css – Page 7 – WindowsTechs.com

Why should class names be whitelisted?

Posted on October 12, 2017 by Free Radical

I am using the Accept known good validation strategy to sanitize user input (rich HTML) and are using a 3rd party component to do this.

The component by default requires every permitted class name to explicitly listed, but also has a checkbox to suspend this rule (i.e. every class name will be accepted). The help text for this checkbox says:

Bypassing this rule may lead to security vulnerabilities. Only grant this filter to trusted roles.

I understand by checking that box, I would permit user input such as:

<div class="exploit">…</div>

However, I am unable to think of what to replace “exploit” with that may be a security vulnerability.

Can anyone explain to me why I need to whitelist class names.

Continue reading Why should class names be whitelisted?→

Hybrid Technique Breaks Backscatter Distance Barrier

Posted on September 19, 2017 by Dan Maloney

Low cost, long range, or low power — when it comes to wireless connectivity, historically you’ve only been able to pick two. But a group at the University of Washington appears to have made a breakthrough in backscatter communications that allows reliable data transfer over 2.8 kilometers using only microwatts, and for pennies apiece.

For those unfamiliar with backscatter, it’s a very cool technology that modulates data onto RF energy incident from some local source, like an FM broadcast station or nearby WiFi router. Since the backscatter device doesn’t need to power local oscillators or other hungry components, it has …read more

Continue reading Hybrid Technique Breaks Backscatter Distance Barrier→

xss through css color inline style

Posted on September 6, 2017 by Alex_H

I have a site that parse cookie and print message with style based on this cookie. Inline stylesheet looks like this:

.user {color: green;}
.admin {color: red;}

In a request I can change cookie and highlight message, for … Continue reading xss through css color inline style→

Threatpost News Wrap, August 25, 2017

Posted on August 25, 2017 by Chris Brook

The news of the week is discussed, including the AWS S3 leaks, Zerodium’s bounty on messaging app zero days, Ropemaker, and cobot vulnerabilities. Continue reading Threatpost News Wrap, August 25, 2017→

ROPEMAKER Exploit Allows for Changing of Email Post-Delivery

Posted on August 23, 2017 by Chris Brook

An exploit dubbed ROPEMAKER relies on taking advantage of email design functionality, namely by remotely changing CSS in HTML-based emails after they’ve been sent. Continue reading ROPEMAKER Exploit Allows for Changing of Email Post-Delivery→

Advice on building a Google chrome extension [on hold]

Posted on August 1, 2017 by JuniorSecurityResearcher

I have an existing extension it’s called ncage and it resets all user images to Nicolas Cage photos. I want to do a similar thing when users visit an Amazon or target (ecommerce). You want to buy a fruit basket? Cool. Go onli… Continue reading Advice on building a Google chrome extension [on hold]→

Cross site styling vulnerability?

Posted on March 22, 2017 by ColBeseder

I stumbled across a “vulnerability” that allows me to include an arbitrary css stylesheet in a website.

I understand that this is potentially a tool for csrf or stealing url parameters. But on its own, should it be considere… Continue reading Cross site styling vulnerability?→

DRM on CSS or even HTML files through domain locking via Javascript?

Posted on March 10, 2017 by Sparrowcide

If you are planning to downvote me to oblivion, let me clarify what this question is about:

I am not interested to prevent someone from copying my website. I know there are no foolproof method.
My goal here is to merely m… Continue reading DRM on CSS or even HTML files through domain locking via Javascript?→

Quick and Easy IoT Prototyping with Involt

Posted on February 5, 2017 by Cameron Coward

IoT, web apps, and connected devices are all becoming increasingly popular. But, the market still resembles a wild west apothecary, and no single IoT ecosystem or architecture seems to be the one bottle of snake oil we’ll all end up using. As such, we hackers are keen to build our own devices, instead of risking being locked into an IoT system that could become obsolete at any time. But, building an IoT device and interface takes a wide range of skills, and those who are lacking skill in the dark art of programming might have trouble creating a control app …read more

Continue reading Quick and Easy IoT Prototyping with Involt→

The Oil Sands’ ‘Cleaner’ Future Looks Awfully Dirty

Posted on August 29, 2016 by Jordan Pearson for Motherboard

Steam-powered mining is anything but environmentally friendly. Continue reading The Oil Sands’ ‘Cleaner’ Future Looks Awfully Dirty→