Collaborate Disseminate
There are many IT security frameworks/standards/regulations/etc to chose from, each with their own pros and cons. For example, IS0 27000 series, NIST CSF, NIST RMF, PCI-DSS, etc. My question is, is there a checklist that helps me decide wh… Continue reading How do I decide which security framework is most suited to my organization?
We are in the business of training. Training on Ethical Hacking. One of our module shows a demo of the Social Engineering Toolkit. The demo involves cloning of the Facebook login page. One of our members felt that we needed explicit permis… Continue reading Do I need explicit permissions to clone the FB login page for teaching and demonstration purposes? [migrated]
I am trying to set up a vulnerable machine running freeSSHd 1.2.6. The Metasploit exploit module fails with the following error:
Server encryption_client preferences: aes128-cbc,3des-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,r… Continue reading Configure the Metasploit SSH client to support `aes256-cbc`
I am looking for a service (paid/free) that monitors data breaches, scams, and other related information security incidents on behalf of a given company. Please suggest such service, if they exists.
Continue reading Service that monitors information security incidents [closed]
I can find the benchmark for Windows Server 2008 R2. However, are there different benchmarks for the standard vs enterprise?
I have read in multiple places contradictory views on what might be considered a DOM based XSS. It seems that the original definition says that it is a form of XSS where the payload originates exclusively from inside the browser, but some people also view it as a form of XSS where the payload may not necessarily originate from inside the browser, but is used to modify the DOM.
The second view is what confuses me. What exactly does it mean that the payload is used to modify the DOM? The OWASP page describing DOM XSS , gives an example which, to me seems to be the same as reflected XSS.
It says:
A DOM Based XSS attack against this page can be accomplished by sending the following URL to a victim:
http://www.some.site/page.html?default=<script>alert(document.cookie)</script>. When the victim clicks on this link, the browser sends a request for:/page.html?default=<script>alert(document.cookie)</script>. The server responds with the page containing the above Javascript code.The original Javascript code simply echoes it into the page (DOM) at runtime. The browser then renders the resulting page and executes the attacker’s script:
alert(document.cookie)
Since the payload is going from the victim’s browser to the server and coming back to the browser, how is this not reflected XSS instead?
Should I interpret this as Reflected XSS means being able to injecting <script> tags in an HTML context, and DOM based XSS means being able to inject payload inside an already existing <script>?
I have read in multiple places contradictory views on what might be considered a DOM based XSS. It seems that the original definition says that it is a form of XSS where the payload originates exclusively from inside the brow… Continue reading Is the payload for DOM based XSS defined to originate from only inside the browser or even outside of it
A part of my /etc/login.defs file looks like this:
ENCRYPT_METHOD SHA512
# Define the number of SHA rounds.
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 rang… Continue reading How does hashcat figure out the SHA CRYPT ROUNDS on a Linux password