Shakedown Social

Tanya Janca | SheHacksPurple :verified: :verified:🎥 Missed one of my past conference talks? Let’s fix that.I’m sharing my favorites—packed with real-world advice, lessons, and a few laughs.“XSS Deep Dive” 📽️ <a href="https://twp.ai/4in9ro" rel="nofollow noopener" translate="no" target="_blank">https://twp.ai/4in9ro</a><a href="https://infosec.exchange/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#CyberSecurity</a> <a href="https://infosec.exchange/tags/SecurityAwareness" class="mention hashtag" rel="nofollow noopener" target="_blank">#SecurityAwareness</a> <a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#appsec</a> <a href="https://infosec.exchange/tags/owasp" class="mention hashtag" rel="nofollow noopener" target="_blank">#owasp</a> <a href="https://infosec.exchange/tags/xss" class="mention hashtag" rel="nofollow noopener" target="_blank">#xss</a>

acffh morst<a href="https://toad.social/@grumpybozo" class="u-url mention" rel="nofollow noopener" target="_blank">@grumpybozo</a> might be less vulnerable to browser based attacks from other websites such as Cross-Site Scripting <a href="https://toad.social/tags/XSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#XSS</a> <a href="https://owasp.org/www-community/attacks/xss/" rel="nofollow noopener" translate="no" target="_blank">https://owasp.org/www-community/attacks/xss/</a>

🧿🪬🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸When you are handling user data do you sanitize it...Update: To be clear, sending data to a database is considered "use"; it is a given that you sanitize data before putting it in SQL, or HTML(Boost for increased sample size)<a href="https://mastodon.social/tags/webDev" class="mention hashtag" rel="nofollow noopener" target="_blank">#webDev</a> <a href="https://mastodon.social/tags/development" class="mention hashtag" rel="nofollow noopener" target="_blank">#development</a> <a href="https://mastodon.social/tags/javaScript" class="mention hashtag" rel="nofollow noopener" target="_blank">#javaScript</a> <a href="https://mastodon.social/tags/database" class="mention hashtag" rel="nofollow noopener" target="_blank">#database</a> <a href="https://mastodon.social/tags/programming" class="mention hashtag" rel="nofollow noopener" target="_blank">#programming</a> <a href="https://mastodon.social/tags/webDevelopment" class="mention hashtag" rel="nofollow noopener" target="_blank">#webDevelopment</a> <a href="https://mastodon.social/tags/developer" class="mention hashtag" rel="nofollow noopener" target="_blank">#developer</a> <a href="https://mastodon.social/tags/software" class="mention hashtag" rel="nofollow noopener" target="_blank">#software</a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://mastodon.social/tags/xss" class="mention hashtag" rel="nofollow noopener" target="_blank">#xss</a> <a href="https://mastodon.social/tags/csrf" class="mention hashtag" rel="nofollow noopener" target="_blank">#csrf</a>

Dark Web Informer - Cyber Threat Intelligence :verified_paw: :verified_dragon:🚨UNVERIFIED🚨Allegedly, a threat actor is selling vulnerabilities related to Prototype Pollution and XSS, which allow for account takeover in <a href="https://infosec.exchange/tags/Amazon" class="mention hashtag" rel="nofollow noopener" target="_blank">#Amazon</a> subdomains.<a href="https://infosec.exchange/tags/DarkWeb" class="mention hashtag" rel="nofollow noopener" target="_blank">#DarkWeb</a> <a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybersecurity</a> <a href="https://infosec.exchange/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#Security</a> <a href="https://infosec.exchange/tags/Cyberattack" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cyberattack</a> <a href="https://infosec.exchange/tags/Cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#Cybercrime</a> <a href="https://infosec.exchange/tags/Privacy" class="mention hashtag" rel="nofollow noopener" target="_blank">#Privacy</a> <a href="https://infosec.exchange/tags/Infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#Infosec</a> <a href="https://infosec.exchange/tags/XSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#XSS</a> <a href="https://x.com/DarkWebInformer/status/1798703628070625636" rel="nofollow noopener" translate="no" target="_blank">https://x.com/DarkWebInformer/status/1798703628070625636</a>

Angus McIntyreWith all the talk about how crappy <a href="https://mastodon.social/tags/Google" class="mention hashtag" rel="nofollow noopener" target="_blank">#Google</a>'s search results are now, I've not seen much mention of how dangerous Google Ads have become. Websites offering downloads are stuffed with ‘ads’ that display “Click here”, "Download” or “Continue" buttons to trick users into downloading malware. Or a journal's submissions page gets taken over by an ad that says "Now accepting submissions” & links to a totally different site.Ad networks are starting to look like just another kind of <a href="https://mastodon.social/tags/XSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#XSS</a> attack.

