Security - sgml/signature GitHub Wiki

  • evaluating python code inside curly brackets
  • put expressions in form fields
  • see if an expression evaluates by looking for it in the dev tools
  • if it does, try to grab data from that scope in the devtools
  • if that works, try the equivalent in the form field

Side Channel

Another type of non-intrusive but challenging-to-prevent attack is a "Side-Channel Attack". This attack gathers information from the physical implementation of a system rather than exploiting software vulnerabilities. Examples include:

  • Power Analysis Attacks: Observing the power consumption of a device to extract cryptographic keys.
  • Electromagnetic Attacks: Monitoring electromagnetic emissions from electronic devices to gather sensitive data.
  • Timing Attacks: Analyzing the time taken to execute cryptographic algorithms to uncover private information.

Side-channel attacks can be particularly difficult to guard against because they exploit indirect information leaks rather than breaking through conventional security measures.

RCE

Obscurity

parse with awk, no worries:

Process offline in batches; only use SMTP

Fax Machine CVE

Man-in-the-Middle

Multi-Factor

Fax Machine

Notifications

Passwordless

Sandboxing

AOP

Culture

OTP

http://www.quuxlabs.com/blog/2010/09/paper-token-gutenbergs-version-of-one-time-passwords/

Trusting Trust

https://dwheeler.com/trusting-trust/

References

Basics

https://www.troyhunt.com/security-insanity-how-we-keep-failing-at-the-basics/

https://www.troyhunt.com/the-beginners-guide-to-breaking-website/

https://davidwalsh.name/disable-autocorrect

http://10rem.net/blog/2012/02/14/ux-anti-patterns-for-security-on-the-web-and-in-the-enterprise

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

http://www.solomoncloudsolutions.com/uploads/5/2/7/9/52794453/microsoftdynamicsslsecurity.pdf

Binary

https://crypto.stackexchange.com/questions/63450/why-doesnt-steganography-increase-the-size-of-an-uncompressed-image

Templating

Same Origin Policy

Service Worker

Reflected XSS

https://dzone.com/articles/reflected-xss-explained-how-to-prevent-reflected-x

https://buer.haus/2015/01/21/admin-google-com-reflected-cross-site-scripting-xss/

https://www.theregister.co.uk/2017/05/12/googles_php_api_client_has_xss_vulnerability/

https://seclists.org/fulldisclosure/2017/May/42

https://medium.com/@protector47/how-to-hack-wordpress-website-via-xmlrpc-php-61c813fa3740

DOM XSS

https://hackerone.com/reports/46072

http://danlec.com/blog/xss-via-a-spoofed-react-element

https://cure53.de/fp170.pdf

https://www.securityweek.com/javascript-library-introduced-xss-flaw-google-search

https://www.slideshare.net/kseniadmitrieva/how-to-react-to-javascript-insecurity

https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412

https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1

https://medium.com/@arkadiusz.machalica/how-to-render-static-markup-with-react-e0d192ac3a8c

https://www.owasp.org/images/f/f4/ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf

http://blog.k3170makan.com/2016/02/stealing-secrets-with-css-cross-origin.html

https://github.com/cure53/XSSChallengeWiki/wiki/ES6-Challenge

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

https://cure53.de/es6-for-penetration-testers.pdf

https://github.com/facebook/react/issues/10506

Research Papers

https://bok.idpro.org/article/41/galley/57/view/

https://www.cisa.gov/sites/default/files/publications/Cloud%20Security%20Technical%20Reference%20Architecture.pdf

https://www.azed.gov/sites/default/files/2020/11/NetworkSecurityIT11199900.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-5db24e87f9132e0807e4f9a92d2bc162/pdf/GOVPUB-C13-5db24e87f9132e0807e4f9a92d2bc162.pdf

https://www.hpc.mil/images/hpcdocs/ipv6/masterthesis_johannes_weber_ipv6securitytestlaboratory.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-3cee6719f04b98ad3d753a966b662c51/pdf/GOVPUB-C13-3cee6719f04b98ad3d753a966b662c51.pdf

https://www.govinfo.gov/content/pkg/GOVPUB-C13-14573868b226d8f4b535dea60dc6c1f7/pdf/GOVPUB-C13-14573868b226d8f4b535dea60dc6c1f7.pdf

https://www.govinfo.gov/media/Authentication_Definitions.pdf

https://apps.dtic.mil/sti/pdfs/AD1046565.pdf

https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/p385_30.pdf

https://www.safety.marines.mil/Risk-Management/

https://www.spa.usace.army.mil/Portals/16/docs/business/smallbusiness/2021%20BOOH/B3-Cyber_Security.pdf?ver=B-E2odYFMUwjqankJCgFCA%3D%3D

https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/ARN17343_P25_2_7_Admin_FINAL.pdf

https://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf

https://www.nccoe.nist.gov/sites/default/files/legacy-files/fs-pam-fact-sheet.pdf