"Zero-Days" Without Incident - Compromising Angular via Expired npm Publisher Email Domains
The Hacker Blog - Matthew Bryant
by Matthew Bryant (mandatory)
2y ago
NOTE: If you’re just looking for the high level points, see the “The TL;DR Summary & High-Level Points” section of this post. Recently I took an interest in the npm registry due to its critical role in the security of managing packages for all of JavaScript and Node. After registering an account and creating an example package, I began looking through various web endpoints to understand what sort of system I was dealing with. While browsing various popular packages, I noticed one fairly unique thing to the registry: email addresses for all users are public. For example, requesting my own …
Video Downloader and Video Downloader Plus Chrome Extension Hijack Exploit - UXSS via CSP Bypass (~15.5 Million Affected)
The Hacker Blog - Matthew Bryant
by Matthew Bryant (mandatory)
3y ago
Note: This post is going to be a bit different from the previous Chrome extension vulnerability writeups. I’m going to actually walk through the code along with you to show you how tracing through an extension generally works. For this reason the whole thing is a bit lengthy. While scanning various Chrome extensions with tarnish I found the popular Chrome extensions Video Downloader for Chrome version 5.0.0.12 (8.2 million users) and Video Downloader Plus (7.3 million users) suffer from a Cross-site Scripting (XSS) vulnerability in their browser action page. All that is required to exploit th …
Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS
The Hacker Blog - Matthew Bryant
by Matthew Bryant (mandatory)
3y ago
This is the first part of a series of stories of compromising companies via blind cross-site scripting. As companies fix the issues and allow me to disclose them, I will post them here. Blind cross-site scripting (XSS) is an often-missed class of XSS which occurs when an XSS payload fires in a browser other than the attacker’s/pentester’s. This flavour of XSS is often missed by penetration testers due to the standard alert box approach being a limited methodology for finding these vulnerabilities. When your payloads are all <script>alert(1)</script> you’re making the assumption th …
XSS Hunter – A Modern Approach to Testing for Cross-site Scripting (XSS)
The Hacker Blog - Matthew Bryant
by Matthew Bryant (mandatory)
3y ago
Cross-site Scripting (XSS) origins go (arguably) back to a lab in Microsoft in 1999. With the first disclosure of the issue titled “Malicious HTML Tags Embedded in Client Web Requests”, this research sparked an entire generation of an attack that somehow still seems to persist in modern web applications today. Despite this vulnerability being well-known and high impact, the testing methodologies for this issue seem to be the same as ever. How can this be? alert('Testing for XSS this way is antiquated'); It is bizarre that when you search for “how to test for XSS” almost every resource mentions …
The “Unhackable” WordPress Blog – Finding Security In the Static
The Hacker Blog - Matthew Bryant
by Matthew Bryant (mandatory)
3y ago
Using the word “unhackable” is generally considered a bad idea™ due to this being a largely unobtainable feat with software. In this post I attempt to get as close to “unhackable” as possible with my own personal blog (the one you’re reading right now). I have designed the process in such a way that it could be applied to any CMS (such as a corporate Drupal site, for example). The main idea being that you can take a super vulnerable site and compile it into a static set of files for viewing. WordPress Is Just Too Vulnerable One of the major motivators for this effort is the question I’ve been …
[Cross-Post] Fishing the AWS IP Pool for Dangling Domains
The Hacker Blog - Matthew Bryant
by Matthew Bryant (mandatory)
3y ago
Hey guys, If you’ve ever pointed your DNS to an EC2 instance or other Amazon service, you might wanna read this piece of research I did while working at Bishop Fox that shows how attackers can take over your domains by drawing from Amazon’s IP pool: http://www.bishopfox.com/blog/2015/10/fishing-the-aws-ip-pool-for-dangling-domains/ [Cross-Post] Fishing the AWS IP Pool for Dangling Domains was originally published by Matthew Bryant (mandatory) at The Hacker Blog on October 08, 2015 …