Collaborate Disseminate
Researchers have discovered a weakness in the way Chrome and Firefox interact with CSS3 that could have caused them to leak usernames, profile pictures and likes from sites such as Facebook. Continue reading Bizarre Chrome and Firefox flaw exposed Facebook details
Are there any protections against users using Chrome Developer Tools to right click on a password input field, and then change input type=”pass” to “text” to reveal the password?
There are probably JavaScript ways but once a… Continue reading Protecting against input type ="password" changes? [on hold]
Diana Smith’s work is digital art on ultra-hard mode. Continue reading This Stunning Image Made With Pure Code Is Like a Mood Ring For Your Browser
Earlier this year, we posted a link to an interactive Web page. Most people seemed to like it, but we got at least one comment about how they would never be so incautious as to allow JavaScript to run on their computers. You can argue the relative merit of that statement, but it did remind us that just disabling JavaScript is no panacea when it comes to Internet security. You might wonder how you could steal data without scripting, assuming you don’t directly control the server or browser, of course. The answer is by using a cascading style sheet (CSS). …read more
Is it possible to make an XSS attack if you can inject an arbitrary file (any extension, like: .js, .html etc…) in background-image CSS property? If yes, how to do it?
Continue reading XSS – arbitrary file in background-image css property
You can use Content Security Policy to disallow style attributes, but you can just get around this just by using javascript to modify an element’s style. Isn’t this a security hole or am I missing something?
Continue reading Why doesn’t CSP block JS from modifying an element’s style?
Forex
StockMarket
I make a trade via my broker, 12:30pm at GMT+2 pre-market NYSE and will buy XIV at 23rd October 2017. It will instant fall from second my broker has made the deal, therefore broker leaked trading informat… Continue reading Can Analytics Software in iOS and macOS collect trading data? [on hold]
BIG-IP provides Local Traffic Policies that simplify the way in which you can manage traffic associated with a virtual server. You can associate a BIG-IP local traffic policy to support selective compression for types of content that can benefit from compression, like HTML, XML, and CSS style sheets. These file types can realize performance improvements, […]
The post Selective Compression on BIG-IP appeared first on Security Boulevard.
I am using the Accept known good validation strategy to sanitize user input (rich HTML) and are using a 3rd party component to do this.
The component by default requires every permitted class name to explicitly listed, but also has a checkbox to suspend this rule (i.e. every class name will be accepted). The help text for this checkbox says:
Bypassing this rule may lead to security vulnerabilities. Only grant this filter to trusted roles.
I understand by checking that box, I would permit user input such as:
<div class="exploit">…</div>
However, I am unable to think of what to replace “exploit” with that may be a security vulnerability.
Can anyone explain to me why I need to whitelist class names.
Low cost, long range, or low power — when it comes to wireless connectivity, historically you’ve only been able to pick two. But a group at the University of Washington appears to have made a breakthrough in backscatter communications that allows reliable data transfer over 2.8 kilometers using only microwatts, and for pennies apiece.
For those unfamiliar with backscatter, it’s a very cool technology that modulates data onto RF energy incident from some local source, like an FM broadcast station or nearby WiFi router. Since the backscatter device doesn’t need to power local oscillators or other hungry components, it has …read more
Continue reading Hybrid Technique Breaks Backscatter Distance Barrier