Collaborate Disseminate
XSS Auditors are security mechanisms in browsers that operate as a preventative layer against Reflected Cross-site Scripting attacks. Each browser has a different way of implementing XSS Auditors. In this blog post, we discuss Google Chrome’s rec… Continue reading XSS Auditors – Abuses, Updates and Protection
By the end of the 90s, communication between distributed systems had become a crucial necessity. One of the solutions implemented since then is the XML-RPC (Remote Procedure Call) protocol. This protocol allows remote procedure calls through data trans… Continue reading IP Disclosure of Servers Behind WAFs Using WordPress XML-RPC
A Frame Injection is a type of Code Injection vulnerability classified by OWASP Top 10 2017 in its A1 Injection category. Cross-site Scripting is naturally prioritized by bug bounty hunters since it seems easily exploitable and effective. But malicious… Continue reading Frame Injection Attacks
Beginning its journey almost ten years ago, Google Chrome has become one of the most popular web browsers on the internet and continues to prioritize speed and security in its service to users. Earlier this month at Google’s I/O 2019 conference, … Continue reading SameSite Cookies by Default in Chrome 76 and Above
The author of a bug bounty write-up published in Medium on March 20, username ‘terjanq’, demonstrated that the response to a resource varies based on the state of authorization of the user requesting it. As we explained in a previous blog post, referen… Continue reading Content-Type and Status Code Leakage
Setting cookies on domains that have multiple subdomains can pose security risks if it is implemented incorrectly. An attacker who gains access to a particular domain can conduct a session fixation attack and hijack users’ sessions on its subdoma… Continue reading Separating Subdomains From Third-Party Hosted WWW Domains
On March 13, 2019, RIPS Technologies, a company specializing in static code analysis software, released details of a Cross-site Scripting (XSS) vulnerability they found in all versions of WordPress up to 5.1.1. The vulnerability had been disclosed on v… Continue reading WordPress XSS Vulnerability Can Result in Remote Code Execution (RCE)
Application security is crucial right from the early stages of web application development. Developers and other team members involved in the product design stage should at least be aware of the need for web application security. However, recent studie… Continue reading Application Security is Vital Throughout SDLC
In this article, we discuss how the domain name of the services in the Tor network are set and what security risks they may pose. We examine a study from Princeton University concerned with the habits of Tor users in order to determine the potential im… Continue reading Behind the Scenes of Onion Services
Security researcher Brian Hyde was accepted into Synack Red Teams private bug bounty platform and discovered a Reflected XSS vulnerability in one of their programs. The difficulties he faced in exploiting this Cross-site Scripting (XSS) vulnerability, … Continue reading Transforming Self-XSS Into Exploitable XSS