Sep 28 2021

Check What Information Your Browser Leaks

Category: Web Security | DISC @ 11:58 am

These two sites tell you what sorts of information you’re leaking from your browser.

The Browser Hacker’s Handbook

Tags: Browser Hacker's Handbook, Browser Leaks


Sep 24 2021

OWASP Top 10 2021: The most serious web application security risks

Category: App Security, Web Security | DISC @ 9:49 am

How is the list compiled?

“We get data from organizations that are testing vendors by trade, bug bounty vendors, and organizations that contribute internal testing data. Once we have the data, we load it together and run a fundamental analysis of what CWEs map to risk categories,” the Open Web Application Security Project (OWASP) explains.

“This installment of the Top 10 is more data-driven than ever but not blindly data-driven. We selected eight of the ten categories from contributed data and two categories from the Top 10 community survey at a high level.”

The reason for leaving space for direct input from application security and development experts on the front lines is the fact that it takes time to find ways to test new vulnerabilities, and they can offer knowledge on essential weaknesses that the contributed data may not show yet.

The list is then published so that it can be reviewed by practitioners, who may offer comments and suggestions for improvements.

OWASP Top 10 2021

OWASP Top 10 2021: What has changed in the last 4 years?

Tags: OWASP Top 10


Aug 08 2021

Improving WordPress Security in 2021

Category: Web Security | DISC @ 4:04 pm

What Is WordPress?

WordPress is a PHP-based content management system that may be used in conjunction with MySQL. The best part about WordPress is that it is free and open source software. It offers many plugins and themes that make it easier for non-technical users to deploy a website. It also allows continuous backup. And since it is open-source, there is no need to worry about security because most of the major flaws have already been addressed.

What Are the Basic WordPress Vulnerabilities and How Can I Patch Them?

Considering WordPress is open source and very customizable, there are a few issues to address while installing it on your server. We’ll go through some of the WordPress flaws and how to protect your installation.



Aug 07 2021

The RedMonk Programming Language Rankings

The RedMonk Programming Language Rankings: June 2021

This iteration of the RedMonk Programming Languages is brought to you by Microsoft. Developers build the future. Microsoft supports you in any language and Java is no exception; we love it. We offer the best Java dev tools, infrastructure, and modern framework support. Modernize your Java development with Microsoft.

While we generally try to have our rankings in July immediately after they are run, we generally operate these on a better late than never basis. On the assumption, then, that August is better than never, below are your RedMonk Q3 language rankings.

As always, these are a continuation of the work originally performed by Drew Conway and John Myles White late in 2010. While the specific means of collection has changed, the basic process remains the same: we extract language rankings from GitHub and Stack Overflow, and combine them for a ranking that attempts to reflect both code (GitHub) and discussion (Stack Overflow) traction. The idea is not to offer a statistically valid representation of current usage, but rather to correlate language discussion and usage in an effort to extract insights into potential future adoption trends.

Our Current Process

The data source used for the GitHub portion of the analysis is the GitHub Archive. We query languages by pull request in a manner similar to the one GitHub used to assemble the State of the Octoverse. Our query is designed to be as comparable as possible to the previous process.

  • Language is based on the base repository language. While this continues to have the caveats outlined below, it does have the benefit of cohesion with our previous methodology.
  • We exclude forked repos.
  • We use the aggregated history to determine ranking (though based on the table structure changes this can no longer be accomplished via a single query.)

For Stack Overflow, we simply collect the required metrics using their useful data explorer tool.

With that description out of the way, please keep in mind the other usual caveats.

JavaScript

Tags: Programming Language


Jul 22 2021

Top 10 Tips to Protect Against OWASP Top 10 Vulnerabilities

Category: Security vulnerabilities, Web Security | DISC @ 10:13 am

OWASP Top 10 vulnerabilities is a list of the 10 most common security vulnerabilities in applications. The Top 10 OWASP web application security vulnerabilities are updated every 3-4 years. Last updated in 2017, the vulnerabilities featuring on the list are:

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • XML External Entities (XXE)
  • Broken Access Control
  • Security Misconfigurations
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging and Monitoring

OWASP Top 10 vulnerabilities help raise awareness of the latest threats facing websites and web applications. Organizations and developers can leverage this list to ensure secure coding, tune up security and keep their security posture fortified.

In this article, we equip you with 10 power-packed tips to protect your applications against the OWASP Top 10.

OWASP A Complete Guide - 2021 Edition by [Gerardus Blokdyk]

OWASP Testing Guide v4 by [OWASP]

Tags: OWASP Top 10 Vulnerabilities


May 07 2021

Data leak implicates over 200,000 people in Amazon fake product review scam

Category: Cybercrime, Web Security | DISC @ 12:46 am

There is an ongoing battle between the e-commerce giant and dubious sellers, worldwide, who wish to hamstring competitors and gain an edge by generating fake reviews for their products. 

This can include paying individuals to leave a glowing review or by offering free items in return for positive, public feedback. 

How they operate and stay under Amazon’s radar varies, but an open ElasticSearch server has exposed some of the inner workings of these schemes. 

On Thursday, Safety Detectives researchers revealed that the server, public and online, contained 7GB of data and over 13 million records appearing to be linked to a widespread fake review scam. 

It is not known who owns the server but there are indicators that the organization may originate from China due to messages written in Chinese, leaked during the incident. 

The database contained records involving roughly 200,000 – 250,000 users and Amazon marketplace vendors including user names, email addresses, PayPal addresses, links to Amazon profiles, and both WhatsApp and Telegram numbers, as well as records of direct messages between customers happy to provide fake reviews and traders willing to compensate them. 

According to the team, the leak may implicate “more than 200,000 people in unethical activities.”

The database, and messages contained therein, revealed the tactics used by dubious sellers. One method is whereby vendors send a customer a link to the items or products they want 5-star reviews for, and the customer will then make a purchase. 

Several days after, the customer will leave a positive review and will send a message to the vendor, leading to payment via PayPal — which may be a ‘refund,’ while the item is kept for free. 

As refund payments are kept away from the Amazon platform, it is more difficult to detect fake, paid reviews. 

Data leak implicates over 200,000 people in Amazon fake product review scam

Tags: Amazon fake product review scam


May 07 2021

Firefox for Android gets critical update to block cookie-stealing hole

Category: Web Security | DISC @ 12:32 am

Usually, when browser updates come out, it’s obvious what to do if you’re running that browser on your laptop or desktop computer.

But we often get questions from readers (questions that we can’t always answer) wondering what to do if they’re using that browser on their mobile phone, where version numbering is often bewildering.

In the case of Firefox’s latest update we can at least partly answer that question for Android users, because the latest 88.0.1 “point release” of Mozilla’s browser lists only one security patch dubbed critical, namely CVE-2021-29953:

This issue only affected Firefox for Android. Other operating systems are unaffected. Further details are being temporarily withheld to allow users an opportunity to update.

The bug listed here is what’s known as a Universal Cross-site Scripting (UXSS) vulnerability, which means it’s a way for attackers to access private browser data from website X while you are browsing on booby-trapped website Y.

Tags: Firefox


Apr 23 2021

Outpost24 report finds Top 10 US Credit Unions all have web application issues

Category: App Security, Web Security | DISC @ 9:12 am


Apr 20 2021

Web Application Security’s Lost Year

Category: App Security, Web Security | DISC @ 1:15 pm

Web Application Security More Critical Than Ever

Other findings from the report include:

  • An overall prevalence of high-severity vulnerabilities such as remote code execution, SQL injection, and cross-site scripting;
  • Medium-severity vulnerabilities such as denial-of-service, host header injection and directory listing, remained present in 63% of web apps in 2020;
  • Several high-severity vulnerabilities did not show improvement in 2020 despite being well understood, such as the incidence of remote code execution, which increased by one percentage point last year.

COVID-19 pushed organizations and consumers to an even greater reliance on web applications. As organizations depend on web applications – ranging from web conferencing and collaboration environments to e-commerce sites – to handle what were once in-person tasks, web application security has become even more critical than ever. And that’s what makes a lost year of web application security so troublesome.

Web attacks reached new highs during the pandemic, according to Interpol, and that puts the security of companies at greater risk.

“It’s very troubling to see this loss of momentum due to reduced attention to web application security,” said Invicti president and COO Mark Ralls in a formal statement. “As we look ahead, we hope to see organizations adopt best practices and invest in security, so that they can continue to advance their web security posture, protect their customers, and avoid being the next big security breach headline.”


Apr 20 2021

Firefox 88 patches bugs and kills off a sneaky JavaScript tracking trick

Category: Web Security | DISC @ 1:08 pm

Over the past two months or so, Mozilla’s Firefox browser has had a lot less media attention than Google’s Chrome and Chromium projects, but Mozilla probably isn’t complaining this time, given that the last three mainstream releases of Chrome have included security patches for zero-day security holes.

A zero-day is where the crooks find an exploitable security hole before the good guys do, and start abusing that bug to do bad stuff before a patch exists.

The name reflects the annoying fact that there were zero days that you could possibly have been ahead of the crooks, even if you are the sort of accept-no-delays user who always patches on the very same day that software updates first come out.

To be fair to the Chromium team, the most recent zero-day hole, patched in version 90 of the Chrome and Chromium projects, is best described as half-a-hole. You have to go out of your way to run the browser with its protective sandbox turned off, something that you will probably not do by choice, and are unlikely to do by mistake.

Tags: Firefox, JavaScript tracking


Apr 08 2021

Italian charged with hiring “dark web hitman” to murder his ex-girlfriend

Category: Cyber Espionage, Web Security | DISC @ 8:35 am

In a brief yet fascinating press release, Europol just announced the arrest of an Italian man who is accused of “hiring a hitman on the dark web”.

According to Europol:

The hitman, hired through an internet assassination website hosted on the Tor network, was paid about €10,000 worth in Bitcoins to kill the ex-girlfriend of the suspect.

Heavy stuff, though Europol isn’t saying much more about how it traced the suspect other than that it “carried out an urgent, complex crypto-analysis.”

In this case, the word crypto is apparently being used to refer to cryptocurrency, not to cryptography or cryptanalysis.

In other words, the investigation seems to have focused on unravelling the process that the suspect followed in purchasing the bitcoins used to pay for the “hit”, rather than on decrypting the Tor connections used to locate the “hitman” in the first place, or in tracing the bitcoins to the alleged assassin.

Fortunately (if that is the right word), and as we have reported in the past, so-called dark web hitmen often turn out to be scammers – after all, if you’ve just done a secret online deal to have someone killed, you’re unlikely to complain to the authorities if the unknown person at the other end runs off with your cryptocoins:

Tags: dark net, dark web


Mar 31 2021

IETF deprecates TLS 1.0 and TLS 1.1, update to latest versions

Category: Web Security | DISC @ 3:05 pm

The IETF has formally deprecated the TLS 1.0 and TLS 1.1 cryptographic protocols because they lack support for recommended cryptographic algorithms and mechanisms.

The Internet Engineering Task Force (IETF) formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Both versions lack support for current and recommended cryptographic algorithms and mechanisms. TLS version 1.2 was recommended for IETF protocols in 2008 and became obsolete with the introduction of TLS version 1.3 in 2018.

The TLS protocol was designed to allow client/server applications to communicate over the Internet in a secure way preventing message forgery, eavesdropping, and tampering.

The move to deprecate old versions aims at making products using them more secure.

The IETF now only recommends the use of the two latest versions TLS 1.2 and TLS 1.3.

Experts pointed out that older versions of the protocol used cryptographic algorithms that were hit by multiple attacks over the years, including BEAST, LUCKY 13, POODLE, and ROBOT.

Recently the US National Security Agency (NSA) published a guide urging organizations to eliminate obsolete Transport Layer Security (TLS) protocol configurations.

However, the number of organizations that are still using the deprecated versions of the protocol remains high.

Tags: TLS, TLS 1.1


Mar 25 2021

Chrome to Enforce HTTPS Web Protocol (Like It or Not)

Category: Information Security, Web Security | DISC @ 1:58 pm

If you type in securityboulevard.com, Chrome version 90 will send you directly to the secure version of the site. Surprisingly, that’s not what it currently does—instead, Google’s web browser relies on the insecure site to silently redirect you.

That’s slow. And it’s a privacy problem, potentially. This seemingly unimportant change could have a big—if unseen—impact.

So long, cleartext web. In today’s SB Blogwatch, we hardly knew ye.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Making breakfast.

What a Difference an ‘s’ Makes

What’s the craic? Thomas Claburn reports—“Chrome 90 goes HTTPS by default”:

Lack of security is currently the norm in Chrome. The same is true in other browsers. This made sense in the past when most websites had not implemented support for HTTPS.

But these days, most of the web pages loaded rely on secure transport. Among the top 100 websites, 97 of them currently default to HTTPS. [So] when version 90 of Google’s Chrome browser arrives in mid-April, initial website visits will default to a secure HTTPS connection.

Chrome to Enforce HTTPS Web Protocol (Like It or Not)

Tags: HTTPS Web Protocol


Mar 23 2021

Tackling cross-site request forgery (CSRF) on company websites

Category: Web Security | DISC @ 9:42 am

CSRF arises because of a problem with how browsers treat cross origin requests. Take the following example: a user logs into site1.com and the application sets a cookie called ‘auth_cookie’. A user then visits site2.com. If site2.com makes a request to site1.com, the browser sends the auth_cookie along with it.

Normally this doesn’t matter: if it’s a GET request, the page is served and the same-origin policy stops any funny business. But what if site2.com makes a POST request instead? That request comes from the same computer as the valid session and carries the correct authentication cookie. The server has no way to tell the difference, so any state-changing operation can be performed.

During the course of a recent penetration test I noticed that, on the application I was assessing, admins had the ability to add web pages: a pretty reasonable action for the site in question. Unfortunately, the action of adding a page was vulnerable to CSRF. My pen test attack not only created a new page, but also stole administrative credentials from the site, using some unorthodox HTML.

Now, the start of any CSRF attack is always the payload. The first thing to note here is that when an iframe loads, it sends a GET request to whatever is specified in the ‘src’ parameter. Normally this is a standard page, and the content is displayed. But what if you framed a ‘log-off’ page which invalidated your authentication cookie and then redirected you back to ‘index.html’?

Well, turns out it does exactly what it says on the tin, but, importantly, it doesn’t redirect the entire page, only the contents of the iframe. The following code logs a user out without causing a redirect, so any malicious JavaScript injected will still execute.
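As an added example that is not from the original post: a server-side check for the site1.com scenario above, combining a SameSite cookie attribute, an Origin/Referer check and a per-session synchronizer token, so that a cross-site POST from site2.com is rejected even though the browser attached auth_cookie. The origin, cookie name, form field name and secret are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for the example; site1.com is the site named in the post.
SITE_ORIGIN = "https://site1.com"
SERVER_SECRET = secrets.token_bytes(32)  # constructed per process; persist it in real use


def issue_session_cookie(session_id: str) -> str:
    """Set-Cookie value for the login response.

    SameSite=Lax makes the browser withhold auth_cookie on cross-site POSTs
    (the site2.com -> site1.com case), which removes the ambient credential
    CSRF relies on. Secure and HttpOnly are the usual companions.
    """
    return f"auth_cookie={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token: HMAC of the session id under a server secret.

    The token is embedded in the site's own forms; a token minted for one
    session cannot be replayed against another, and site2.com cannot read it
    because the same-origin policy blocks reading site1.com responses.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Check the request source from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # reject rather than guess when both are absent
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    # A literal "null" Origin (sandboxed or opaque source) also fails here.
    return origin == SITE_ORIGIN


def is_state_change_allowed(method: str, headers: dict, cookies: dict, form: dict) -> bool:
    """Gate for state-changing requests such as the admin 'add page' action."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must never change state, so no token needed
    session_id = cookies.get("auth_cookie")
    if not session_id:
        return False  # not logged in
    if not origin_allowed(headers):
        return False  # cross-site request carrying our cookie
    submitted = form.get("csrf_token", "")
    expected = csrf_token_for(session_id)
    return hmac.compare_digest(submitted, expected)  # constant-time compare


if __name__ == "__main__":
    sid = "s3ss10n"
    tok = csrf_token_for(sid)
    print(issue_session_cookie(sid))
    print("same-site POST:", is_state_change_allowed(
        "POST", {"Origin": SITE_ORIGIN}, {"auth_cookie": sid}, {"csrf_token": tok}))
    print("cross-site POST:", is_state_change_allowed(
        "POST", {"Origin": "https://site2.com"}, {"auth_cookie": sid}, {"csrf_token": tok}))
```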

CSRF

Source: Tackling cross-site request forgery (CSRF) on company websites

Rethinking Cross-Site Request Forgery in Light of Big Data

Emerging Trends in ICT Security: Chapter 20. CSRF and Big Data: Rethinking Cross-Site Request Forgery in Light of Big Data (Emerging Trends in Computer Science and Applied Computing) by [Maria Angel Marquez-Andrade, Hamzeh Roumani, Natalija Vlajic]

Tags: cross-site request forgery, CSRF


Mar 18 2021

Exploiting Spectre Over the Internet

Category: Security vulnerabilities, Web Security | DISC @ 9:45 am

Google has demonstrated exploiting the Spectre CPU attack remotely over the web:

Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector. We have developed an interactive demonstration of the attack available at https://leaky.page/ ; the code and a more detailed writeup are published on Github here.

The demonstration website can leak data at a speed of 1kB/s when running on Chrome 88 on an Intel Skylake CPU. Note that the code will likely require minor modifications to apply to other CPUs or browser versions; however, in our tests the attack was successful on several other processors, including the Apple M1 ARM CPU, without any major changes.

Tags: Exploiting Spectre


Mar 13 2021

What is HTTPS?

Category: Web Security | DISC @ 5:57 pm

HTTPS secures the connection to the website you are visiting. I’m sure you have seen this in action; look at the address bar in the browser and find the lock icon on the left-hand side. Is the lock closed? Then the connection is secure. Is it open, or is there another type of icon or message? Then it’s not secure and vulnerable to attack. Using a site over a non-secure connection means hackers/criminals could intercept the data you send to the site, like your password and email address. Here, I’ll explain what HTTPS is and why it plays a role in (technical) SEO.


Tags: HTTP, HTTP Secure, HTTPS


Mar 04 2021

Another Chrome zero-day exploit – so get that update done!

Category: Web Security | DISC @ 12:32 am

Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.

Patch now, we said.

And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:

The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update bulletin that includes 47 security fixes, of which eight have a severity level of High.

In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those days/weeks to elapse until the update finds you.

If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.

Tags: Chrome zero-day


Feb 17 2021

“ScamClub” gang outed for exploiting iPhone browser bug to spew ads

Category: Smart Phone, Web Security | DISC @ 3:51 pm

Digital ad company Confiant, which claims to “improve the digital marketing experience” for online advertisers by knowing about and getting rid of malicious and unwanted ads, has just published an analysis of a malvertising group it calls ScamClub.

According to Confiant, this group is behind a massive number of those annoying and scammy popup campaigns you will almost certainly have seen, where you visit an apparently honest web page and then get pestered with online surveys.

We’ve warned our readers many times about the risks of online surveys – even ones that don’t obviously or explicitly lead to attempted malware infections.

At best, you will often end up giving away a surprising amount of personal data, typically in return for a minuscule chance of winning a free product (fancy phones, high-value gift cards and games consoles are typically used as lures).

“ScamClub” gang outed for exploiting iPhone browser bug to spew ads

Tags: browser bug


Feb 17 2021

Browser Tracking Using Favicons

Category: Web Security | DISC @ 1:56 pm

Interesting research on persistent web tracking using favicons. (For those who don’t know, favicons are those tiny icons that appear in browser tabs next to the page name.)

Abstract: The privacy threats of online tracking have garnered considerable attention in recent years from researchers and practitioners alike. This has resulted in users becoming more privacy-cautious and browser vendors gradually adopting countermeasures to mitigate certain forms of cookie-based and cookie-less tracking. Nonetheless, the complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries. In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons. In more detail, a website can track users across browsing sessions by storing a tracking identifier as a set of entries in the browser’s dedicated favicon cache, where each entry corresponds to a specific subdomain. In subsequent user visits the website can reconstruct the identifier by observing which favicons are requested by the browser while the user is automatically and rapidly redirected through a series of subdomains. More importantly, the caching of favicons in modern browsers exhibits several unique characteristics that render this tracking vector particularly powerful, as it is persistent (not affected by users clearing their browser data), non-destructive (reconstructing the identifier in subsequent visits does not alter the existing combination of cached entries), and even crosses the isolation of the incognito mode. We experimentally evaluate several aspects of our attack, and present a series of optimization techniques that render our attack practical. We find that combining our favicon-based tracking technique with immutable browser-fingerprinting attributes that do not change over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds. Furthermore, our attack works in all major browsers that use a favicon cache, including Chrome and Safari. Due to the severity of our attack we propose changes to browsers’ favicon caching behavior that can prevent this form of tracking, and have disclosed our findings to browser vendors who are currently exploring appropriate mitigation strategies.

Source: Browser Tracking Using Favicons


Feb 14 2021

PayPal addresses reflected XSS bug in user wallet currency converter

Category: Web Security | DISC @ 11:49 am

PayPal has fixed a reflected cross-site scripting (XSS) vulnerability that was discovered in the currency converter feature of user wallets on February 19, 2020, close to one year ago.

The ‘reflected XSS and CSP bypass’ vulnerability was reported by the bug bounty hunter “Cr33pb0y” through the HackerOne platform.

“An endpoint used for currency conversion was found to suffer from a reflected XSS vulnerability, where user input was not being properly sanitized in a parameter in the URL. This could lead to a malicious user injecting malicious JavaScript, HTML, or any other type of code that the browser may execute. The malicious script will execute in the browser page DOM of another user typically without their knowledge or consent.” reads the summary published by PayPal.

PayPal has implemented additional validation checks and sanitizer controls for user input in the currency exchange feature before it is returned in the response.

According to PayPal, the flaw resided in the currency conversion endpoint and was caused by a failure to properly sanitize the input in a parameter in the URL.

An attacker could have exploited the flaw to inject malicious code (JavaScript, HTML, or any other language) that would be executed within the browser.
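As an added example (not PayPal’s code, and not from the original post): a minimal currency-conversion handler that reflects a URL parameter into HTML unescaped, next to a hardened version that validates the value against an allow-list, HTML-escapes anything it echoes back, and sends a Content-Security-Policy header as defence in depth. The URL, parameter name, currency list and probe value are assumptions constructed for the example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list of currency codes the converter supports.
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP", "JPY"}


def _target_currency(url: str) -> str:
    """Pull the assumed 'to' query parameter out of the request URL."""
    params = parse_qs(urlsplit(url).query)
    return params.get("to", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflected XSS: the parameter goes straight into the HTML body.

    This is the defect class the post describes; whatever markup the URL
    carries becomes part of the page another user's browser renders.
    """
    to = _target_currency(url)
    return f"<p>Converting your balance to {to}</p>"


def render_hardened(url: str) -> tuple:
    """Validate first, escape everything echoed back, and add CSP.

    Returns (headers, body). Validation keeps unknown values out of the
    success path; escaping makes the error path render the value as text;
    CSP without 'unsafe-inline' blocks injected inline script if a future
    encoding slip reintroduces the bug (defence in depth, not a substitute).
    """
    to = _target_currency(url)
    if to in ALLOWED_CURRENCIES:
        body = f"<p>Converting your balance to {to}</p>"
    else:
        # escape() turns < > & " ' into entities, so the browser shows text
        body = f"<p>Unknown currency: {escape(to)}</p>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }
    return headers, body


if __name__ == "__main__":
    # Constructed probe: a harmless script tag standing in for attacker input.
    probe = "https://wallet.example/convert?to=%3Cscript%3Ex%3C/script%3E"
    print(render_vulnerable(probe))      # script tag survives into the page
    print(render_hardened(probe)[1])     # script tag rendered as &lt;script&gt;
    print(render_hardened("https://wallet.example/convert?to=EUR")[1])
```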

Tags: wallet currency converter, XSS bug

