span class="entry-content post-content">Last week, I attended the NotSoSecure Advanced Web Hacking training. While there were plenty of interesting topics taught, one that caught my attention was Out-of-Band (OOB) Data Exfiltration using DNS.Back in 2018, NotSoSecure published an Out of Band Exploitation (OOB) CheatSheet. In that document, they cover methods
No one doubts the importance of cybersecurity in web development — and yet, often in the development cycle, we neglect to prioritize it across each sprint and into the final product. Making cybersecurity a priority throughout every development sprint cycle is necessary to combat the tide of digital attacks threatening the modern web. But how can you ensure y
Black Friday and the holiday season are approaching, and shoppers are forecast to spend record amounts again this year. Retail websites big and small can expect a lot of interest from shoppers looking for deals, and a lot of interest from cybercriminals looking to cash in on those shoppers, by stealing their credit card details with stealthy card skimmers.
As the world increasingly moves to a digital format, cybersecurity is becoming more important than ever. It’s especially significant since, according to a recent survey by Sophos, 51% of businesses in America experienced a ransomware attack in 2020. That’s a staggering number of security vulnerabilities that truly shouldn’t exist in the modern day and age.&n
Social media is no stranger to scams. However, recent trends show scammers have started to show more aggression toward businesses since the beginning of the pandemic. Being able to recognize these scams can help you prevent injury to your business.Social Media as a Newer Cybercrime Platform for Targeting BusinessesScammers go where the people are. Today, mor
A popular joke among technologists says that it’s always DNS, even when it initially didn’t seem that way. DNS issues come in many shapes and forms, including some often-overlooked security issues.DNS (short for the Domain Name System) continues to be described as “the phonebook of the Internet,” but many people, including most readers of this blog, will be
byPaul DucklinThe US government just announced its plans for HTTPS on all dot-gov sites.HTTPS, of course, is short for for “secure HTTP”, and it’s the system that puts the padlock in your browser’s address bar.Actually, the government is going one step further than that.As well as saying all dot-gov sites should be available over HTTP
What is the meaning of an origin?
Two websites are said to have same origin if both have following in common:
Scheme (http, https)
Host name (google.com, facebook.com, securelayer7.net)
Port number (80, 4567, 7777)
So, sites http://example.com and http://example.com/settings have same origin. But https://example.com:4657 and http://example.com:8080/setting
Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them.
Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but to pay for the r
WordPress (WP) is the most popular and widely used blogging platform. It supports every kind of website, from a simple blog to a full-featured business website. Twenty-six percent of all websites globally use WordPress. As a result of this popularity, hackers and spammers have taken keen interest in breaking the security of WP-operated sites.In this post, we
By Fernando ArnaboldiSecurity updates are a common occurrenceonce you have installed Drupal. In October 2014, there was a massive defacement attack that effected Drupal users who did not upgrade in the first seven hoursafter a security update was released. This means that Drupal updates must bechecked as frequently as possible (even though by default, Drup
Despite calls to eliminate Adobe Flash Player, researchers inside and outside the vendor continue to invest in and build mitigations against modern attacks.As recently as three weeks ago, Adobe announced it had rewritten its memory manager, laying the groundwork for widespread heap isolation, which is an important protection against use-after-free vulnerabil
An attacker in a man-in-the-middle position could abuse a STARTTLS downgrade vulnerability in the Cisco Jabber client-server negotiation in order to intercept communication.Cisco warned its customers yesterday, but has yet to patch the vulnerability, which affects the Cisco Jabber clients for Windows, iPhone, iPad and Android. Researchers Renaud Dubourguai
Well, if you thought you had it rough in 2014 because of big, bad Poodles and an irritating case of Heartbleed, things only got worse this year. Rather than intrusions permeating our IT systems and stealing our data, attacks got a bit more personal in 2015. Not only were privacy and civil liberties put at risk by legislators pushing overbearing rules based o
Recently it came to my attention that it was possible to abuse JSONP callbacks using a vulnerability known as SOME – Same Origin Method Execution which can be used by an attacker to widely abuse a user’s trust between the web application and the intended flow of execution. For example, using the SOME attack it is possible for an attacker to trick
Announce
Share high-quality web security related articles with you:)