Posts tagged XSS

11 min App Security

XSS in JSON: Old-School Attacks for Modern Applications

This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and JavaScript Object Notation (JSON).

9 min App Security

Overview of Content Security Policies (CSPs) on the Web

A Content Security Policy is a protocol that allows a site owner to control what resources are loaded on a web page by the browser, and how those resources may be loaded.

4 min App Security

How to Prevent Cross-Site Scripting (XSS) Attacks

Cross-site scripting (XSS) isn’t new, but its impact and visibility are both growing. Here’s what you need to know to protect your web applications from XSS attacks.

6 min App Security

Should You Use a SAST, DAST, or RASP Application Security Tool?

In this blog, we discuss all things web applications and how to select the right application security solution to keep them safe from attack.

2 min Vulnerability Disclosure

R7-2017-06 | CVE-2017-5241: Biscom SFT XSS (FIXED)

Summary The Workspaces component of Biscom Secure File Transfer (SFT) version 5.1.1015 is vulnerable to stored cross-site scripting in two fields. An attacker would need to have the ability to create a Workspace and entice a victim to visit the malicious page in order to run malicious JavaScript in the context of the victim's browser. Since the victim is necessarily authenticated, this can allow the attacker to perform actions on the Biscom Secure File Transfer instance on the victim's behalf.

4 min Vulnerability Disclosure

R7-2016-24, OpenNMS Stored XSS via SNMP (CVE-2016-6555, CVE-2016-6556)

Stored server cross-site scripting (XSS) vulnerabilities in the web application component of OpenNMS [http://www.opennms.] via the Simple Network Management Protocol (SNMP). Authentication is not required to exploit. Credit This issue was discovered by independent researcher Matthew Kienow [http://twitter.com/hacksforprofit], and reported by Rapid7. Product Impact The following versions were tested and successfully exploited: * OpenNMS version 18.0.0 * OpenNMS version 18.0.1 Open

13 min Vulnerability Disclosure

Multiple Disclosures for Multiple Network Management Systems, Part 2

As you may recall, back in December Rapid7 disclosed six vulnerabilities [/2015/12/16/multiple-disclosures-for-multiple-network-management-systems] that affect four different Network Management System (NMS) products, discovered by Deral Heiland [http://twitter.com/percent_x] of Rapid7 and independent researcher Matthew Kienow [http://twitter.com/hacksforprofit]. In March, Deral followed up with another pair of vulnerabilities [/2016/03/17/r7-2016-02-multiple-vulnerabilities-in-mangeengine-opu

7 min XSS

Cross-site Scripting (XSS) Attacks vs SQL Injection Attacks (SQLi)

A common misunderstanding in the world of Web Application Security is the difference between the consequences of a cross-site scripting [http://yxnbtp.whxykj.net/fundamentals/cross-site-scripting/] vulnerability and the consequences of an SQL injection attack (SQLi) [http://yxnbtp.whxykj.net/fundamentals/sql-injection-attacks/]. We could even step back and say the misunderstanding is on a much broader level; the difference in consequences between a client-side exploitable vulnerability and a ser

4 min Apple

Abusing Safari's webarchive file format

tldr: For now, don't open .webarchive files, and check out the Metasploit module, Apple Safari .webarchive File Format UXSS [http://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/apple_safari_webarchive_uxss.rb] Safari's webarchive format saves all the resources in a web page - images, scripts, stylesheets - into a single file. A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain Universal Cross-Site S