Security - sgml/signature GitHub Wiki
- evaluating python code inside curly brackets
- put expressions in form fields
- see if an expression evaluates by looking for it in the dev tools
- if it does, try to grab data from that scope in the devtools
- if that works, try the equivalent in the form field
Side Channel
Another type of non-intrusive but challenging-to-prevent attack is a "Side-Channel Attack". This attack gathers information from the physical implementation of a system rather than exploiting software vulnerabilities. Examples include:
- Power Analysis Attacks: Observing the power consumption of a device to extract cryptographic keys.
- Electromagnetic Attacks: Monitoring electromagnetic emissions from electronic devices to gather sensitive data.
- Timing Attacks: Analyzing the time taken to execute cryptographic algorithms to uncover private information.
Side-channel attacks can be particularly difficult to guard against because they exploit indirect information leaks rather than breaking through conventional security measures.
RCE
- https://medium.com/@akshukatkar/rce-with-flask-jinja-template-injection-ea5d0201b870
- https://royaljay.com/security/angular-expression-injections/
- https://www.reddit.com/r/webdev/comments/808ls4/mixing_vuejs_templates_with_serverside_templates/
- https://ryhanson.com/angular-expression-injection-walkthrough/
- https://blog.hackmetrix.com/should-you-care-about-xss-in-vuejs/
- https://github.com/dotboris/vuejs-serverside-template-xss
- https://snyk.io/vuln/npm:vue:20180802
- https://github.com/vuejs/vue/issues/7860
- https://vuejs.org/v2/guide/syntax.html#Using-JavaScript-Expressions
Obscurity
parse with awk, no worries:
- https://www.gnu.org/software/gawk/manual/html_node/Splitting-By-Content.html
- http://www.theunixschool.com/2012/06/awk-10-examples-to-group-data-in-csv-or.html
Process offline in batches; only use SMTP
- https://www.theguardian.com/technology/2008/oct/17/richard-stallman-computer-programming
- https://news.ycombinator.com/item?id=37699851
- https://cdevroe.com/2010/01/24/richard-stallman-s-approach-to-email/
Fax Machine CVE
Man-in-the-Middle
- https://www.schneier.com/blog/archives/2017/07/a_man-in-the-mi.html
- https://medium.com/@Alibaba_Cloud/protect-your-website-how-to-avoid-sms-traffic-flooding-attacks-d8d9561dcdeb
Multi-Factor
- https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html
- https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/TRANSITION%20TO%20MULTI-FACTOR%20AUTHENTICATION.PDF
Fax Machine
- https://www.cnbc.com/2018/02/10/milllennial-doctors-forced-to-use-fax-machines-causing-puzzlement.html
- https://thehackernews.com/2018/08/hack-printer-fax-machine.html
Notifications
Passwordless
- https://breakingdefense.com/2019/05/end-of-passwords-disa-tests-walkabout-identity-system/
- https://www.usajobs.gov/Help/how-to/account/limited-access/
Sandboxing
- http://www.cse.chalmers.se/~dave/papers/SafeWrappers.pdf
- https://medium.com/nassec-cybersecurity-writeups/tips-from-a-security-researcher-to-a-qa-engineer-to-enhance-software-quality-assurance-80a01e2be194
AOP
Culture
- https://www.adobe.com/content/dam/acom/en/security/pdfs/adb_security-culture-wp.pdf
- https://arxiv.org/pdf/1612.00766.pdf
- https://webkit.org/blog/8311/intelligent-tracking-prevention-2-0/
- https://clearcode.cc/blog/intelligent-tracking-prevention/
- https://moz.com/blog/machine-learning-and-link-spam-my-brush-with-insanity
- https://blog.acolyer.org/2019/07/08/software-engineering-for-machine-learning/
OTP
