11 min
App Security
XSS in JSON: Old-School Attacks for Modern Applications
This post highlights how cross-site scripting has adapted to today's modern web applications, specifically the API and JavaScript Object Notation (JSON).
9 min
App Security
Overview of Content Security Policies (CSPs) on the Web
A Content Security Policy is a protocol that allows a site owner to control what resources are loaded on a web page by the browser, and how those resources may be loaded.
4 min
App Security
How to Prevent Cross-Site Scripting (XSS) Attacks
Cross-site scripting (XSS) isn't new, but its impact and visibility are both growing. Here's what you need to know to protect your applications from XSS attacks.
6 min
App Security
Should You Use a SAST, DAST, or RASP App Security Tool?
In this blog, we discuss all things web applications and how to select the right application security solution to keep them safe from attack.
2 min
Vulnerability Disclosure
R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)
Summary
The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015
is vulnerable to stored cross-site scripting in two fields. An attacker would
need to have the ability to create a Workspace and entice a victim to visit the
malicious page in order to run malicious JavaScript in the context of the
victim's browser. Since the victim is necessarily authenticated, this can allow
the attacker to perform actions on the Biscom Secure File Transfer instance on
the victim's behalf.
4 min
Vulnerability Disclosure
R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)
Stored server cross-site scripting (XSS) vulnerabilities in the web application
component of OpenNMS [http://www.opennms.org/en] via the Simple Network
Management Protocol (SNMP). Authentication is not required to exploit.
Credit
This issue was discovered by independent researcher Matthew Kienow
[http://twitter.com/hacksforprofit], and reported by Rapid7.
Product Impact
The following versions were tested and successfully exploited:
* OpenNMS version 18.0.0
* OpenNMS version 18.0.1
Open
13 min
Vulnerability Disclosure
Multiple Disclosures for Multiple Network Management Systems, Part 2
As you may recall, back in December Rapid7 disclosed six vulnerabilities
[/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that
affect four different Network Management System (NMS) products, discovered by
Deral Heiland [http://twitter.com/percent_x] of Rapid7 and independent
researcher Matthew Kienow [http://twitter.com/hacksforprofit]. In March, Deral
followed up with another pair of vulnerabilities
[/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu
7 min
XSS
Cross-site Scripting (XSS) Attacks vs SQL Injection Attacks (SQLi)
A common misunderstanding in the world of Web App Security is the
difference between the consequences of a cross-site scripting
[http://2a7.forestnhill.com/fundamentals/cross-site-scripting/] vulnerability and
the consequences of an SQL Injection Attack (SQLi)
[http://2a7.forestnhill.com/fundamentals/sql-injection-attacks/]. We could even
step back and say the misunderstanding is on a much broader level; the
difference in consequences between a client-side exploitable vulnerability and a
ser
4 min
Apple
Abusing Safari's webarchive file format
tldr: for now, don't open .webarchive files, and check the Metasploit module,
Apple Safari .webarchive File Format UXSS
[http://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb]
Safari's webarchive format saves all the resources in a web page - images,
scripts, stylesheets - into a single file. A flaw exists in the security model
behind webarchives that allows us to execute script in the context of any domain
Universal Cross-Site S