Collaborate Disseminate
I am trying to identify if issues found by a security tool are in fact false positive or actual issues. I am having a hard time understanding the issue in general as I am new to security and what I can do to fix the issues. Below are the t… Continue reading Identifying false positives while running a security tool program [closed]
I have found an XSS bug in a chat form on a bug bounty target. When I enter in the chat form input <button onclick="alert(1)">click</button> and after that I click the button a popup alert appears. I`ve sent the bug b… Continue reading Found XSS in chat form in bug bounty but they say it’s only self XSS. How to leverage it?
I’m in a debate of where to securely store an OAuth 2.0 access token. There are two opinions:
On the browser (inside of a HttpOnly cookie)
On the server/inside the a database
The argument against using the cookie storage mitigating the i… Continue reading Storing an OAuth 2.0 access token
Every month Microsoft releases software updates to fix vulnerabilities across the company’s vast line of technology products. The ritual, known as Patch Tuesday, often involves security experts urging users to update their software, and researchers gaining some public recognition after months of quietly working to mitigate the flaws. A new study from antivirus vendor Trend Micro found that cybercriminal forums continue to advertise exploits for a vulnerability years after a patch has been released, though, with sellers adjusting prices to market demand and bundling multiple old exploits together to maximize profits. The study, which spanned nearly two years and numerous illicit marketplaces, found that nearly half of the software exploits requested on forums were for vulnerabilities that were at least three years old. The demand for exploits is also catered to the popularity of software: Microsoft products accounted for 47% of the exploits that forum users requested, according to Trend […]
The post Market for software exploits is often focused on Microsoft flaws, years-old technology appeared first on CyberScoop.
I’m currently working on an existing PWA (Progressive web app) build in VUEJS. Currently i’m using Auth0 for user authentication and it works fine. But it seems a bit overkill and client finds it very hard to manage his users in Auth0 (mul… Continue reading Progressive web app, Access token storage
I’m trying to learn Secure Programming and I’m experimenting with Mutillidae. I’m at XSS and I’m trying to post such an entry, it will add an entry to the DB such will add an entry as the seer of the entry. But I couldn’t found a way to do… Continue reading How to post a new entry in OWASP 2 Mutillidae from someone else’s name? [closed]
In the wake of the disruption to Colonial Pipeline, a popular Russian-language criminal forum has claimed it will ban the sale of ransomware tools, according to multiple researchers who monitor the site. XSS, a prominent underground forum for hacking tools and other scams, on May 13 said the platform would forbid “ransomware sales, ransomware rental and ransomware affiliate programs,” according to the threat intelligence firm Digital Shadows. The XSS administrator also claimed it would remove all posts mentioning ransomware. The forum post claimed it was because ransomware was attracting too much “hype” and attention from outsiders, but ransomware operators frequently engage in self-serving public relations stunts. The development pointed to newfound pressure that ransomware operators were feeling following the breach of the IT systems at Colonial Pipeline, the main artery for delivering fuel to the East Coast. The ransomware incident forced Colonial Pipeline to shut down for days. Though service […]
The post Russian cybercrime forum XSS claims to ban ransomware following Colonial Pipeline hack appeared first on CyberScoop.
The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained funds from an account the group uses to pay affiliates. Continue reading DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized
Hello I was experimenting with XSS payloads and couldn’t help wonder the syntax for
javascript:alert(0)
The most basic payload for XSS makes sense, since the tag is used for JavaScript in HTML.
<script>alert(0)</script>
But … Continue reading XSS Payloads: <script> vs javascript:
My organization has scanned our code using Checkmarx and the low severity issue Potential Clickjacking on Legacy Browsers was detected due to a JavaScript function firing on an HTML image click event.
We have implemented the following sugg… Continue reading Implementing Checkmarx suggested clickjacking fix introduces high severity Client DOM XSS vulnerability