploitation](https://powerofcommunity.net/)
* [SyScan: macOS Security & Exploitation Archive](https://www.syscan.org/)
* [HITB (Hack in The Box): macOS Security Research](https://conference.hitb.org/)
* [RSA Conference: macOS Enterprise Security Track](https://www.rsaconference.com/)
## Videos
* [Patrick Wardle (Objective-See): macOS Security Talks](https://www.youtube.com/c/ObjectiveSeeSecurity)
* [LiveOverflow: macOS Hacking & Reverse Engineering](https://www.youtube.com/c/LiveOverflow)
* [Objective by the Sea Conference Videos](https://objectivebythesea.org/v4/talks.html)
## Notes
1. **XNU Kernel Exploitation**
- XNU is a hybrid kernel (Mach microkernel + BSD components), shared with iOS
- Common targets: IOKit drivers, network stack, file systems, kext vulnerabilities
- Modern mitigations: KASLR, kernel PAC (KPAC on Apple Silicon), zone_require, PPL (Page Protection Layer)
- Exploitation techniques: Use-after-free, heap feng shui, OOL (out-of-line) ports, arbitrary read/write primitives
- Tools: lldb with KDK (Kernel Debug Kit), IDA Pro, Ghidra, dtrace
2. **Gatekeeper Bypass**
- Gatekeeper enforces code signing and notarization for downloaded applications
- Historical bypasses: archive format exploits, symlink attacks, quarantine attribute manipulation
- CVE-2024-27815 (2024): Recent Gatekeeper bypass allowing unsigned code execution
- Research: Objective-See's extensive Gatekeeper bypass research (Patrick Wardle)
3. **System Integrity Protection (SIP) Bypass**
- SIP prevents modification of system files and processes, even with root privileges
- Introduced in macOS El Capitan (10.11), restricts access to /System, /usr, /bin, etc.
- Bypass techniques: kernel exploits, NVRAM manipulation, Recovery Mode abuse
- CVE-2021-30892 (2021): SIP bypass via InstallerConnection XPC service
- Research: Google Project Zero's SIP bypass research
4. **Transparency, Consent, and Control (TCC) Bypass**
- TCC controls app access to sensitive data (location, camera, microphone, contacts, photos, etc.)
- TCC database: /Library/Application Support/com.apple.TCC/TCC.db (SQLite)
- Bypass techniques: synthetic clicks, accessibility API abuse, database manipulation, XPC exploits
- Notable: CVE-2020-29621 (Music.app TCC bypass), CVE-2024-44243 (Safari TCC bypass)
- Research: Wojciech Regula's extensive TCC bypass research
5. **macOS Sandboxing & Entitlements**
- App Sandbox restricts application capabilities (file access, network, IPC)
- Entitlements define app privileges (e.g., com.apple.security.cs.allow-dyld-environment-variables)
- Sandbox profiles written in SBPL (Sandbox Profile Language)
- Exploitation: sandbox escapes via XPC, Mach ports, shared memory
6. **XPC Service Exploitation**
- XPC is macOS's primary inter-process communication (IPC) mechanism
    - Attack surface: privileged helper tools, LaunchDaemons, XPC services running as root
    - Common vulnerabilities: improper entitlement checks, lack of input validation, race conditions
    - Research: NCC Group's "Attacking the macOS XPC Model" (2020)
7. **Code Signing & Notarization**
    - All apps must be signed with valid Apple Developer ID
    - Notarization: Apple scans apps for malware before distribution (macOS 10.15+)
    - Ad-hoc signing vs. Developer ID signing
    - Self-signing techniques for local exploitation
8. **macOS Persistence Techniques**
    - LaunchAgents/LaunchDaemons (plist files in /Library/LaunchAgents, ~/Library/LaunchAgents)
    - Login items (LSSharedFileList API)
    - Cron jobs, periodic scripts
    - Dylib hijacking, dylib proxying
    - Kernel extensions (kexts) - deprecated on Apple Silicon
    - System extensions (macOS 10.15+)
    - Tools: KnockKnock, BlockBlock for persistence detection
9. **Notable macOS Exploits & Campaigns**
    - **FORCEDENTRY (2021)**: Zero-click iMessage exploit targeting macOS/iOS (NSO Group Pegasus)
    - **XCSSET (2020-2021)**: macOS malware exploiting Xcode projects, Safari 0-days
    - **Silver Sparrow (2021)**: macOS M1 malware discovered on 30,000+ Macs
    - **CVE-2025-24085 (2025)**: XNU kernel use-after-free, actively exploited in the wild
    - **CVE-2024-44133 (2024)**: Kernel privilege escalation exploited in the wild
    - **CVE-2024-27815 (2024)**: Gatekeeper bypass allowing unsigned code execution
10. **Apple Silicon (M1/M2/M3/M4) Security**
    - ARM64 architecture with Apple-designed SoCs
    - Pointer Authentication (PAC): Hardware-based code integrity
    - Secure Enclave: Hardware-isolated processor for cryptographic operations
    - Kernel extensions (kexts) no longer supported, replaced by System Extensions
    - Boot security: Secure Boot, Signed System Volume (SSV)
    - Research challenges: Limited kernel debugging on Apple Silicon
11. **macOS Malware Analysis**
    - Common malware families: Shlayer, OSX.Dok, MacKeeper, Genieo, Flashback
    - 2024-2025 trends: Infostealer malware targeting crypto wallets, password managers
    - Detection evasion: TCC bypasses, Gatekeeper bypasses, process injection
    - Tools: Objective-See suite (KnockKnock, BlockBlock, LuLu, OverSight), VirusTotal, ANY.RUN
12. **Legal & Ethical Considerations**
    - macOS security research is legal when conducted on your own devices
    - Apple Security Bounty offers rewards up to $1 million for critical macOS exploits
    - Unauthorized access to others' macOS systems is illegal under CFAA (US)
    - Responsible disclosure through Apple Product Security or coordinated disclosure platforms
    - Never use exploits for unauthorized access, stalkerware, or malicious purposes
13. **2024-2025 macOS Exploitation Trends**
    - Increased focus on TCC bypass techniques (privacy controls evasion)
    - Apple Silicon (M-series) exploitation research growing
    - Zero-click exploits targeting iMessage, FaceTime, AirDrop
    - Gatekeeper bypass research continues (notarization evasion)
    - SIP bypass research for persistence and defense evasion
    - macOS Sequoia (macOS 15) hardening: enhanced TCC, improved XPC validation
    - **CVE-2025-24085** and **CVE-2024-44133**: Actively exploited kernel vulnerabilities
    - Growing macOS malware ecosystem targeting enterprise environments
    - M4 chip security research (released 2024)
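The persistence notes in item 8 above name the launchd plist directories and point to KnockKnock and BlockBlock for detection. The script below is an added example written for this list, not code from this repository or from Objective-See: it parses LaunchAgent/LaunchDaemon plists with Python's standard `plistlib` and reports the traits a reviewer triages first (a program outside Apple-signed system paths, an interpreter as the launched program, a hidden-directory argument, RunAtLoad/KeepAlive/scheduled execution). Both embedded sample plists are constructed; `com.example.updater`, `com.example.helperd`, `/usr/libexec/helperd` and the hidden script path are invented for the example.

```python
"""Audit launchd property lists for the persistence traits listed above.

Added example for this resource list (not code from any project it links).
Both sample plists at the bottom are constructed; labels and paths are invented.
"""
import os
import plistlib

# Binaries under these prefixes live on the Signed System Volume and are
# Apple-signed; a job that points elsewhere deserves a closer look.
TRUSTED_PROGRAM_PREFIXES = (
    "/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/",
)
# A persisted interpreter is the usual shape of a script-based dropper's job.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "osascript", "perl", "ruby", "curl"}
# Indicators that make a job worth triage, as opposed to ordinary launchd options.
RISK_INDICATORS = {"no-program", "untrusted-program-path", "interpreter-program", "hidden-path-argument"}
# Persistence locations named in the notes above, plus the system daemon directory.
LAUNCHD_DIRS = (
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
)


def program_of(job):
    """Return (executable, argv) whether the job uses Program or ProgramArguments."""
    args = [str(a) for a in job.get("ProgramArguments", [])]
    program = job.get("Program") or (args[0] if args else "")
    return program, args


def audit_launchd_job(plist_bytes):
    """Parse one plist and return its label, program, indicators and a verdict."""
    job = plistlib.loads(plist_bytes)
    program, args = program_of(job)
    indicators = []

    if not program:
        indicators.append("no-program")
    elif not program.startswith(TRUSTED_PROGRAM_PREFIXES):
        indicators.append("untrusted-program-path")
    if os.path.basename(program) in INTERPRETERS:
        indicators.append("interpreter-program")
    # A path component beginning with "." keeps the payload out of Finder's default view.
    if any(a.startswith("/") and "/." in a for a in args):
        indicators.append("hidden-path-argument")
    if job.get("RunAtLoad"):
        indicators.append("run-at-load")
    if job.get("KeepAlive"):
        indicators.append("keep-alive")
    if job.get("StartInterval") or job.get("StartCalendarInterval"):
        indicators.append("scheduled")

    return {
        "label": job.get("Label", "<no Label>"),
        "program": program,
        "indicators": indicators,
        "suspicious": any(i in RISK_INDICATORS for i in indicators),
    }


def audit_launchd_dirs(dirs=LAUNCHD_DIRS):
    """Audit every .plist in the given directories; directories that do not exist are skipped."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    results.append((path, audit_launchd_job(fh.read())))
            except (plistlib.InvalidFileException, OSError) as exc:
                results.append((path, {"error": str(exc)}))
    return results


# Constructed sample: a dropper-shaped agent running a hidden script via /bin/sh.
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/Users/alice/Library/.cache/update.sh</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed sample: a system-style daemon that should not be flagged.
SAMPLE_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helperd</string>
    <key>Program</key><string>/usr/libexec/helperd</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_AGENT, SAMPLE_DAEMON):
        print(audit_launchd_job(sample))
    for path, result in audit_launchd_dirs():
        print(path, result)
```

Run with no arguments, it prints the verdict for the two constructed samples and then audits the real launchd directories present on the machine. The indicators are deliberately split into risk signals and plain launchd options: RunAtLoad and KeepAlive appear on many legitimate jobs, so they are reported for context but only an untrusted path, an interpreter program or a hidden-path argument marks a job suspicious.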
# Satellite Hacking
## Books & Whitepapers
- [The Spacecraft Hacker's Handbook](https://nostarch.com/spacecraft-hacking)
- [Satellite hacking: A guide for the perplexed](https://librarysearch.bond.edu.au/discovery/fulldisplay/alma9930726583002381/61BOND_INST:BOND)
- [Satellite Network Threats Hacking & Security Analysis](https://www.amazon.com/Satellite-Network-Threats-Security-Analysis/dp/1535252545)
- [Advanced Penetration Testing: Hacking Satellite Communication](https://www.amazon.com.be/-/en/Richard-Knowell/dp/B0CXSJJKVW)
- [Cybersecurity for Space](https://www.google.it/books/edition/Cybersecurity_for_Space/31DaDwAAQBAJ?hl=it&gbpv=0)
- [Cybersecurity for Space: Protecting the Final Frontier](https://www.amazon.com/Cybersecurity-Space-Protecting-Final-Frontier/dp/1484257316)
- [Satellite Network Hacking & Security Analysis (Journal)](https://www.cscjournals.org/manuscript/Journals/IJCSS/Volume10/Issue1/IJCSS-1200.pdf)
- [Satellite Cyberattack Whitepaper (HDI Global)](https://www.hdi.global/globalassets/_local/international/downloads/specialty/hdis209_satellite-cyberattack_whitepaper_v8_05july21-1.pdf)
- [Satellite Hacking: Cybersecurity Threats in Space IoT Systems](https://www.amazon.com/Satellite-Hacking-Cybersecurity-Offensive-Strategies/dp/B0F6CR3R3S)
- [The Dark Art and Science of GPS Spoofing](https://www.amazon.com.be/-/en/Gareth-Morgan-Thomas/dp/B0DS2HXYBM)
- [Safeguarding Satellite Communications](https://www.wiley.com/en-us/Safeguarding+Satellite+Communications%3A+Issues%2C+Challenges%2C+and+Solutions-p-9781394304295)
- [Hack-A-Sat 4 Finalist Technical Papers](https://github.com/cromulencellc/hackasat-finals-2023/blob/main/team_writeups/HAS4%20Finalist%20Tech%20Papers.pdf)
- [Hack-A-Sat 2 Finalist Technical Papers](https://github.com/cromulencellc/hackasat-final-2021/blob/main/HAS2%20Finalist%20Technical%20Papers%20Distro%20A.pdf)
- [Satellite Security Technical Paper](https://2ea998fc-9f95-482a-87f8-dd57460966a8.filesusr.com/ugd/e741d3_daa22cd1e5234b8f9139fa9c7406be29.pdf)
## Courses
- [Space Hacking Certification (SHC)](https://is4.org/program/space-hacking-certification-shc/)
- [Certified Space Security Specialist Professional (CSSSP)](https://is4.org/program/certified-space-security-specialist-professional-csssp-program-all-levels/)
- [Certified Space Penetration Professional (CSPP)](https://is4.org/program/certified-space-penetration-professional-cspp/)
- [Certified Space and Satellite Security Analyst (CSSSA)](https://is4.org/program/certified-space-and-satellite-security-analyst-csssa/)
- [Aerospace Cybersecurity: Satellite Hacking (PentestMag)](https://pentestmag.com/course/aerospace-cybersecurity-satellite-hacking-w53/)
- [Satellite Cybersecurity (Udemy)](https://www.udemy.com/course/satellite-cybersecurity/)
- [Cybersecurity and Satellite Systems Training (Tonex)](https://www.tonex.com/training-courses/cybersecurity-and-satellite-systems-training-cybersecurity-and-satcom-training/)
## Labs
- [Hacking Satellites: Analysis and Defense Lab (Medium Archive)](https://web.archive.org/web/20210811055826/https://medium.com/codex/hacking-satellites-analysis-and-defense-lab-58fad6830efa)
- [How to Hack a Vulnerable Satellite (PwnSat Project)](https://undercodetesting.com/how-to-hack-a-vulnerable-satellite-pwnsat-project/)
- [Satellite Hacking Workshop (GitHub)](https://github.com/Faizan-Khanx/SatelliteHacking-Workshop)
- [Hack-A-Sat Finals 2023 Resources](https://github.com/cromulencellc/hackasat-finals-2023)
- [Hack-A-Sat Finals 2022 Resources](https://github.com/cromulencellc/hackasat-finals-2022)
- [Hack-A-Sat Finals 2021 Resources](https://github.com/cromulencellc/hackasat-final-2021)
- [DoD Hack-A-Sat Library](https://github.com/deptofdefense/hack-a-sat-library)
## Blogs & Series
- [Satellite Hacking (Black Hills Infosec)](https://www.blackhillsinfosec.com/satellite-hacking/)
- [Satellite Hacking: An Introduction (Hackers-Arise)](https://hackers-arise.com/satellite-hacking-an-introduction-to-satellites-and-satellite-systems/)
- [Satellite Hacking: Hacking the Iridium System (Hackers-Arise)](https://hackers-arise.com/satellite-hacking-hacking-the-iridium-satellite-system/)
- [Satellite Hacking Part 1: Getting Started (Hackers-Arise)](https://hackers-arise.com/satellite-hacking-part-1-getting-started/)
- [Hacking a Satellite: More Common Than You Think (Medium)](https://medium.com/predict/hacking-a-satellite-more-common-than-you-think-eda4e911277a)
## Presentations & Conferences
- [Hacking Satellites with Software Defined Radio (Video)](https://www.youtube.com/watch?v=SRQza6IxOjo)
- [Hacking Satellites: Hardware & Software (Video)](https://www.youtube.com/watch?v=-_cSuaEOXIw)
- [The Risk to Space & Satellite Communications (SANS)](https://www.sans.org/presentations/the-risk-to-space-as-satellite-communications-systems-and-ground-networks-are-the-new-target-for-attackers)
- [A Wake-up Call for SATCOM Security](https://www.youtube.com/watch?v=wg2eNFWuxcY)
- [Hacking Satellites with Software Defined Radio (DEF CON 28)](https://www.youtube.com/watch?v=17G8MjJc7mw)
- [Hacking Satellites: Practical Attacks](https://www.youtube.com/watch?v=PyXZX63etog)
- [Introduction to Satellite Hacking](https://www.youtube.com/watch?v=YeKswEamOl4)
- [Satellite Communications Security](https://www.youtube.com/watch?v=arPqhHQ-R4o)
- [Deep Dive into Satellite Vulnerabilities](https://www.youtube.com/watch?v=d5Sbwlu6f8o)
- [Gaining Access to Satellites](https://www.youtube.com/watch?v=Kfwiw-2TkMw)
- [Space Systems Cyber Security](https://www.youtube.com/watch?v=xIsG8GpB67A)
- [Analyzing Satellite Signals](https://www.youtube.com/watch?v=b8QWNiqTx1c)
- [Satellite Hacking Techniques](https://www.youtube.com/watch?v=WvKtdXSRvhM)
- [Securing the Final Frontier](https://www.youtube.com/watch?v=t_efCpd2PbM)
- [Attacking Satellite Ground Systems](https://www.youtube.com/watch?v=cvKaC4pNvck)
- [GPS Spoofing and Satellite Attacks](https://www.youtube.com/watch?v=TCoSRx7DpGY)
- [Satellite Network Security Analysis](https://www.youtube.com/watch?v=U1WyBP4lKZk)
- [Cyber Threats to Space Assets](https://www.youtube.com/watch?v=mT7dXJ_ob8k)
- [Exploiting Satellite Terminals](https://www.youtube.com/watch?v=Duxr1yRKRoU)
## Notes
- [Hack-A-Sat 2022 Writeups](https://github.com/cromulencellc/hackasat-finals-2022/tree/main/team_writeups)
- [DEF CON Forum: Satellite Hacking Discussion 1](https://forum.defcon.org/node/231910)
- [DEF CON Forum: Satellite Hacking Discussion 2](https://forum.defcon.org/node/232077)
## Misc (GitHub Repos, Videos, Reports)
- [SPARTA: Space Attack Research and Tactic Analysis](https://sparta.aerospace.org/)
- [ESA Space Shield (European Space Agency)](https://spaceshield.esa.int/)
# Robots Hacking
## Books & Whitepapers
- [Robot Hacking Manual (RHM) - 0.5](https://github.com/vmayoral/robot_hacking_manual/releases/download/0.5/RHM.pdf)
- [How to Kill a Robot: Hacker's Guide](https://www.amazon.com/How-Kill-Robot-Hackers-Guide/dp/B0F1KQQP83)
- [Safety, Security, and Reliability of Robotic Systems](https://www.taylorfrancis.com/books/edit/10.1201/9781003031352/safety-security-reliability-robotic-systems-brij-gupta-nadia-nedjah)
- [Robot Operating System (ROS) for Absolute Beginners](https://www.amazon.com/Robot-Operating-System-Absolute-Beginners-dp-148427749X/dp/148427749X)
- [Cybersecurity For Robotics and Autonomous Systems (Book)](https://www.amazon.com/Cybersecurity-Robotics-Autonomous-Systems-Jyothsna/dp/B0C6VTZJVH)
- [Robot Hazards: From Safety to Security](https://arxiv.org/pdf/1806.06681)
- [DevSecOps in Robotics](https://arxiv.org/pdf/2003.10402)
- [Introducing the Robot Security Framework (RSF)](https://arxiv.org/pdf/1806.04042)
- [Towards an Open Standard for Assessing Robot Security Vulnerabilities (RVSS)](https://arxiv.org/pdf/1807.10357)
- [Robotics CTF (RCTF)](https://arxiv.org/pdf/1810.02690)
- [Hacking Robots Before Skynet (Technical Appendix)](https://www.ioactive.com/wp-content/uploads/pdfs/Hacking-Robots-Before-Skynet-Technical-Appendix.pdf)
- [Current Research Issues on Cybersecurity in Robotics](https://web.archive.org/web/20200506144623/https://www.iit.cnr.it/sites/default/files/TR-05-2020.pdf)
- [Industrial Robot Ransomware: Akerbeltz](https://arxiv.org/pdf/1912.07714)
- [Introducing the Robot Vulnerability Database (RVD)](https://arxiv.org/pdf/1912.11299)
- [Advancing Cybersecurity in Smart Factories Through Autonomous Robotic Defenses](https://www.researchgate.net/publication/392862934_Advancing_Cybersecurity_in_Smart_Factories_Through_Autonomous_Robotic_Defenses)
- [Industrial Robotics and Cybersecurity (TÜV Rheinland)](https://www.tuv.com/content-media-files/master-content/global-landingpages/images/functional-safety-meets-cybersecurity/tuv-rheinland-whitepaper-robotics-en.pdf)
- [An Introduction to Robot System Cybersecurity](https://arxiv.org/pdf/2103.05789)
- [Rogue Robots: Testing the Limits of an Industrial Robot's Security](https://blackhat.com/docs/us-17/thursday/us-17-Quarta-Breaking-The-Laws-Of-Robotics-Attacking-Industrial-Robots-wp.pdf)
- [ROSploit: Cybersecurity Tool for ROS](https://www.researchgate.net/publication/332075478_ROSploit_Cybersecurity_Tool_for_ROS)
- [Real-Time Security for Robotics](https://aliasrobotics.com/files/realtimesecurity.pdf)
- [Time-Sensitive Networking for Robotics](https://dl.acm.org/doi/10.1145/3320269.3384735#sec-supp)
- [Robotics cyber security: vulnerabilities, attacks, countermeasures (2021)](https://link.springer.com/article/10.1007/s10207-021-00545-8)
- [Penetration Testing ROS (Springer 2019)](https://link.springer.com/chapter/10.1007/978-3-030-20190-6_8)
- [Security for the Robot Operating System](https://www.sciencedirect.com/science/article/abs/pii/S0921889017302762)
- [Addressing cybersecurity challenges in robotics: A comprehensive overview (2024)](https://www.sciencedirect.com/science/article/pii/S2772918424000407)
- [A Systematic Review of Sensor Vulnerabilities in Industrial Robotic Systems (2025)](https://ietresearch.onlinelibrary.wiley.com/doi/full/10.1049/cps2.70023)
- [Securing cyber-physical robotic systems (2025)](https://jis-eurasipjournals.springeropen.com/articles/10.1186/s13635-025-00186-7)
## Courses
- [Robot Hacking Manual (Training Material)](https://rhm.cybersecurityrobotics.net/)
- [Cybersecurity for Robotics and Autonomous Systems (CodeRed)](https://coderedpro.com/products/cybersecurity-for-robotics-and-autonomous-systems)
- [Cybersecurity for Robotics and Autonomous Systems (EC-Council)](https://learn.eccouncil.org/course/cybersecurity-for-robotics-and-autonomous-systems)
- [Robotics Developer Masterclass (The Construct)](https://www.theconstruct.ai/robotics-developer/)
- [Certified Ethical Hacker (CEH) - Robotics Focus (EC-Council)](https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh-compete/)
- [Using Robotics to Teach About Cybersecurity (RobotLab)](https://www.robotlab.com/blog/using-robotics-to-teach-about-cybersecurity)
- [OpenSesame: Ethical Hacking for Robotics](https://www.opensesame.com/how-ethical-hacking-keeps-robotics-secure-key-insights-for-national-robotics-week/)
- [Robotics Training & Automation Certifications 2025 (UTI)](https://www.uti.edu/blog/robotics-and-automation/2025-robotics-automation-certifications-guide)
## Labs
- [ROSPenTo: Penetration Testing Tool for ROS (GitHub)](https://github.com/jr-robotics/ROSPenTo)
- [HAROS: Static Analysis Framework for ROS](https://github.com/git-afsantos/haros)
- [Robot Cybersecurity Resources Portal](https://cybersecurityrobotics.net/resources/)
- [Penetration Testing ROS (Research Paper)](https://bernharddieber.com/publication/dieber2019penetration/)
- [Scanning the Internet for ROS Research](https://www.researchgate.net/publication/335144665_Scanning_the_Internet_for_ROS_A_View_of_Security_in_Robotics_Research)
## Blogs & Series
- [Red Teaming the ROS in Industry](https://cybersecurityrobotics.net/red-teaming-the-ros-in-industry/)
- [Building an ethical hacking robot with ROS2 & WiFi scanner](https://dev.to/sebos/building-an-ethical-hacking-robot-with-ros2-wifi-scanner-implementation-3ol5)
- [Industrial Robots at Risk: 7 Considerations for 2024](https://www.roboticstomorrow.com/story/2024/07/industrial-robots-are-at-increased-risk-of-cybersecurity-threats-7-considerations-for-2024/22826/)
- [Robotics vs Cybersecurity: Risks & Realities (2025)](https://saturnpartners.com/2025/04/robotics-vs-cybersecurity-risks-realities-and-readiness/)
- [Cybersecurity and Safety in Industrial Robotics (2025)](https://www.automationalley.com/2025/08/21/cybersecurity-and-safety-in-industrial-robotics-a-growing-imperative/)
- [The Importance of Cybersecurity in Industrial Robotics](https://c2a-sec.com/the-importance-of-cybersecurity-in-industrial-robotics-protecting-the-smart-manufacturing-floor/)
- [Cybersecurity in Robotics: Managing the New Risks](https://saturnpartners.com/2025/04/cybersecurity-in-robotics-protecting-a-rapidly-evolving-frontier/)
- [Critical Vulnerabilities in AI-Enabled Robots (2024)](https://techxplore.com/news/2024-10-critical-vulnerabilities-ai-enabled-robots.html)
## Presentations & Conferences
- [Reverse engineering and hacking Ecovacs robots (HITCON 2024 Slides)](https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf)
- [Reverse engineering and hacking Ecovacs robots (Web Presentation)](https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html)
- [Hijacking Ecovacs Home Robots via Bluetooth (DEF CON 32, 2024)](https://techcrunch.com/2024/08/12/best-hacks-security-research-black-hat-def-con-2024/)
- [Hacking Robotics (Slides)](https://www.slideshare.net/slideshow/hacking-roboticsenglish-version/44882200)
- [Hacking Robots Before Skynet (DEF CON 26)](https://www.youtube.com/watch?v=LK43J-p1H3o)
- [Breaking the Laws of Robotics (Black Hat USA 2017)](https://www.youtube.com/watch?v=tGcNefddfZM)
- [ROS 2 Security (ROSCon 2017)](https://www.youtube.com/watch?v=5pWqROTERgU&list=PLf4Fnww4KiFdjCAfs04ynv40xbpqFPibm&index=11)
- [ROS 2 Security Update (ROSCon 2018)](https://www.youtube.com/watch?v=n7BvyUgKP-M&list=PLf4Fnww4KiFdjCAfs04ynv40xbpqFPibm&index=12)
- [Hands-on with ROS 2 Security (ROSCon 2018)](https://www.youtube.com/watch?v=RKLUWnzIaP4)
- [SROS2: Usable Security for ROS 2 (ROSCon 2018)](https://vimeo.com/292703074)
- [ROS 2 Security (ROSCon 2019)](https://www.youtube.com/watch?v=5dYmpKH_3EM)
- [DDS Security (ROSCon 2019)](https://vimeo.com/378682905)
- [ROS 2 Security (ROSCon 2016)](https://vimeo.com/187705073)
- [Determinism in ROS (ROSCon 2017)](https://vimeo.com/236172830)
- [Robot Security (Ubuntu Summit)](https://www.youtube.com/watch?v=Yu3lgESCB8M)
- [ROS 2 Security Class (The Construct)](https://www.youtube.com/watch?v=jfPw8gH1i2I)
- [Talks and related about robots (Playlist)](https://www.youtube.com/playlist?list=PLf4Fnww4KiFdjCAfs04ynv40xbpqFPibm)
## Tools & Frameworks
**ROS Security & Penetration Testing:**
- [ROSPenTo: Penetration Testing Tool for ROS](https://github.com/jr-robotics/ROSPenTo)
- [Roschaos: ROS Sabotage Tool](https://github.com/jr-robotics/ROSPenTo)
- [ROSploit: Security Exploitation Framework for Robots](https://github.com/jr-robotics/ROSPenTo)
- [SROS2: Secure ROS 2](https://github.com/ros2/sros2)
**Static Analysis & Vulnerability Scanning:**
- [HAROS: Static Analysis Framework for ROS-based Code](https://github.com/git-afsantos/haros)
- [Flawfinder: C/C++ Static Analysis](https://dwheeler.com/flawfinder/)
- [RATS: Rough Auditing Tool for Security](https://github.com/andrew-d/rough-auditing-tool-for-security)
- [Cppcheck: Static Analysis for C/C++](https://cppcheck.sourceforge.io/)
- [SonarQube: Code Quality & Security](https://www.sonarsource.com/products/sonarqube/)
**Robot Exploitation & Security Research:**
- [Robot Vulnerability Database (RVD)](https://github.com/aliasrobotics/RVD)
- [Robot Security Framework (RSF)](https://github.com/aliasrobotics/robot_security_framework)
- [Aztarna: Robot Footprinting Tool](https://github.com/aliasrobotics/aztarna)
**Industrial Robot Security:**
- [IEC 62443 Compliance Tools](https://www.iec.ch/cyber-security)
- [OT Security Platforms (Nozomi Networks, Claroty, Dragos)](https://www.nozominetworks.com/)
## Notes
**2024-2025 Market & Threat Statistics:**
- Global cybersecurity in robotics market size: $4.1-$15.2 billion (2024), projected to reach $9.2-$45.3 billion by 2031-2035
- Market CAGR: 12.20%-18% (2024-2035)
- 70% of organizations reported experiencing cyber attacks in 2024
- Over 60% of robotic deployments are now connected to networks
- 80% of manufacturing firms experienced security incidents or breaches in 2024
- Cyberattacks on ICS and OT systems surged by 50% between 2021 and 2023
- North America leads the market with 38-40% global share
- Asia-Pacific is the fastest-growing regional market
**Critical Vulnerabilities (2024-2025):**
- **Sensor Exploits:** Temperature fluctuations, electromagnetic/acoustic interference, ambient light variations can be weaponized
- **AI/ML Jailbreaking:** Research published in 2024 demonstrated a 100% success rate in jailbreaking AI-powered robots
- **Authentication Issues:** Unpatched operating systems, default manufacturer passwords, unsecured internet protocols
- **Physical Access:** Exposed USB ports, RJ-45 ports, debug interfaces
- **Bluetooth Vulnerabilities:** Ecovacs robots hijacked via malicious Bluetooth signals (DEF CON 32, 2024)
- **Network Attacks:** Cross-site scripting, Telnet pivoting, man-in-the-middle attacks
**Impact & Financial Losses:**
- Downtime costs: $10,000-$100,000 per hour
- Average loss per cyberattack: Up to $2 million for manufacturers
- 2022 incident: Compromised robotic arm caused real-world equipment damage
**Attack Vectors:**
- IoT connectivity vulnerabilities
- ROS/ROS2 exposed to internet (Shodan-discoverable systems)
- Corrupted sensor logic and training data
- Rewriting control logic and disabling safety mechanisms
- XMLRPC exploitation in ROS Master and Nodes
- DDS (Data Distribution Service) security weaknesses
**Security Standards & Best Practices:**
- Implement IEC 62443 series for industrial control systems
- Network segmentation and encrypted communications
- Continuous system updates and patch management
- Regular penetration testing using ROSPenTo, HAROS, and other tools
- Secure authentication mechanisms and access controls
- Monitor for exposed ROS systems on public internet
- Deploy OT security platforms (Nozomi Networks, Claroty, Dragos)
**Regional Compliance Requirements:**
- GDPR compliance in Europe (31.8% market share)
- HIPAA compliance for healthcare robotics in North America
- ISO 27001/27002 for information security management
**Legal Warning:**
- Robot hacking without authorization is illegal and may violate the Computer Fraud and Abuse Act (CFAA), ICS security regulations, and local laws
- Always obtain written permission before testing robot systems
- Only perform security research in authorized environments (labs, CTFs, bug bounty programs)
- Unauthorized access to industrial robots can cause physical harm, equipment damage, and production shutdowns
**Research Focus Areas:**
- Cyber-physical systems (CPS) security
- Real-time security for time-sensitive robotics applications
- DevSecOps integration in robotics development lifecycle
- Robot Operating System 2 (ROS2) security architecture improvements
- AI/ML model security and adversarial robustness
## Misc (GitHub Repos, Videos, Reports)
- [Robot Hacking Manual (GitHub Repo)](https://github.com/vmayoral/robot_hacking_manual)
- [Robot Vulnerability Database (RVD)](https://github.com/aliasrobotics/RVD)
- [MORPH: Modular Open Robotics Platform for Hackers (Project)](https://hackaday.io/project/25730-morph-modular-open-robotics-platform-for-hackers)
- [MORPH (GitHub Repo)](https://github.com/roaldlemmens/morph)
- [Robo-op (GitHub Repo)](https://github.com/peopleplusrobots/robo-op)
- [Tinynav (GitHub Repo)](https://github.com/UniflexAI/tinynav)
# Vending Machine Hacking
## Books & Whitepapers
- [The Complete Vending Machine Fundamentals: Volumes 1 & 2](https://www.amazon.com/Complete-Vending-Machine-Fundamentals-Volumes/dp/1463508689)
- [Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions](https://www.amazon.com/Hacking-Point-Sale-Application-Solutions/dp/1118810112)
- [DEF CON 21: Please Insert Inject More Coins (Whitepaper)](https://www.defcon.org/images/defcon-21/dc-21-presentations/Oberli/DEFCON-21-Oberli-Please-Insert-Inject-More-Coins.pdf)
- [Attack Scenarios and Security Analysis of MQTT](https://files.core.ac.uk/download/pdf/296975884.pdf)
- [Man-in-the-Middle Attacks on MQTT based IoT networks](https://scholarsmine.mst.edu/cgi/viewcontent.cgi?article=9105&context=masters_theses)
- [Multi-Drop Bus / Internal Communication Protocol (MDB/ICP) Specification](https://256.makerslocal.org/wiki/images/f/fb/Mdb_version_4-2.pdf)
## Courses & Labs (Practical Guides)
- [Lab: Hacking MQTT (ITExamAnswers)](https://itexamanswers.net/5-1-3-7-lab-hacking-mqtt-answers.html)
- [MQTT Pentesting Guide with Hands-on Real World Attacks](https://medium.com/@vaishalinagori112/mqtt-pentesting-guide-with-hands-on-real-world-attacks-in-a-local-lab-1e19639fed3b)
- [MQTT from Zero to Hero](https://www.redalertlabs.com/blog/mqtt-from-zero-to-hero)
- [Pentesting IoT Protocol: MQTT](https://www.hackingloops.com/pentesting-iot-protocol-mqtt/)
- [IoT Pentesting 101: How to Hack MQTT](https://securitycafe.ro/2022/04/08/iot-pentesting-101-how-to-hack-mqtt-the-standard-for-iot-messaging/)
## Blogs & Series (Case Studies)
- [How I hacked the vending machine in my hostel](https://medium.com/illumination/how-i-hacked-the-vending-machine-in-my-hostel-43deae317693)
- [The Vending Machine Hack: How I Outsmarted a Snack Dispenser](https://krishna-cyber.medium.com/the-vending-machine-hack-how-i-outsmarted-a-snack-dispenser-033eab2e65d6)
- [How I Hacked Modern Vending Machines](https://hackernoon.com/how-i-hacked-modern-vending-machines-43f4ae8decec)
- [How I Hacked Vending Machine (Krevetk0)](https://krevetk0.medium.com/how-i-hacked-vending-machine-5b5a80bd5ffe)
- [The vending machine that hacked a small business](https://osintteam.blog/the-vending-machine-that-hacked-a-small-business-2025s-strangest-cyberattack-b9f74b55736c)
- [Vending Machine Hacking (Security Affairs)](https://securityaffairs.com/92537/hacking/vending-machine-hacking.html)
- [How to Secure Vending Machines from Cyber Threats](https://medium.com/@julia.samara/how-to-secure-vending-machines-from-cyber-threats-51aea7d8b7d3?source=rss------hacking-5)
- [How Hackers Can Easily Penetrate Your MQTT Solution](https://realtimelogic.com/articles/How-Hackers-Can-Easily-Penetrate-Your-MQTT-Solution)
- [MQTT Port 1883: How to Exploit](https://medium.com/@verylazytech/mqtt-message-queuing-telemetry-transport-port-1883-how-to-exploit-3ee2f6510bf4?source=rss------bug_bounty-5)
- [Message Queuing Telemetry Transport (MQTT) Hacking](https://www.ghostlulz.com/blog/message-queuing-telemetry-transport-mqtt-hacking)
## Presentations & Conferences
- [Plundering Smart Payment Terminals (DEF CON 24)](https://www.youtube.com/watch?v=4g9Id-PJrGU)
- [Hacking Cashless Vending Machines (YouTube)](https://www.youtube.com/watch?v=1JT_lTfK69Q)
- [Vending Machine Hacking Demo (YouTube)](https://www.youtube.com/watch?v=eYNaztzohhc)
- [Hacking MQTT (YouTube)](https://www.youtube.com/watch?v=fLmcZ1d8zCM)
- [Project 2501: Hacking Vending Machines (Hackaday Superconference)](https://www.youtube.com/watch?v=C7C1i8n_q4w)
## Notes
- [HackTricks: 1883 - Pentesting MQTT](https://angelica.gitbook.io/hacktricks/network-services-pentesting/1883-pentesting-mqtt-mosquitto)
## Misc (GitHub Repos, Tools)
- [MDB-Sniffer (Hardware Tool)](https://github.com/MarginallyClever/MDB-Sniffer)
# OSINT
## **Books & Whitepapers**
* **[Open Source Intelligence Techniques (11th Edition)](https://inteltechniques.com/book1.html)** by Michael Bazzell
* **[The OSINT Handbook](https://www.packtpub.com/en-us/product/the-osint-handbook-9781837635283)** (2024) by Dale Meredith
* **[The OSINT Bible](https://www.amazon.com/OSINT-Bible-Complete-Mastering-Open-Source/dp/B0DJUV17Y6)** (2024) by Trevor Shelwick
* **[Open Source Intelligence Methods and Tools](https://link.springer.com/book/10.1007/978-1-4842-3213-2)** by Nihad A. Hassan & Rami Hijazi
* **[Hunting Cyber Criminals](https://www.amazon.com/Hunting-Cyber-Criminals-Intelligence-Techniques/dp/1119540925)** by Vinny Troia
* **[We Are Bellingcat](https://www.bloomsbury.com/uk/we-are-bellingcat-9781526615756/)** by Eliot Higgins
* **[The Operator Handbook](https://www.amazon.com/Operator-Handbook-Team-OSINT-Reference/dp/B085RR67H5)** by Joshua Picolet
* **[Hiding from the Internet](https://www.inteltechniques.com/books.html)** by Michael Bazzell
* **[Social Engineering: The Science of Human Hacking](https://www.amazon.com/Social-Engineering-Science-Human-Hacking/dp/111943338X)** by Christopher Hadnagy
* **[Investigating Cryptocurrencies](https://www.wiley.com/en-us/Investigating%2BCryptocurrencies%253A%2BUnderstanding%252C%2BExtracting%252C%2Band%2BAnalyzing%2BBlockchain%2BEvidence-p-9781119480587)** by Nick Furneaux
* **[Deep Dive: Exploring the Real-world Value of OSINT](https://www.wiley.com/en-us/Deep%2BDive%253A%2BExploring%2Bthe%2BReal%2Bworld%2BValue%2Bof%2BOpen%2BSource%2BIntelligence-p-9781119933243)** by Rae Baker
* **[Kali Linux OSINT 2025](https://www.amazon.in/KALI-LINUX-OSINT-2025-Intelligence-ebook/dp/B0FRNMKGGL)** by Diego Rodrigues
* **[Open Source Intelligence (OSINT) – A Practical Introduction](https://www.taylorfrancis.com/books/mono/10.1201/9788770047180/open-source-intelligence-osint-practical-introduction-varin-khera-anand-prasad-suksit-kwanoran)** by Khera, Prasad & Kwanoran (2024)
* **[A Practical Approach to Open Source Intelligence (OSINT) - Volume 1](https://www.researchgate.net/publication/392154726_A_Practical_Approach_to_Open_Source_Intelligence_OSINT_-_Volume_1)** (ResearchGate)
* **[IC OSINT Strategy 2024-2026 (U.S. Intelligence Community)](https://www.dni.gov/files/ODNI/documents/IC_OSINT_Strategy.pdf)**
* **[Open Sources Intelligence (OSINT) Miniguide 2025](http://whitepapers.virtualprivatelibrary.net/OSINTminiguide.pdf)** by Marcus P. Zillman
* **[[1611.06737] OSSINT - Open Source Social Network Intelligence](https://arxiv.org/abs/1611.06737)**
* **[[2501.08723] Multilingual Email Phishing Attacks Detection using OSINT](https://arxiv.org/abs/2501.08723)**
* **[[2307.15225] A Secure OSINT Framework For Cyberbullying Investigation](https://arxiv.org/abs/2307.15225)**
* **[[2405.14487] A Comprehensive Overview of LLMs for Cyber Defences](https://arxiv.org/html/2405.14487v1)**
* **[[2509.17087] Governing Automated Strategic Intelligence (AUTOINT)](https://arxiv.org/abs/2509.17087)**
* **[The Digital Blueprint: Mapping Your Attack Surface with OSINT](https://preciousvincentct.medium.com/article-title-the-digital-blueprint-mapping-your-attack-surface-with-osint-before-the-adversary-ed8cde55cb7c)**
-----
## **Courses**
* **[SANS SEC497: Practical Open-Source Intelligence (OSINT)](https://www.sans.org/cyber-security-courses/practical-open-source-intelligence/)**
* **[SANS SEC587: Advanced OSINT Gathering and Analysis](https://www.sans.org/cyber-security-courses/advanced-open-source-intelligence-gathering-analysis/)**
* **[GIAC Open Source Intelligence (GOSI) Certification](https://www.giac.org/certifications/open-source-intelligence-gosi/)**
* **[McAfee Institute C|OSINT - Certified in Open Source Intelligence](https://www.mcafeeinstitute.com/products/certified-osint)**
* **[McAfee Institute AOSINT - Advanced Open Source Intelligence](https://www.mcafeeinstitute.com/products/aosint)**
* **[TCM Security: OSINT Fundamentals](https://academy.tcm-sec.com/p/osint-fundamentals)**
* **[TCM Security: Practical OSINT Research Professional (PORP) Certification](https://certifications.tcm-sec.com/porp/)**
* **[MOIS - Certified OSINT Expert (MCSI)](https://www.mosse-institute.com/certifications/mois-certified-osint-expert.html)**
* **[OSINT Industries: Open-Source Intelligence Training](https://www.osint.industries/services/training)**
* **[Tonex: Open-Source Intelligence (OSINT) Certification Program](https://niccs.cisa.gov/training/catalog/tonex/open-source-intelligence-osint-certification-program)**
* **[IntelTechniques Online Video Training](https://www.inteltechniques.com/training.html)**
* **[Basel Institute on Governance: OSINT eLearning (Free)](https://learn.baselgovernance.org/course/view.php?id=79)**
* **[Udemy: OSINT Open Source Intelligence](https://www.udemy.com/course/osint-open-source-intelligence-no-vm/)**
* **[My OSINT Training](https://www.myosint.training/)**
-----
## **Labs**
* **[TryHackMe (OSINT Path)](https://tryhackme.com/path/outline/osint)**
* **[Hack The Box (Sherlock Category)](https://www.hackthebox.com/hacker/sherlocks)**
* **[CyberDefenders (Blue Team Labs)](https://cyberdefenders.org/blue-team-training/)**
* **[Sofia Santos (Gralhix) Exercises](https://gralhix.com/)**
* **[Gralhix - List of OSINT Exercises](https://gralhix.com/list-of-osint-exercises/)**
* **[Trace Labs (Search Party)](https://www.tracelabs.org/)**
* **[GeoGuessr](https://www.geoguessr.com/)**
* **[Sourcing.Games](https://sourcing.games/)**
* **[OSINT Dojo](https://www.osintdojo.com/)**
* **[DIVER OSINT CTF](https://ctftime.org/event/2365/)**
* **[IRIS CTF 2024 - OSINT Challenges](https://hackmd.io/@vow/BybjdCJta)**
* **[Intigriti 1337Up CTF - OSINT Challenges](https://osintteam.blog/intigriti-1337up-2024-ctf-osint-challenges-82f92e275fb3)**
* **[OSINT Week CTF](https://www.cybersleuthchronicles.com/landing/osint-week-ctf-may-2024)**
* **[HackYourMom - OSINT CTF Challenges](https://hackyourmom.com/en/kibervijna/osint-ctf-challenges/)**
-----
## **Blogs & Series**
* **[Oh Shint! Blog](https://ohshint.gitbook.io/oh-shint-its-a-blog/)**
* **[WebBreacher Blog](https://webbreacher.com/)**
* **[OSINT Updates Newsletter](https://free.osintupdates.com/p/weekly-updates-5)**
* **[The Ultimate Guide to Launching a Career in OSINT](https://preciousvincentct.medium.com/the-ultimate-guide-to-launching-a-career-in-open-source-intelligence-osint-from-beginner-to-0b3dd09ec88f)**
* **[List of OSINT Resources (Medium)](https://medium.com/@loyalonlytoday/a-list-of-osint-resources-must-read-article-6f7ee11709da)**
* **[Bellingcat - Investigative Journalism & OSINT Case Studies](https://www.bellingcat.com/)**
* **[OSINT Curious - Expert Interviews & Resources](https://osintcurios.us/)**
* **[Michael Bazzell - Privacy, Security, and OSINT Show](https://inteltechniques.com/podcast.html)**
* **[Hetherington Group - Investigative Tips & Resources](https://hetheringtongroup.com/blog/)**
* **[OSINT Techniques - Complete List for Investigators](https://shadowdragon.io/blog/osint-techniques/)**
* **[OSINT Tools and Techniques - Neotas](https://www.neotas.com/osint-tools-and-techniques/)**
* **[How to Use the OSINT Framework - BitSight](https://www.bitsight.com/learn/cti/osint-framework)**
* **[Maltego - What is OSINT and How to Conduct Investigations](https://www.maltego.com/blog/what-is-open-source-intelligence-and-how-to-conduct-osint-investigations/)**
* **[The Beginner's Guide to OSINT - TechMindXperts](https://medium.com/@techmindxperts/the-beginners-guide-to-open-source-intelligence-osint-techniques-and-tools-6a91b9c37ee1)**
* **[OSINT Techniques Homepage](https://www.osinttechniques.com/)**
* **[A Guide To Open Source Intelligence - ITsec Group](https://itsec.group/blog-post-osint-guide-part-1.html)**
* **[OSINT Guide: Tools and Techniques - Authentic8](https://www.authentic8.com/blog/OSINT-techniques-and-tools-guide)**
* **[7 OSINT Blogs Every Analyst Should Read - LifeRaft](https://liferaftlabs.com/blog/7-osint-blogs-every-analyst-should-read)**
* **[OSINT Roadmap for 2025 - Key Skills & Trends](https://osintguide.com/2024/11/14/osint-roadmap/)**
* **[What Is OSINT in 2025 - Molfar Intelligence Institute](https://www.molfar.institute/en/shcho-take-osint-u-2024-gaid-vid-molfar/)**
-----
## **Presentations & Conferences**
* **[OSINT Conference (Global Event)](https://osintconference.com/)**
* **[Trace Labs Community](https://www.tracelabs.org/)**
* **[OSINT Summit (Annual Global Conference)](https://osintsummit.com/)**
* **[DEF CON OSINT Village](https://osintvillage.org/)**
* **[OSINT For All Conference](https://www.osintforall.com/)**
* **[European OSINT Forum](https://www.europeanosintforum.com/)**
* **[InfraGard National Members Alliance - OSINT Resources](https://www.infragard.org/)**
* **[OSINT World Conference](https://www.osintworld.com/)**
-----
## **Tools & Frameworks**
**All-in-One OSINT Platforms**
* **[OSINT Framework](https://osintframework.com/)** - Comprehensive collection of OSINT tools organized by category
* **[SpiderFoot](https://github.com/smicallef/spiderfoot)** - Automated OSINT reconnaissance tool
* **[Maltego](https://www.maltego.com/)** - Interactive data mining and link analysis platform
* **[Recon-ng](https://github.com/lanmaster53/recon-ng)** - Full-featured reconnaissance framework
* **[theHarvester](https://github.com/laramies/theHarvester)** - E-mail, subdomain, and name harvesting
* **[OSINT-SPY](https://github.com/SharoSec/OSINT-SPY)** - All-in-one OSINT toolkit
**Username & Social Media OSINT**
* **[Sherlock](https://github.com/sherlock-project/sherlock)** - Hunt down social media accounts by username
* **[Maigret](https://github.com/soxoj/maigret)** - Collect info about people by username across 3000+ sites
* **[Blackbird](https://github.com/p1ngul1n0/blackbird)** - Search usernames across 500+ websites
* **[WhatsMyName](https://github.com/WebBreacher/WhatsMyName)** - Username enumeration tool
* **[social-analyzer](https://github.com/qeeqbox/social-analyzer)** - API, CLI, and web app for social media analysis
**Search & Discovery Tools**
* **[Photon](https://github.com/s0md3v/Photon)** - Fast web crawler for OSINT
* **[Shodan](https://www.shodan.io/)** - Search engine for Internet-connected devices
* **[Censys](https://censys.io/)** - Internet-wide scanner and search engine
* **[Wayback Machine](https://web.archive.org/)** - Internet archive for historical website snapshots
* **[URLScan.io](https://urlscan.io/)** - URL and website scanner
**Email & Phone OSINT**
* **[Holehe](https://github.com/megadose/holehe)** - Check if an email is attached to accounts
* **[h8mail](https://github.com/khast3x/h8mail)** - Email OSINT and breach hunting
* **[Phoneinfoga](https://github.com/sundowndev/phoneinfoga)** - Phone number intelligence gathering
* **[Epieos](https://epieos.com/)** - Email and phone lookup tool
**Geolocation & Image OSINT**
* **[GeoSpy](https://geospy.ai/)** - AI-powered geolocation from images
* **[PimEyes](https://pimeyes.com/)** - Reverse image search for faces
* **[TinEye](https://tineye.com/)** - Reverse image search
* **[Google Earth](https://earth.google.com/)** - Satellite and street-level imagery
* **[SunCalc](https://www.suncalc.org/)** - Calculate sun position for geolocation verification
**Domain & Network OSINT**
* **[SecurityTrails](https://securitytrails.com/)** - DNS and domain intelligence
* **[DNSDumpster](https://dnsdumpster.com/)** - DNS recon and research
* **[BuiltWith](https://builtwith.com/)** - Website technology profiler
* **[Wappalyzer](https://www.wappalyzer.com/)** - Technology detection browser extension
* **[Amass](https://github.com/owasp-amass/amass)** - OWASP network mapping tool
**Advanced & Specialized Tools**
* **[sn0int](https://github.com/kpcyrd/sn0int)** - Semi-automatic OSINT framework and package manager
* **[Coeus](https://github.com/gxd1123/Coeus)** - Chinese-focused OSINT framework
* **[FBI-tools](https://github.com/danieldurnwalder/FBI-tools)** - Collection of OSINT browser tools
* **[OSINT-Search](https://github.com/am0nt31r0/OSINT-Search)** - Custom search queries for investigators
* **[IntelOwl](https://github.com/intelowlproject/IntelOwl)** - Intelligence orchestration platform
* **[OSINT Combine](https://www.osintcombine.com/tools)** - Commercial OSINT platform and tools
-----
## **Notes**
* **[Nixintel's OSINT Resource List (Start.me)](https://start.me/p/rx6Qj8/nixintel-s-osint-resource-list)**
* **[16osint.io Dashboard (Start.me)](https://start.me/p/1kOJ9N/16osint-io)**
* **[OSINT International (Start.me)](https://start.me/p/7kDabv/osint-international)**
* **[Mappy - Geolocation Tools (Start.me)](https://start.me/p/8ykwnj/mappy)**
-----
## **Misc (GitHub Repos, Videos, Reports)**
**GitHub Repos & Awesome Lists**
* **[Awesome OSINT (The Standard List)](https://github.com/jivoi/awesome-osint)**
* **[Awesome AI OSINT](https://github.com/ubikron/Awesome-AI-OSINT)**
* **[Awesome OSINT For Everything](https://github.com/Astrosp/Awesome-OSINT-For-Everything)**
* **[Awesome Lists (OSINT Topic)](https://awesome.ecosyste.ms/lists?topic=osint)**
* **[OSINT-Collection - 2025 Updated List](https://github.com/Ph055a/OSINT-Collection)**
* **[Social Media OSINT Tools Collection](https://github.com/WebBreacher/obsidian-osint-templates)**
* **[Awesome Social Media Analysis](https://github.com/lorien/awesome-social-media-analysis)**
* **[Awesome OSINT by Sindresorhus](https://github.com/sindresorhus/awesome)**
* **[OSINT-Framework GitHub](https://github.com/lockfale/OSINT-Framework)**
* **[OSINT Resources for Ukraine Conflict](https://github.com/tycrek/awesome-russia-ukraine-open-source-intelligence)**
**Browser Extensions & Add-ons**
* **[Forensic OSINT Browser Extension (Ubikron)](https://chromewebstore.google.com/detail/ubikron/edfkaefjonbohokoldemepfolefiplgd?pli=1)**
* **[Hunchly - Web Capture Tool for Investigations](https://www.hunch.ly/)**
* **[OSINT Combine Browser Extension](https://chrome.google.com/webstore/detail/osint-combine/)**
* **[IG Stories for Instagram OSINT](https://chrome.google.com/webstore/)**
**Commercial & Professional Platforms**
* **[Recorded Future - Threat Intelligence](https://www.recordedfuture.com/)**
* **[Palantir - Data Integration Platform](https://www.palantir.com/)**
* **[Pipl - People Search Engine](https://pipl.com/)**
* **[Social Links - Social Media Intelligence](https://sociallinks.io/)**
* **[Skopenow - Digital Investigation Platform](https://www.skopenow.com/)**
**Standards & Frameworks**
* **[MITRE ATT&CK Framework](https://attack.mitre.org/)**
* **[NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)**
* **[Intelligence Community Directive 203 - Analytic Standards](https://www.dni.gov/files/documents/ICD/ICD%20203%20Analytic%20Standards.pdf)**
**Videos & Documentaries**
* **[YouTube: OSINT Tools & Techniques (David Bombal)](https://www.youtube.com/watch?v=7zzubjKEUW4)**
* **[YouTube: Ubikron Extension Demo](https://www.youtube.com/watch?v=zgIteU4jEZs)**
* **[YouTube: Michael Bazzell - Complete OSINT Course](https://www.youtube.com/results?search_query=michael+bazzell+osint)**
* **[YouTube: SANS OSINT Summit Sessions](https://www.youtube.com/c/SANSOffensive)**
* **[YouTube: Bellingcat OSINT Case Studies](https://www.youtube.com/c/bellingcat)**
* **[YouTube: IntelTechniques Video Series](https://www.youtube.com/c/IntelTechniques)**
* **[YouTube: Trace Labs Search Party Walkthrough](https://www.youtube.com/c/TraceLabs)**
# Created By
# Thank you all, and have a good time hacking to make the internet more secure. :) Happy Hacking