http://www.quuxlabs.com/blog/2010/09/paper-token-gutenbergs-version-of-one-time-passwords/
Trusting Trust
https://dwheeler.com/trusting-trust/
References
- https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities
- https://owasp.org/www-pdf-archive/OWASP_Cheatsheets_Book.pdf
- https://www.mozilla.org/en-US/about/policy/lean-data/build-security/
- https://html5sec.org/
- https://blog.it-securityguard.com/bugbounty-papyal-xml-upload-cross-site-scripting-vulnerability/
- https://webstersprodigy.net/2012/02/04/serving-back-xml-for-xss/
- http://www.howtocreate.co.uk/crosssite.html
- https://labs.detectify.com/2018/09/04/xss-using-quirky-implementations-of-acme-http-01/
- http://www.dtic.mil/dtic/tr/fulltext/u2/1021683.pdf
- https://developer.android.com/docs/quality-guidelines/core-app-quality
- https://developer.android.com/guide/components/intents-filters#Types
- https://developer.android.com/training/articles/security-tips#DynamicCode
- https://arxiv.org/pdf/1704.03356.pdf
- https://cwe.mitre.org/data/index.html
- https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4090456/
- https://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf
- https://www.websand.eu
- https://www.us-cert.gov/bsi/articles/best-practices/assembly-integration-and-evolution--security-concept-challenge-and-design-considerations-web-services-integration
- http://bofh.nikhef.nl/events/HitB/hitb-2014-amsterdam/praatjes/D2T2-Exploring-and-Exploiting-iOS-Web-Browsers.pdf
- http://obem.be/2014/07/28/oauth-2-on-android.html
- https://docs.oracle.com/cd/E17952_01/mysql-utilities-1.6-en/utils-task-using-ssl.html
- http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7970.pdf
- https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
- https://www.owasp.org/index.php/Comprehensive_list_of_Threats_to_Authentication_Procedures_and_Data
- https://www.owasp.org/index.php/Phishing
- https://ethereum.stackexchange.com/questions/8565/lost-ethers-in-google-ad-phishing-scam
- https://webmasters.stackexchange.com/questions/85411/unable-to-locate-phishing-url-in-cpanel-file-manager
- https://www.owasp.org/images/a/ae/OWASP_Switzerland_Meeting_2015-06-17_XSLT_SSRF_ENG.pdf
- https://msdn.microsoft.com/en-us/library/ms537122
- https://www.linkedin.com/pulse/identity-bridge-how-api-gateway-bridges-oauth-jwt-saml-mark-o-neill/
- http://www.stearns.org/toolscd/current/ethereal/ethereal-user-guide.pdf
- https://www.oasis-open.org/committees/download.php/8958/sstc-saml-implementation-guidelines-draft-01.pdf
- http://canonical.org/~kragen/sw/netbook-misc-devel/wordlist
- https://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml
- https://www.usenix.org/system/files/login/issues/usenix_dec11_login.pdf
- https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/xdomain.html
- http://www.dtic.mil/docs/citations/ADA545053
- http://www.dtic.mil/docs/citations/ADA453238
- http://www.dtic.mil/docs/citations/AD1000434
- http://www.dtic.mil/docs/citations/AD1014839
- http://www.dtic.mil/docs/citations/AD1006391
- http://www.dtic.mil/docs/citations/AD1046295
- https://documentation.cpanel.net/display/CKB/OWASP+ModSecurity+CRS
- https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-vila.pdf
- https://www.sans.org/reading-room/whitepapers/forensics/forensic-primer-usenet-evidence-32829
Basics
https://www.troyhunt.com/security-insanity-how-we-keep-failing-at-the-basics/
https://www.troyhunt.com/the-beginners-guide-to-breaking-website/
https://davidwalsh.name/disable-autocorrect
http://10rem.net/blog/2012/02/14/ux-anti-patterns-for-security-on-the-web-and-in-the-enterprise