Teri RadichelA Firewall For AWS CloudShell ~~ ACM.446 Attempting to prevent outbound credential exfiltration via self-XSS ~~ <a href="https://infosec.exchange/tags/cloudshell" class="mention hashtag" rel="nofollow noopener" target="_blank">#cloudshell</a> <a href="https://infosec.exchange/tags/xss" class="mention hashtag" rel="nofollow noopener" target="_blank">#xss</a> <a href="https://infosec.exchange/tags/credentials" class="mention hashtag" rel="nofollow noopener" target="_blank">#credentials</a> <a href="https://infosec.exchange/tags/container" class="mention hashtag" rel="nofollow noopener" target="_blank">#container</a> <a href="https://infosec.exchange/tags/aws" class="mention hashtag" rel="nofollow noopener" target="_blank">#aws</a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://infosec.exchange/tags/firewall" class="mention hashtag" rel="nofollow noopener" target="_blank">#firewall</a> <a href="https://medium.com/cloud-security/a-firewall-for-aws-cloudshell-8c07bc026415" rel="nofollow noopener" translate="no" target="_blank">https://medium.com/cloud-security/a-firewall-for-aws-cloudshell-8c07bc026415</a>

:mima_rule: Mima-sama<a href="https://makai.chaotic.ninja/tags/Sharkey" rel="nofollow noopener" target="_blank">#Sharkey</a>'s recent vulnerability and their handling of it is still miles better than <a href="https://makai.chaotic.ninja/tags/Lemmy" rel="nofollow noopener" target="_blank">#Lemmy</a>'s <a href="https://makai.chaotic.ninja/tags/XSS" rel="nofollow noopener" target="_blank">#XSS</a> exploit which actually took down a big instance and is something even more elementary than what Sharkey experienced. Like seriously, the first thing you do when <a href="https://makai.chaotic.ninja/tags/Markdown" rel="nofollow noopener" target="_blank">#Markdown</a> parsing is involved is to sanitize the hell out of it, both in the Markdown input and the HTML output. And you put up a strict <a href="https://makai.chaotic.ninja/tags/CSP" rel="nofollow noopener" target="_blank">#CSP</a> for good measure. Lemmy spectacularly failed on both counts, despite existing as a project for years and a lot more instances (and therefore users, which rivals <a href="https://makai.chaotic.ninja/tags/Mastodon" rel="nofollow noopener" target="_blank">#Mastodon</a>) using their software! I can cut some slack for the Sharkey devs here because: - they're relatively new (only months since the project started) - it only affected note imports from <a href="https://makai.chaotic.ninja/tags/Twitter" rel="nofollow noopener" target="_blank">#Twitter</a> which is already niche enough - it was easy to mitigate (just disable note import) - it didn't affect single-user instances IIUC - I haven't seen any Sharkey instance get actually exploited by this - they're taking steps to make sure this shit doesn't happen again (haven't seen this from Lemmy yet, and last I checked their CSP is still shit) So this is not worth blowing over in the <a href="https://makai.chaotic.ninja/tags/fediverse" rel="nofollow noopener" target="_blank">#fediverse</a>. Your assessment is exaggerated, this energy could've been spent somewhere else, and you owe the Sharkey devs an apology. <a href="https://makai.chaotic.ninja/tags/fediversemeta" rel="nofollow noopener" target="_blank">#fediversemeta</a> <a href="https://makai.chaotic.ninja/tags/security" rel="nofollow noopener" target="_blank">#security</a> RE: <a href="https://meowcity.club/fedi/tetra/p/1706812792.496325" rel="nofollow noopener" target="_blank">https://meowcity.club/fedi/tetra/p/1706812792.496325</a>

IT NewsPro-Russia hackers target inboxes with 0-day in webmail app used by millions - Enlarge (credit: Getty Images) A relentless team of pro-Russia... - <a href="https://arstechnica.com/?p=1978806" rel="nofollow noopener" translate="no" target="_blank">https://arstechnica.com/?p=1978806</a> <a href="https://schleuss.online/tags/wintervivern" class="mention hashtag" rel="nofollow noopener" target="_blank">#wintervivern</a> <a href="https://schleuss.online/tags/roundcube" class="mention hashtag" rel="nofollow noopener" target="_blank">#roundcube</a> <a href="https://schleuss.online/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://schleuss.online/tags/zero" class="mention hashtag" rel="nofollow noopener" target="_blank">#zero</a>-day <a href="https://schleuss.online/tags/biz" class="mention hashtag" rel="nofollow noopener" target="_blank">#biz</a>⁢ <a href="https://schleuss.online/tags/xss" class="mention hashtag" rel="nofollow noopener" target="_blank">#xss</a>

