Update 8/16/19 - It appears that not long after I published this, Chrome sent an update that now mimics FireFox. In Chrome you now get a new tab that has a URL of "about:blank#blocked". When working on a recent test I noticed something pretty interesting when I had found what I thought was a Cross-Site Scripting vulnerability. I have posted previously on the ability to execute XSS when you control the HREF attribute of a link tag. This is done by setting a url to javascript:alert(9);. This … [Read more...] about Interesting Browser Difference
blog
Ep. 113: What is your mother’s maiden name?
In this episode, James talks about some of the risks and recommendations around security questions and their implementation. For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. … [Read more...] about Ep. 113: What is your mother’s maiden name?
XSS in Script Tag
Cross-site scripting is a pretty common vulnerability, even with many of the new advances in UI frameworks. One of the first things we mention when discussing the vulnerability is to understand the context. Is it HTML, Attribute, JavaScript, etc.? This understanding helps us better understand the types of characters that can be used to expose the vulnerability. In this post, I want to take a quick look at placing data within a <script> tag. In particular, I want to look at how embedded … [Read more...] about XSS in Script Tag
Ep. 112: Application Fingerprinting
Does your application give away details about it server, framework, or other components? How is this information used by an attacker? Check out this episode to learn more. For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. … [Read more...] about Ep. 112: Application Fingerprinting
Ep. 111: Authentication Alerts
Would you know if someone authenticated to your account? With the breaches we see in the news, and attacks like credential stuffing, there must be a way to be alerted to account access. James talks about authentication alerts, what they are, and why you may want to use them. For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to … [Read more...] about Ep. 111: Authentication Alerts
Ep. 110: Implementation Matters
James discusses how implementation matters with security controls and how it changes priorities. This came about after reading the following story: https://www.theverge.com/2018/12/31/18162541/vein-authentication-wax-hand-hack-starbug For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. … [Read more...] about Ep. 110: Implementation Matters