Security

Collections

• Risk-Based Authentication using Auth0 Actions and Have I Been Pwned APIs
• SecurityZines - graphical way of learning concepts of Application & Web Security.
• JWT vs. Opaque Tokens - https://news.ycombinator.com/item?id=33018135
• Chromium based browsers leak user local IP via WebRTC foundation attribute
  • https://news.ycombinator.com/item?id=33327678
    • This can be disabled in Brave by turning "WebRTC IP handling policy" to "Disable non-Proxied UDP" in "settings - > Privacy and Security".
    • WebRTC was already known to leak local IP. Which can be dangerous if you're behind a VPN.
• PDF vulnerability
  • Dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.
• Password requirements: myths and madness
  • https://news.ycombinator.com/item?id=34098369
• Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
• RIP, Passwords. Here’s What’s Coming Next.
• Oh-Auth - Abusing OAuth to take over millions of accounts

  Not verifying access tokens as required by OAuth specifications allows an attacker to harvest credentials from a malicious site and hijack accounts on other trusted platforms.

• Companies embracing SMS for account logins should be blamed for SIM-swap attacks
• Second Factor SMS: Worse Than Its Reputation - Attackers can intercept SMS one-time passwords through techniques like SIM swapping or exploiting SS7 network vulnerabilities.
• Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks - "Wait, what if the user's email address isn't verified?"
• Don’t Let Your Domain Name Become a “Sitting Duck”

A comprehensive guide to the dangers of Regular Expressions in JavaScript

This article explains how certain regex patterns can cause exponential backtracking on long strings, leading to regular expression denial of service (ReDoS) vulnerabilities.
Two real world examples caused major outages at Stack Overflow and CloudFlare due to unintentionally vulnerable regex use.

The article details how issues like excessive use of wildcards, quantifiers and overlapping patterns can cause catastrophic backtracking.
It also offers techniques for testing regex safety and fixing vulnerable patterns, such as limiting matches, using string methods instead of regex, and refactoring nested groups.
Overall, the article effectively raises awareness of the ReDoS threat within seemingly benign regex code.

---

Children

1. 5 Software Security Goals All CTOs Should Prioritize
2. API Security Best Practices - curity
3. How to Secure Anything
4. Security tools