Collaborate Disseminate
If $1 contains untrusted user input for example $(whoami). Are any of the following bash examples vulnerable to command injection?
I’m having issues clearly understanding this behavior in Bash. Also, I have issues with echo -n "$1&quo… Continue reading Are these bash lines (handling untrusted user input) vulnerable to command injection?
The seqence below is a form submission on a personal site of mine and seems to be crashing the browser.
It crashes the browser tab (becomes unresponsive) of my site’s backend where I approve submissions, and it crashes gmail when displayin… Continue reading Is this sequence "ALTER …" an attack of some kind?
Recent reports describe how a new prompt injection technique uses hex encoding to bypass the internal content moderation safeguards in language models like ChatGPT-4o, allowing them to generate exploit code. This technique reportedly disgu… Continue reading How does hex-encoded prompt injection work to bypass protections in LLMs (i.e. ChatGPT)?
I am creating an application that takes information from another system and writes reports in CSV format. I am trying to mitigate CSV Injection vulnerabilities on it. I have done some research and I got started with OWASP – CSV Injection w… Continue reading Preventing CSV Injection
We are experiencing an issue on our WordPress site running WooCommerce, for the second time this year where a hacker is injecting some kind of script that is redirecting the stripe.js code from it’s native location at stripe to an offsite … Continue reading WordPress Site Hacked to redirect stripe.js offsite for credit card skimming – Can’t Find The Source
I have recently bought a hosting and hosted my php site, but after hosting site was not loading and showing a round loading image. I thought my files were infected, so I checked on console and I got this error – mixed content error, reques… Continue reading My hosting has no content, but shows error – requested an insecure script ‘http://cdn.jsinit.directfwd.com/sk-jspark_init.php
I’m reviewing code which apparently ignores all security standards but doesn’t seem to be exploitable due to its peculiar construction. The first stage is a Java Spring application and the name parameter is fully user-controlled.
String cm… Continue reading Is this code vulnerable to injection?
In our ongoing efforts to ensure secure transactional email delivery, we prioritize user input escaping. This practice mitigates potential vulnerabilities like HTML injection attacks.
We leverage the i18next library (https://www.i18next.co… Continue reading Securing Transactional Email: User Input Escaping for a email subject
Is there any way to save half dumped output in csv file or in table format in sqlmap?
Look below image for better understanding. The target is boolean based blind injection vulnerable. For sure this injection takes hell of a time for large… Continue reading sqlmap –dump csv file output problem for Large database
Take this HTTP request as an example.
GET /directory/blahblah/ping%20interact.sh
Say this request receives any 3xx, 4xx, 5xx HTTP response code. Is it likely or even possible that a backend web server process this request and pings interac… Continue reading Command Injection in URLs. Are response codes foolproof indicator of true/false positive?