Collaborate Disseminate
Over the years I tried to minimize exposure people’s faces in images on my internet presence, mostly to evade automated facial recognition tools. I tried to either not show them at all or blur/occlude them in some way or another.
However, … Continue reading Can dithering of images impede facial recognition
If a version of log4j2 is present on a server (say, 2.5 or 2.7) but the JndiLookup class does not exist in any jars, does this mean this specific implementation of log4j2 is not vulnerable to Log4Shell?
Continue reading Absence of JndiLookup class on vulnerable version number… Log4Shell safe?
Apple recently introduced CSAM detection (https://www.apple.com/child-safety/), by which an iPhone device locally detects illegal photos, before uploading to iCloud, and reports any offender to law enforcement.
While this might be helpful … Continue reading How to protect from CSAM flooding (similar to Swatting)
I want to try some ret2Libc but it doesnt open my shell with the system command.
Here is my exploitable Code:
int main(int argc, char **argv)
{
char buffer[64];
gets(buffer);
}
Now i wrote a simple python exploit:
import struct
padding=… Continue reading Ret2Libc Bufferoverflow system command isnt working
Under Apple and Google’s contact tracing scheme, Alice’s device generates a daily random value (termed a Temporary Exposure Key or TEK in the Cryptography Specification). Every 10 minutes, a Rolling Proximity Identifier (RPI) is generated … Continue reading How does the Apple/Google Exposure Notification system prevent infected users from being identified?
I am working through a report of an automated vulnerability scanner. One Item is
Web Server Misconfiguration: Insecure Content-Type Setting ( 11359 )
It’s about not returning the character-set for a given HTML page like so, for examp… Continue reading Security Report about "Insecure Content-Type Setting": Does this apply to CSS and JavaScript as well?
Note: This question is specific to the Threema Messenger, and relates to their implementation of encryption (using the NaCl ECDH implementation as per their docs).
I refer specifically to their “note on outgoing messages” in their validat… Continue reading Threema: Are received messages exposed, when sender’s private key gets compromised?
I run a small DNS server (pihole) at home behind a firewall, with some custom filtering. It mainly filters ads and trackers, plus some top level domains I want to avoid navigating to. I have an IPv4 address (not fixed) with m… Continue reading Is there something like DynDNS for a DNS service?
Situation
I am the responsible developer for an ASP.NET application that uses the “Membership” (username and password) authentication scheme. I am presented with the following report from a WebInspect scan:
WebInspect has found a sess… Continue reading Hardening ASP.NET against session fixation: Should I change the session ID despite the additional Auth cookie?
I am learning about “Session fixation” and have read the corresponding OWASP page.
In their Example 2 in the above page, they describe an attack via JavaScript, that is embedded in the URL like:
http://website.kom/<script>document…. Continue reading Can a URL contain executable JavaScript?