Filippo Valsorda founded Geomys last year as an "organization of professional open source maintainers", providing maintenance and support for critical packages in the Go language ecosystem backed by clients in …| Simon Willison’s Weblog
Recently, I received a bounty for a vulnerability discovered on an e-commerce site allowing the personal information — including the delivery address — of a user to be changed. Let’s talk about it!| zhero_web_security
Web safety matters. XSS is like sneaky bad notes, while CSRF tricks sites as if it's you. Both misuse website trust. We'll explore how they work and how to protect sites, including using CSRF tokens. Learn about online security with us!| Escape DAST - Application Security Blog
When researching for another project this week, I came across a couple of CVEs, with no exploits, for Apache’s Any23 service. As I couldn’t find any exploit code online, I decided to try and write my own. One CVE, CVE-2021-40146, is an RCE vulnerability, with no exploit code online. Follow the link and you’ll see […]| Sharp Security
CSRF and DNS-rebinding to RCE in Selenium Server (Grid)| www.gabriel.urdhr.fr
Cross-origin/same-site request forgery to RCE in chromedriver| www.gabriel.urdhr.fr
Introduction to UPnP| www.gabriel.urdhr.fr
DNS rebinding and CSRF vulnerabilities on Samsung TV DIAL implementation| www.gabriel.urdhr.fr
DNS rebinding vulnerabilities in Freebox| www.gabriel.urdhr.fr
A message I’m very used to seeing – but does XSS have to mean game over for web security? There’s a persistent belief among web security people that cross-site scripting (XSS) is a “gam…| Neil Madden
Over the last 2 years, ASDA have processed over 19+ million transactions on a demonstrably insecure site.| Paul Moore
A brief demonstration of how a default configuration can destroy your privacy & security. Hijacking a VoIP phone with just a browser.| Paul Moore