http://www.solomoncloudsolutions.com/uploads/5/2/7/9/52794453/microsoftdynamicsslsecurity.pdf
Binary
Templating
- https://html5sec.org
- https://nvd.nist.gov/vuln/detail/CVE-2000-1050
- http://tomcat.apache.org/security-4.html
- https://www.securityfocus.com/bid/4997
- https://docs.oracle.com/cd/A97688_16/generic.903/a97679/jspxml.htm
- https://www.developer.com/tech/article.php/626351/JavaServer-Pages-Comments-Declaration-and-Expressions.htm
- https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
- http://www.oracle.com/technetwork/java/seccodeguide-139067.html
- https://github.com/facebook/react/issues/3473
- https://lolware.net/2015/08/19/reactjs-xss-testing.html
- https://vip.wordpress.com/2015/03/25/preventing-xss-in-javascript/
- https://labs.detectify.com/2017/01/18/stored-xss-ing-millions-of-sites-through-html-comment-box/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180620-anyconnect-dos
Same Origin Policy
- https://marc.info/?l=bugtraq&m=102796732924658&w=2
- https://dev.to/rdegges/please-stop-using-local-storage-1i04
- https://labs.detectify.com/2016/12/15/postmessage-xss-on-a-million-sites/
- https://www.sec-1.com/blog/wp-content/uploads/2016/08/Hunting-postMessage-Vulnerabilities.pdf
- https://hackerone.com/reports/398054
- https://medium.com/bugbountywriteup/exploiting-post-message-to-steal-users-cookies-7df43a00289a
Service Worker
- https://github.com/w3c/ServiceWorker/issues/940
- https://ahussam.me/Amazon-leaking-csrf-token-using-service-worker/
- https://dzone.com/articles/using-csp-nonces-effectively-with-a-service-worker
Reflected XSS
https://dzone.com/articles/reflected-xss-explained-how-to-prevent-reflected-x
https://buer.haus/2015/01/21/admin-google-com-reflected-cross-site-scripting-xss/
https://www.theregister.co.uk/2017/05/12/googles_php_api_client_has_xss_vulnerability/
https://seclists.org/fulldisclosure/2017/May/42
https://medium.com/@protector47/how-to-hack-wordpress-website-via-xmlrpc-php-61c813fa3740
DOM XSS
https://hackerone.com/reports/46072
http://danlec.com/blog/xss-via-a-spoofed-react-element
https://www.securityweek.com/javascript-library-introduced-xss-flaw-google-search
https://www.slideshare.net/kseniadmitrieva/how-to-react-to-javascript-insecurity
https://medium.com/javascript-security/avoiding-xss-in-react-is-still-hard-d2b5c7ad9412
https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1
https://medium.com/@arkadiusz.machalica/how-to-render-static-markup-with-react-e0d192ac3a8c
https://www.owasp.org/images/f/f4/ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf
http://blog.k3170makan.com/2016/02/stealing-secrets-with-css-cross-origin.html
https://github.com/cure53/XSSChallengeWiki/wiki/ES6-Challenge
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
https://cure53.de/es6-for-penetration-testers.pdf
https://github.com/facebook/react/issues/10506
Research Papers
https://bok.idpro.org/article/41/galley/57/view/
https://www.azed.gov/sites/default/files/2020/11/NetworkSecurityIT11199900.pdf
https://www.hpc.mil/images/hpcdocs/ipv6/masterthesis_johannes_weber_ipv6securitytestlaboratory.pdf
https://www.govinfo.gov/media/Authentication_Definitions.pdf
https://apps.dtic.mil/sti/pdfs/AD1046565.pdf
https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/p385_30.pdf
https://www.safety.marines.mil/Risk-Management/
https://armypubs.army.mil/epubs/DR_pubs/DR_a/pdf/web/ARN17343_P25_2_7_Admin_FINAL.pdf
https://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
https://www.nccoe.nist.gov/sites/default/files/legacy-files/fs-pam-fact-sheet.pdf