Tagged “security”
-
TIL how to build a Chrome extension that steals everything [security, extension, pii, keystroke]
There are three components that will be used: the background service worker, the content script, and the popup.
-
TIL executing an XSS using an SVG image [image, svg, security, xss]
This user was able to upload a '.svg' that then executed an XSS attack to steal local storage data.
-
TIL how to steal localData using an XSS attack [security, xss, mdn]
But that's just a red flag that opens the door to bigger issues.
-
TIL types of malicious npm attacks [security, npm, malware]
In the case of ionicons, the miscreants published 18 versions containing malicious form-stealing code; for example, icon-package (according to NPM download stats) has over 17,000 downloads. Other typo-squatting examples include umbrellaks instead of umbrellajs and so on.
-
TIL malware in node_modules [malware, npm, security, hacking]
The very first line fetches the victim's country code using their IP address. If the victim is from Russia, Ukraine, Belarus, or Kazakhstan, then the malware exits early.
-
TIL all the different security roles [roles, security, certifications]
In appsec the most notable split is offense vs. defense. They are complementary of course, but the skills differ. For offense you need specific tools, and you need to get used to testing applications sometimes without source code access.
-
TIL fingerprinting with CSS [security, css]
Fingerprinting refers to building up enough metadata about a user that you can essentially figure out who they are. JavaScript has access to all sorts of fingerprinting possibilities, which, combined with the IP address that the server has access to, means fingerprinting is all too common.
-
TIL CSRF attacks [security, hack, forms]
Cross-site Request Forgery (CSRF) is submitting POST data from a fake site. To prevent CSRF attacks, web applications should implement measures such as requiring a valid CSRF token to be included with each request, checking the Referer header, and using secure cookies.
-
TIL Microsoft Teams can analyze your feelings [ai, security]
Microsoft Teams set up a new feature set. They're known as Purview classifiers, and they can help prevent abuse, harassment, and other illegal activities on Teams.
-
TIL how to create ransomware in nodejs [security, hacking, node]
As a developer, it's important to know the power we have in our hands, and how to execute and defend against it/avoid it. Running ransomware attacks is illegal.
-
TIL about going up and down in your bash history [commandline, terminal, security]
Your bash history is saved and can be scrolled through with the up/down arrow keys, which means you shouldn't type your passwords into it.
-
TIL CSS vulnerability in Yahoo Mail [css, security, vulnerability, email]
CSS doesn't immediately fail on parse errors. In 2009 it turned out Yahoo Mail was vulnerable to a fairly simple exploit: the attacker sends the user one email with a snippet of code and another email to run the code.
-
TIL how CORS works [security, vulnerability, webdev]
We kinda need images to work regardless of what site they're on. I should be able to take an image from your website and host it somewhere else. Same with JS code (like CDNs!). But we also don't want the problem above where I can test your cookies to see if you're logged into your bank account.
-
TIL obvious security vulnerabilities and prototype pollution vulnerabilities [security, javascript]
Object-based inheritance gives JavaScript the flexibility and efficiency that web programmers have come to love, but it also makes it vulnerable to tampering. Malicious actors can make application-wide changes to all objects by modifying the object prototype, hence the name prototype pollution.
-
TIL never deserializing untrusted data [php, security, vulnerability, json]
This happened the most in PHP, because for some reason, PHP developers love to serialize/deserialize objects instead of using JSON, but I’d say almost every case we saw where a server was deserializing a client object and parsing it led to a horrible exploit.
-
TIL what the Diffie-Hellman key exchange is [algorithm, security]
SSH uses RSA to establish an initial secure, authenticated connection, then uses Diffie-Hellman to establish an ephemeral (i.e. one-time) key to provide forward security.
-
TIL the word Sanitize is too overloaded [xss, security, language, developer]
Sanitize means two different things, depending on context. Use Filtering, Escaping, Validation, or Protect instead.
-
TIL a JWT decoder and how it works [security, json, jwt]
JWTs (JSON Web Tokens) are essentially just JSON objects that are hashed. This site decodes them and explains how it works.
-
TIL Netflix's method of providing internal tooling at scale [security, netflix, operations]
Netflix had a problem. Before any program can be deployed, it had to run through a rigorous security checklist.