Web Browser Address Bar Spoofing

Category: Web Security Readings - Last Updated: Thu, 15 Nov 2018 - by Ziyahan Albeniz
Web Browser Address Bar Spoofing

This blog post looks at two address bar spoofing incidents. The first involved the Homograph vulnerability, where attackers used the IDN feature to trick users by imitating legitimate characters. The second involved Edge and Safari, in which visitors redirected to another website were intercepted by attackers. Code samples are included. Read More

The Powerful Resource of PHP Stream Wrappers

Category: Web Security Readings - Last Updated: Wed, 14 Nov 2018 - by Ziyahan Albeniz
The Powerful Resource of PHP Stream Wrappers

This blog post examines how PHP stream wrappers can be used to bypass keyword based blacklists. It includes an examination of the generic functions that can be used to interact with streams, the concept of stream-context and steam filters. It also looks at PHP wrappers in RFI attacks and bypassing blacklists. Code samples are supplied throughout. Read More

The Dangers of Open Git Folders

Category: Web Security Readings - Last Updated: Thu, 18 Oct 2018 - by Ziyahan Albeniz
The Dangers of Open Git Folders

This blog post examines the research of Finnish computer scientist Vladimir Smitka on the dangers of open version control system Git files. We discuss his results, how prevalent it is, why the structure of Git makes it so convenient for hackers, how you can check if your Git folder is open and how to protect your folders. Read More

NoScript Vulnerability in Tor Browser

Category: Web Security Readings - Last Updated: Thu, 11 Oct 2018 - by Ziyahan Albeniz
NoScript Vulnerability in Tor Browser

This blog post discusses the 0-Day vulnerability introduced into the Tor Browser's NoScript script blocking extension, originally designed to allow users to block JavaScript from running, and how it could have been disabled it in order to potentially unmask Tor users with a JavaScript exploit. It includes an explanation of the exploit code. Read More

Final Nail in the Coffin of HTTP: Chrome 68 and SSL/TLS Implementation

Category: Web Security Readings - Last Updated: Thu, 30 Aug 2018 - by Ziyahan Albeniz
Final Nail in the Coffin of HTTP: Chrome 68 and SSL/TLS Implementation

In this blog post, our Security Researcher Ziyahan Albeniz examines the latest Chrome release, which makes secure web connections the new standard by checking the validity of secure TLS certificates. This article examines encryption keys, certificates and certificate authorities, HSTS, HPKP, SRI and CSP, and concludes with some code examples. Read More

Exploiting a Microsoft Edge Vulnerability to Steal Files

Category: Web Security Readings - Last Updated: Wed, 01 Aug 2018 - by Ziyahan Albeniz

This blog post documents our Security Researcher Ziyahan Albeniz's experiment in exploiting a Microsoft Edge browser vulnerability. He explains how a combination of SOP, the ability to email clickable links and a vulnerability in both the Windows Mail and Calendar applications actually enable the exploit. It includes his Proof of Exploit video. Read More