Collaborate Disseminate
From this Quora answer:
Years ago when I was in China I was getting updated on cyber security
from one of our partnerships.
We were going over everything from basic hacks a 9 year old could do
to more sophisticat… Continue reading Do security consultants routinely demonstrate hacking into attendees’ PCs within minutes?
SSH and GPG each ask for passphrases during key generation. GPG also (at least from my experience) displays warnings if one is not provided and asks for confirmation that no security is indeed desirable.
Thus, it would seem,… Continue reading Assuming FDE, what are passphrases protecting GPG / SSH private keys useful for?
From OWASP AJAX Security Cheat Sheet:
Eval is evil, never use it. Needing to use eval usually indicates a problem in your design.
I understand that evaling untrusted JS code can lead to a whole world of pain, nonethele… Continue reading Why is it important to never use `eval` in conjunction with AJAX?
This question already has an answer here:
Protection against account lockout DoS
4 answers
Why do sites implement locking a… Continue reading Account lockout to protect from brute force: doesn’t it open up vulnerabilities to DOS attacks? [duplicate]
long story short if you can execute code on a box it is usually straightforward to get root
(quote source)
The immediate implication of this quote (if it’s accurate) is that if you’re running a multi-user system and don’t try your da… Continue reading Are most Linux systems that allow non-root users to execute code straightforwardly rootable?
Today I heard at Uni something that broke my mental model about separation of users’ rights. Namely, I heard that:
I can freely debug all programs I have the permission to run, even those that have setuid set to root.
T… Continue reading How can utilities with setuid set to root be secure if they are debuggable?
Chat webapp. Clients (that is, web browsers) send messages to the server, which the server broadcasts to all connected clients. Client-side code looks like this:
let p = document.createElement(‘p’)
p.appendChild(document.cre… Continue reading Should untrusted strings be sanitized server-side if they’re inserted into the document body through document.createTextNode?
Frequent scenario:
An old game is released on GOG / Steam.
It proves to be incompatible with new Windows systems. (Crashes, game breaking bugs, fps of 0.5 and the likes)
An unofficial patch is released by the fanbase, eithe… Continue reading Is there any way to estimate the safety of arbitrary binaries, which are usually released with unofficial patches?
Two ways to develop a web app: Either the “classical” way, completely reloading the page with each request, or the “API” way, that is make the server only send JSON data and make the client fetch it by AJAX and rebuild the pa… Continue reading Is it inherently insecure to fetch HTML and JS content from server and attach it to an existing HTML node (while executing all scripts)?
The common way to prevent CSRF requests: Each time the user loads a page that contains a form to be POSTed, the user is issued a CSRF token that it supposed to be unknown to potentially malicious third-party sites. The token … Continue reading Why can CSRF attack be prevented by issuing CSRF tokens?