Security
Collections
- Risk-Based Authentication using Auth0 Actions and Have I Been Pwned APIs
- SecurityZines - graphical way of learning concepts of Application & Web Security.
- JWT vs. Opaque Tokens - https://news.ycombinator.com/item?id=33018135
- Chromium based browsers leak user local IP via WebRTC foundation attribute
  - https://news.ycombinator.com/item?id=33327678
  - This can be disabled in Brave by setting "WebRTC IP handling policy" to "Disable non-Proxied UDP" under "Settings -> Privacy and Security".
  - WebRTC was already known to leak the local IP, which can be dangerous if you're behind a VPN.
- PDF vulnerability
- Dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.
- Password requirements: myths and madness
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
- RIP, Passwords. Here’s What’s Coming Next.
- Oh-Auth - Abusing OAuth to take over millions of accounts
Not verifying access tokens as required by OAuth specifications allows an attacker to harvest credentials from a malicious site and hijack accounts on other trusted platforms.
- Companies embracing SMS for account logins should be blamed for SIM-swap attacks
- Second Factor SMS: Worse Than Its Reputation - Attackers can intercept SMS one-time passwords through techniques like SIM swapping or exploiting SS7 network vulnerabilities.
- Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks - "Wait, what if the user's email address isn't verified?"
- Don’t Let Your Domain Name Become a “Sitting Duck”
- NIST will standardise a prohibition on requiring passwords to mix various character types and on periodic password changes.
- ABC News hacks into popular robot vacuum, watches owner through camera
- Valetudo is a cloud replacement for vacuum robots enabling local-only operation.
- Attacking APIs using JSON Injection
This endpoint had no sanitization on the parameters throughout the processing of the JSON body. Moreover, the library Samsung relied on (json-c) was compiled with JSON_TOKENER_STRICT=0, which allows for defining strings with both single and double quotes. You can read a great writeup here from Cisco TALOS. This became CVE-2018-3879, and when chained with CVE-2018-3880, had a CVSS rating of 9.9. JSON Injection → SQL Injection → Buffer Overflow → ROP = PWNED
- Hundreds of code libraries posted to NPM try to install malware on dev machines
The IP address returned by a package Phylum analyzed was: hxxp://193.233.201[.]21:3001. While the method was likely intended to conceal the source of second-stage infections, it ironically had the effect of leaving a trail of previous addresses the attackers had used in the past.
Attacks like this one rely on typosquatting, a term for the use of names that closely mimic those of legitimate packages but contain small differences, such as those that might occur if the package was inadvertently misspelled.
- A comprehensive guide to the dangers of Regular Expressions in JavaScript
This article explains how certain regex patterns can cause exponential backtracking on long strings, leading to regular expression denial of service (ReDoS) vulnerabilities.
Two real-world examples: unintentionally vulnerable regexes caused major outages at Stack Overflow and Cloudflare.
The article details how issues like excessive use of wildcards, quantifiers and overlapping patterns can cause catastrophic backtracking.
It also offers techniques for testing regex safety and fixing vulnerable patterns, such as limiting matches, using string methods instead of regex, and refactoring nested groups.
Overall, the article effectively raises awareness of the ReDoS threat within seemingly benign regex code.
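Added example (not code from the article): a classic catastrophic-backtracking pattern, an equivalent rewrite that cannot backtrack exponentially, and the two mitigations the summary mentions, an input-length cap and a regex-free string scan. The patterns, the `adversarialInput` helper and the 64-character limit are constructed for illustration; the scan assumes ASCII `\w` and ASCII whitespace.

```javascript
// Added example (not from the article): a classic catastrophic-backtracking
// pattern, an equivalent linear-time rewrite, and a regex-free validator.
// All inputs below are constructed for illustration.

// Vulnerable: \w+ inside (...)+ with an optional \s? between repetitions means
// a run of word characters can be split between the inner and outer quantifier
// in 2^(n-1) ways. When the final character forces a mismatch, the engine
// tries every split before giving up.
const VULNERABLE = /^(\w+\s?)+$/;

// Same language, no ambiguity: each extra repetition must start with
// whitespace, and \w and \s are disjoint, so there is one way to consume input.
const SAFE = /^\w+(?:\s\w+)*\s?$/;

// Input that matches until the very last character: n word chars then '!'.
function adversarialInput(n) {
  return 'a'.repeat(n) + '!';
}

// Time a single test() call; returns { matched, elapsedMs }.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// Mitigation 1: cap input length before any regex runs. A bound turns the
// exponential worst case into a fixed, known cost (assumed limit of 64 here).
function boundedTest(re, input, maxLen = 64) {
  if (input.length > maxLen) return false;
  return re.test(input);
}

// Mitigation 2: replace the regex with a single linear scan. Accepts exactly
// what VULNERABLE accepts (assuming ASCII \w and ASCII whitespace): non-empty,
// no leading whitespace, no two consecutive whitespace characters, and only
// word characters or whitespace.
function isWordList(input) {
  let sawWord = false;
  let prevSpace = false;
  for (let i = 0; i < input.length; i++) {
    const c = input.charCodeAt(i);
    const isWord =
      (c >= 48 && c <= 57) || (c >= 65 && c <= 90) || (c >= 97 && c <= 122) || c === 95;
    const isSpace = c === 32 || (c >= 9 && c <= 13);
    if (isWord) {
      sawWord = true;
      prevSpace = false;
    } else if (isSpace) {
      if (!sawWord || prevSpace) return false;
      prevSpace = true;
    } else {
      return false;
    }
  }
  return sawWord;
}

// Compare the two patterns on growing adversarial inputs. Keep n small:
// the vulnerable pattern roughly doubles its running time per extra character.
function demo() {
  for (const n of [12, 16, 20]) {
    const input = adversarialInput(n);
    const slow = timeMatch(VULNERABLE, input);
    const fast = timeMatch(SAFE, input);
    console.log(`n=${n} vulnerable: ${slow.elapsedMs.toFixed(1)} ms, safe: ${fast.elapsedMs.toFixed(3)} ms`);
  }
  console.log('isWordList("hello world"):', isWordList('hello world'));
  console.log('isWordList(adversarial, 10k chars):', isWordList(adversarialInput(10000)));
}

if (typeof require !== 'undefined' && require.main === module) demo();

if (typeof module !== 'undefined') {
  module.exports = { VULNERABLE, SAFE, adversarialInput, timeMatch, boundedTest, isWordList };
}
```

Running `node` on this file prints the timings side by side; raising `n` past about 25 in `demo()` makes the vulnerable pattern take seconds while `SAFE` and `isWordList` stay in the microsecond range, which is the asymmetry an attacker-controlled string exploits and the reason to prefer a length cap or a hand-written scan for untrusted input.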