XSS

Microsoft Edge Bug Could’ve Let Hackers Steal Your Secrets for Any Site

Microsoft last week rolled out updates for the Edge browser with fixes for two security issues, one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website. Tracked as CVE-2021-34506 (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) […]

How I Discovered My First Vulnerability

I have read a couple of books recently about different vulnerabilities in order to be able to better protect my projects/websites. Today, I want to share a story about how I managed to use this knowledge in practice. Disclaimer: This material is posted for educational purposes only. The author is not responsible for its usage […]

Critical vulnerabilities in phpMyAdmin

Admins of thousands of websites are waiting for the update launching. According to reports of specialists in digital forensics from the International Institute of Cyber Security, the administrators of phpMyAdmin, one of the most popular and widely used MySQL database management systems, have just launched an updated version of its software with the purpose […]

Vulnerabilities in DJI drone manufacturer

Security bugs could expose details about drone owners. Researchers at a cybersecurity and digital forensics firm identified a couple of vulnerabilities in the website and apps of the popular drone manufacturer DJI. A vulnerability was revealed last Thursday, after the company managed to patch the security error. However, the time it took the company to fully […]

Opsview publishes new vulnerabilities report

The flaws could allow code execution. Ethical hacking specialists have recently published a vulnerability report jointly with the enterprise systems monitoring software provider Opsview. The publication is related to five vulnerabilities in the company’s Opsview Monitor product, which is a virtual device deployed within an organization’s network infrastructure. The product comes bundled with a web management console that […]

Critical vulnerabilities present in smart city systems

Researchers have discovered countless zero-day vulnerabilities that can be used to disrupt critical systems. Experts in enterprise network security from the International Institute of Cyber Security reported the finding of 17 vulnerabilities in different smart city systems that could affect core services. At an event held in Las Vegas last Monday, a team of enterprise network security […]

Password Managers can be exploited using Web Trackers

This type of abusive conduct is possible because of a configuration flaw in the login handlers included with all browsers, login managers that allow browsers to memorize a user’s username and password for particular sites and auto-insert it in login fields when the user revisits that site again. Experts say that web trackers can install […]

Stealing Amazon EC2 Keys via an XSS Vulnerability

On a recent engagement, our testers were faced with a single page web application which was used to generate PDF documents. This web application contained a multi-step form that ultimately let the user download a PDF document containing the details they had entered. As a user progressed through the form, the data entered would occasionally […]

Trend Micro ServerProtect Contains Multiple Critical Arbitrary Code Execution Vulnerabilities including XSS and CSRF

6 major and very critical vulnerabilities have been discovered in the Trend Micro product ServerProtect for Linux 3.0. ServerProtect protects against viruses, rootkits, and data-stealing malware while simplifying and automating security operations on servers and storage systems. These 6 vulnerabilities allow remote code execution as root on the victim's machine via a Man-in-the-Middle attack and exploiting vulnerabilities […]

SQL Injection & more via XSS in pgAdmin 4

This is the story of how I found and exploited XSS (content injection) in the pgAdmin4 1.3 desktop client. (Before I get too much further, if you use pgAdmin 4, go update to 1.4. I’ll wait.) The Spark: This all started the one day when I speculated that pgAdmin 4 was a web application, due […]

WordPress 4.7.3 released with patch for six security issues, but not for CSRF

The most expected WordPress 4.7.3 is now available for update. This security update covers six security issues that exist in WordPress version 4.7.2. Security issues: Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs. Control characters can trick redirect URL validation. Reported by Daniel Chatfield. Unintended files can be […]

xsscrapy – XSS/SQLi Spider

xsscrapy is a tool that examines a given URL to find cross-site scripting and some SQL injection vulnerabilities. Python, xsscrapy, Linux operating system. May need additional libraries depending on OS (libxml2 libxslt zlib libffi openssl and sometimes libssl-dev). Step 1: Download and install xsscrapy from GitHub or type the following command given below: wget -O https://bootstrap.pypa.io/get-pip.py […]

Google Releases Two Chrome Extensions for XSS Discovery and Mitigation

Google says it paid over $1.2 million just for XSS bugs. Google released two new tools called CSP Evaluator and CSP Mitigator that help security researchers identify weaknesses that are often exploited to launch XSS attacks. Both tools revolve around CSP, or Content Security Policy, a security mechanism implemented by all major browsers, albeit in […]

How to hack Google FR by exploiting a cross-site scripting flaw

The security expert Issam Rabhi (@issam_rabhi) has discovered a cross-site scripting vulnerability in Google France. The giant already fixed it. A security expert from French security outfit Sysdream, Issam Rabhi (@issam_rabhi), discovered a cross-site scripting vulnerability in Google France. Yes, you’ve got it right, the website of the IT giant was affected by one of the […]

Hackers Prefer File Upload, XSS, and SQLi Bugs When Attacking WordPress Sites

WordPress is a free, open source content management system (CMS) for creating websites, and is considered to be the most popular blogging system in use. WordPress’ appeal to website developers stems from its free plugins and themes that are easily installed over the basic platform. These add-ons allow WordPress users to personalize and expand their websites and blogs. […]

A Flaw on eBay’s Site Allowed Hackers To Steal User’s Passwords

A critical bug on eBay’s website opened the door for malicious hackers to create fake login pages to steal passwords and harvest credentials. An independent security researcher found the flaw in early December, and reported it to eBay on December 11. After an initial response asking for more information the following day, eBay stopped responding […]

LinkedIn patches serious persistent XSS vulnerability

Developers at LinkedIn fixed a persistent cross-site scripting vulnerability in the social network this week that could have been exploited to spread a worm on the service’s help forums. It was a very quick turnaround for the company according to the researcher, who said LinkedIn fixed the issue a mere three hours after he reported it. […]

WordPress Fixes Critical Stored XSS Error in Akismet

Developers at Automattic, the parent company behind the blogging platform WordPress, fixed a nasty stored cross-site scripting error this week in Akismet, an anti-spam plugin that figures into millions of websites. The bug was fixed Tuesday in an update, 3.1.5, according to Christopher Finke, an engineer at Automattic who works on Akismet. Akismet filters spam […]

Security Researcher Disappointed with How an XSS Bug Was Fixed in Drupal 8

Researcher finds reflected XSS bug in Drupal 8. Drupal 8 isn’t even out yet but security experts have been hard at work auditing the code and reporting security bugs, helping the open source community strengthen one of its most beloved Content Management Systems (CMSs). Sandeep Kamble, a security researcher for SecureLayer7, has uncovered an XSS (cross-site […]

WordPress Jetpack Plugin Patched Against Stored XSS Vulnerability

After a few critical bugs were recently discovered and patched in the core WordPress engine—a rarity with WordPress-related security issues—order has apparently been restored with the discovery of a critical vulnerability in a popular plugin. Insecure plugins have been at the heart of numerous attacks launched from compromised WordPress sites. One was patched this week in […]