Collaborate Disseminate
In a FlaskRestX API for an e-commerce site, I use jinja2 to generate a HTML template (to create a PDF purchase receipt). After reading the docs, and asking various AI models, I am still not convinced that my code is safe from XSS (Cross-Si… Continue reading Jinja2: safe from XSS/SSTI if using select_autoescape and context dictionary?
After running a Nessus scan, one of its plugins checks for cookie injection called "Web Server Generic Cookie Injection" (https://www.tenable.com/plugins/nessus/44135)
The scan shows that this issue exists on a site. It shows tha… Continue reading Web Server Generic Cookie Injection
I entered an onclick=’alert("helo there")’ in a button thru inspect and I got an alert.
Can I report the bug like that or should I search for a dangerous payload to get maximum priority?
Also what type of xss is that?
Continue reading Can I always exploit the website after getting an alert box? [closed]
I have found a WordPress site where the WP scanner provided me with:
[!] Title: Realtyna Organic IDX plugin < 4.14.8 – Unauthenticated SQLi
| Fixed in: 4.14.8
| References:
| – https://wpscan.com/vulnerability/d22a60bc-b… Continue reading How this SQL injection vulnerability could cause problems? [closed]
I am doing a bug bounty and i found an XSS injection point. However most tags are filtered and i have been getting no results in executing JS, i can do what ever HTML i want though
here are some examples as they show id WebDev Tools
<im… Continue reading XSS javascript does not execute (bug bounty)
If $1 contains untrusted user input for example $(whoami). Are any of the following bash examples vulnerable to command injection?
I’m having issues clearly understanding this behavior in Bash. Also, I have issues with echo -n "$1&quo… Continue reading Are these bash lines (handling untrusted user input) vulnerable to command injection?
The seqence below is a form submission on a personal site of mine and seems to be crashing the browser.
It crashes the browser tab (becomes unresponsive) of my site’s backend where I approve submissions, and it crashes gmail when displayin… Continue reading Is this sequence "ALTER …" an attack of some kind?
Recent reports describe how a new prompt injection technique uses hex encoding to bypass the internal content moderation safeguards in language models like ChatGPT-4o, allowing them to generate exploit code. This technique reportedly disgu… Continue reading How does hex-encoded prompt injection work to bypass protections in LLMs (i.e. ChatGPT)?
I am creating an application that takes information from another system and writes reports in CSV format. I am trying to mitigate CSV Injection vulnerabilities on it. I have done some research and I got started with OWASP – CSV Injection w… Continue reading Preventing CSV Injection
We are experiencing an issue on our WordPress site running WooCommerce, for the second time this year where a hacker is injecting some kind of script that is redirecting the stripe.js code from it’s native location at stripe to an offsite … Continue reading WordPress Site Hacked to redirect stripe.js offsite for credit card skimming – Can’t Find The Source