IT NewsThousands of WordPress sites have been hacked through tagDiv plugin vulnerability - Enlarge (credit: Getty Images) Thousands of sites running the ... - <a href="https://arstechnica.com/?p=1974522" rel="nofollow noopener" translate="no" target="_blank">https://arstechnica.com/?p=1974522</a> <a href="https://schleuss.online/tags/cross" class="mention hashtag" rel="nofollow noopener" target="_blank">#cross</a>-sitescripting <a href="https://schleuss.online/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerabilities</a> <a href="https://schleuss.online/tags/wordpress" class="mention hashtag" rel="nofollow noopener" target="_blank">#wordpress</a> <a href="https://schleuss.online/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#security</a> <a href="https://schleuss.online/tags/plugins" class="mention hashtag" rel="nofollow noopener" target="_blank">#plugins</a> <a href="https://schleuss.online/tags/biz" class="mention hashtag" rel="nofollow noopener" target="_blank">#biz</a>⁢ <a href="https://schleuss.online/tags/xss" class="mention hashtag" rel="nofollow noopener" target="_blank">#xss</a>

Teri RadichelParsing and Validating Lambda Parameters, Headers, and Variables ~~ ACM.325 Creating a Validation Function to Mitigate Injection Attacks ~~ <a href="https://infosec.exchange/tags/AWS" class="mention hashtag" rel="nofollow noopener" target="_blank">#AWS</a> <a href="https://infosec.exchange/tags/Lambda" class="mention hashtag" rel="nofollow noopener" target="_blank">#Lambda</a> <a href="https://infosec.exchange/tags/validation" class="mention hashtag" rel="nofollow noopener" target="_blank">#validation</a> <a href="https://infosec.exchange/tags/injection" class="mention hashtag" rel="nofollow noopener" target="_blank">#injection</a> <a href="https://infosec.exchange/tags/parameters" class="mention hashtag" rel="nofollow noopener" target="_blank">#parameters</a> <a href="https://infosec.exchange/tags/headers" class="mention hashtag" rel="nofollow noopener" target="_blank">#headers</a> <a href="https://infosec.exchange/tags/variables" class="mention hashtag" rel="nofollow noopener" target="_blank">#variables</a> <a href="https://infosec.exchange/tags/xss" class="mention hashtag" rel="nofollow noopener" target="_blank">#xss</a> <a href="https://infosec.exchange/tags/code" class="mention hashtag" rel="nofollow noopener" target="_blank">#code</a> <a href="https://infosec.exchange/tags/attack" class="mention hashtag" rel="nofollow noopener" target="_blank">#attack</a> <a href="https://infosec.exchange/tags/appsec" class="mention hashtag" rel="nofollow noopener" target="_blank">#appsec</a> <a href="https://medium.com/cloud-security/parsing-and-validating-lambda-parameters-and-environment-variables-334721882e81" rel="nofollow noopener" translate="no" target="_blank">https://medium.com/cloud-security/parsing-and-validating-lambda-parameters-and-environment-variables-334721882e81</a>

Graham CluleyWordPress plugin vulnerability puts two million websites at risk.<a href="https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-websites-at-risk/" rel="nofollow noopener" target="_blank">https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-websites-at-risk/</a><a href="https://mastodon.green/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#cybersecurity</a> <a href="https://mastodon.green/tags/xss" class="mention hashtag" rel="nofollow noopener" target="_blank">#xss</a> <a href="https://mastodon.green/tags/wordpress" class="mention hashtag" rel="nofollow noopener" target="_blank">#wordpress</a> <a href="https://mastodon.green/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a>

Tod BeardsleyOn the back of <a href="https://infosec.exchange/@albinolobster" class="u-url mention" rel="nofollow noopener" target="_blank">@albinolobster</a>’s <a href="https://infosec.exchange/tags/CVSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#CVSS</a> agreement research[1]: is it possible for an <a href="https://infosec.exchange/tags/XSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#XSS</a> exploit to function without a “user interaction” component?The easy case I can think of are the <a href="https://infosec.exchange/tags/zeroclick" class="mention hashtag" rel="nofollow noopener" target="_blank">#zeroclick</a> style exploits - merely browsing a web page triggers the exploit. But of course, the user must do the browsing. Is mere browsing passive enough to qualify as “no user interaction?”1: <a href="https://infosec.exchange/@vulncheck/109796076956316819" rel="nofollow noopener" target="_blank">https://infosec.exchange/@vulncheck/109796076956316819</a>

Tod BeardsleyHey hey. <a href="https://infosec.exchange/@Rapid7Official" class="u-url mention" rel="nofollow noopener" target="_blank">@Rapid7Official</a> just published a fairly wide-ranging advisory affecting a bunch of Document Management Systems. It's <a href="https://infosec.exchange/tags/XSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#XSS</a>, yawn who cares right? But when you are able to pop a DMS via an unsolicited PDF, well, now you've got a stew going.Also, if you're a user of any of these on-prem DMSes, can you make some noise about these? I wasn't able to raise a single vendor via normal <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#vulnerability</a> disclosure channels, which is surprising for tech / <a href="https://infosec.exchange/tags/opensource" class="mention hashtag" rel="nofollow noopener" target="_blank">#opensource</a> / freemium companies.Thanks for all the research work, Matthew-who-is-not-on-Mastodon!<a href="https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412-through-cve-20222-47419/" rel="nofollow noopener" target="_blank">https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412-through-cve-20222-47419/</a>

Recent searches

Search options

Administered by:

Server stats:

#xss