Broken access control is things like direct object vulnerabilities and authorisation bypasses _as well_ as broken authentication controls. I'm not saying you're wrong, and agree that security should never be a 'premium'…
Friendly reminder that this is about frequency, as opposed to severity. 'Cryptographic Failures' is everything from theoretical vulnerabilities which require millions of dollars to exploit, through to systems with no…
This. I want a shell that will contextually spit out plaintext in interactive mode, then a JSON object when scripted or piped. Pretty sure this is what Powershell does, but the UI just feels so damn unnatural.
I really like Reveal.js. I feel the design constraints enforced (size / amount of text per slide) is awesome, but at the same time very limiting for technical presentations where large amounts of text data is pretty…
On the flipside, it's more plausible for an actor to get malicious code into a project in order to infect a target. Sure it has to be obscure enough to pass any code reviews during PR and/or involves compromising a…
I agree with CSP, but as I've commented on another thread I recommend CSP _with_ other mitigation factors due to DOM/HTML injection, and browser support.
I think the best solution is CSP _and_ injection mitigations - even without XSS there is still DOM injection which can be equally damaging reputationally. iirc, IE11 (under Windows 7, specifically) does not support CSP.…
Ping me on twitter. @yoloClin
Is anyone able to provide a map of modern frameworks? With React-native, React-redux, Angular, Vue and probably a bunch of others. I'm really not sure what's relevant now and what was relevant 6 months ago. I'm…
HTML Code Golf - How to make really small _extremely fragile_ HTML that doesn't break Firefox or Chrome, currently at least FTFY
Hey thanks for this, nushell looks really interesting! I really like the idea of an objective shell but don't like the verbosity of PowerShell inputs. I think if you go through my post history I actually describe…
What I'm talking about is a UI/UX problem that cannot be solved by key layout, I even experimented with a Ergodox and ended up in keybind hell really quickly because supporting one application others very quickly.
I fee like UI/UX needs to be completely redesigned and dvorak isn't even half (or any) of the battle. Single-key copy/paste, undo/redo, keyboard driven UIs, etc etc. I say this as I type on dvorak and while I love it, I…
Mike Zamansky has a pretty decent series which focuses mostly on third party package features - https://www.youtube.com/watch?v=49kBWM3RQQ8&list=PL9KxKa8NpF...
I had multiple friends pull me aside about similar email and asked to deal with it confidentially, I've probably had other friends pay up in attempt to avoid humiliation. I think it's well worth talking to friends and…
I'm from a country with public health care, so this comes as an interesting shock - would employees immediately lose health benefits if made redundant / fired etc? Seems to incentivize getting rid of people when they…
I'm more curious about how DB rollbacks occur in situations where a PR changes DB and is then reverted.
Irrespective of who's right or wrong it's pretty unnecessary to call each other names just because you don't agree, particularly when the question is theoretical and has almost no real world impact.
Transport encryption with PKI.
The issue is an injection attack. The ability to insert either unsanitised HTML data or data reflected inside the context of a JavaScript code block which results in JavaScript execution (by <script> tags, being able to…
IMO, using DNS for anything other than hostname lookups is a complete hack. I'm looking at you, SPF.
Secrets stored in cookies really shouldn't be accessible, the Set-Cookie HttpOnly flag should stop all JS access to a cookie. The HttpOnly flag still submits a cookie when you do an ajax GET/POST, but you cannot access…
It would have been much easier to say that if weaponised, an XSS vulnerability can access resources across the entire domain as if they were the victim, and should effectively be considered an account hijack of any…
I don't disagree that segregation is still important, but it really depends on specific environment technical details and threat models. Firewalling AD networks, for instance, really won't help if the administrative…
There's no reason it can't work in say development environments - the simplest approach is to configure whitelisted directories which permit execution in most solutions. It's not perfect but it helps prevent execution…
Broken access control is things like direct object vulnerabilities and authorisation bypasses _as well_ as broken authentication controls. I'm not saying you're wrong, and agree that security should never be a 'premium'…
Friendly reminder that this is about frequency, as opposed to severity. 'Cryptographic Failures' is everything from theoretical vulnerabilities which require millions of dollars to exploit, through to systems with no…
This. I want a shell that will contextually spit out plaintext in interactive mode, then a JSON object when scripted or piped. Pretty sure this is what Powershell does, but the UI just feels so damn unnatural.
I really like Reveal.js. I feel the design constraints enforced (size / amount of text per slide) is awesome, but at the same time very limiting for technical presentations where large amounts of text data is pretty…
On the flipside, it's more plausible for an actor to get malicious code into a project in order to infect a target. Sure it has to be obscure enough to pass any code reviews during PR and/or involves compromising a…
I agree with CSP, but as I've commented on another thread I recommend CSP _with_ other mitigation factors due to DOM/HTML injection, and browser support.
I think the best solution is CSP _and_ injection mitigations - even without XSS there is still DOM injection which can be equally damaging reputationally. iirc, IE11 (under Windows 7, specifically) does not support CSP.…
Ping me on twitter. @yoloClin
Is anyone able to provide a map of modern frameworks? With React-native, React-redux, Angular, Vue and probably a bunch of others. I'm really not sure what's relevant now and what was relevant 6 months ago. I'm…
HTML Code Golf - How to make really small _extremely fragile_ HTML that doesn't break Firefox or Chrome, currently at least FTFY
Hey thanks for this, nushell looks really interesting! I really like the idea of an objective shell but don't like the verbosity of PowerShell inputs. I think if you go through my post history I actually describe…
What I'm talking about is a UI/UX problem that cannot be solved by key layout, I even experimented with a Ergodox and ended up in keybind hell really quickly because supporting one application others very quickly.
I fee like UI/UX needs to be completely redesigned and dvorak isn't even half (or any) of the battle. Single-key copy/paste, undo/redo, keyboard driven UIs, etc etc. I say this as I type on dvorak and while I love it, I…
Mike Zamansky has a pretty decent series which focuses mostly on third party package features - https://www.youtube.com/watch?v=49kBWM3RQQ8&list=PL9KxKa8NpF...
I had multiple friends pull me aside about similar email and asked to deal with it confidentially, I've probably had other friends pay up in attempt to avoid humiliation. I think it's well worth talking to friends and…
I'm from a country with public health care, so this comes as an interesting shock - would employees immediately lose health benefits if made redundant / fired etc? Seems to incentivize getting rid of people when they…
I'm more curious about how DB rollbacks occur in situations where a PR changes DB and is then reverted.
Irrespective of who's right or wrong it's pretty unnecessary to call each other names just because you don't agree, particularly when the question is theoretical and has almost no real world impact.
Transport encryption with PKI.
The issue is an injection attack. The ability to insert either unsanitised HTML data or data reflected inside the context of a JavaScript code block which results in JavaScript execution (by <script> tags, being able to…
IMO, using DNS for anything other than hostname lookups is a complete hack. I'm looking at you, SPF.
Secrets stored in cookies really shouldn't be accessible, the Set-Cookie HttpOnly flag should stop all JS access to a cookie. The HttpOnly flag still submits a cookie when you do an ajax GET/POST, but you cannot access…
It would have been much easier to say that if weaponised, an XSS vulnerability can access resources across the entire domain as if they were the victim, and should effectively be considered an account hijack of any…
I don't disagree that segregation is still important, but it really depends on specific environment technical details and threat models. Firewalling AD networks, for instance, really won't help if the administrative…
There's no reason it can't work in say development environments - the simplest approach is to configure whitelisted directories which permit execution in most solutions. It's not perfect but it helps prevent execution…