Begging for Bounties and More Info Stealer Logs


TL;DR — Tens of millions of credentials obtained from info stealer logs populated by malware were posted to Telegram channels last month and used to shake down companies for bug bounties under the misrepresentation the data originated from their service.

How many attempted scams do you get each day?


I Now Own the Coinhive Domain. Here’s How I’m Fighting Cryptojacking and Doing Good Things with Content Security Policies.


If you’ve landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you’re on this page because you’re interested in reading


Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies


You know what I really like? A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned (HIBP). You know what I really don’t like? Logging on to Report URI and being greeted with something like this:

This blog post


My Blog Now Has a Content Security Policy – Here’s How I’ve Done It


I’ve long been a proponent of Content Security Policies (CSPs). I’ve used them to fix mixed content warnings on this blog after Disqus made a little mistake, you’ll see one adorning Have I Been Pwned (HIBP) and I even wrote a dedicated Pluralsight course on browser security headers. I’m a…


Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI


I run a workshop titled Hack Yourself First in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one…


I’m Joining Report URI!


What if I told you… that you can get visitors to your site to automatically check for a bunch of security issues. And then, when any are found, those visitors will let you know about it automatically. And the best bit is that you can set this up in a…
