Jump to content

Search the Community

Showing results for tags 'concerns'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 2 results

  1. Lenovo has teamed up with Microsoft and McAfee to remove the Superfish adware from its machines, following concerns about security. Lenovo announced the partnerships in a public statement, promising that the tools will let users automatically block and remove the insecure, self-signing certificates used by Superfish. "We are working with McAfee and Microsoft to have the Superfish software and certificate quarantined or removed using their industry-leading tools and technologies," the firm said. "These actions have already started and will automatically fix the vulnerability even for users who are not currently aware of the problem." The Microsoft removal tool will be integrated into Windows Defender version 1.193.444.0. The tools are the latest step in Lenovo's bid to allay customer concerns that the firm put personal data at risk. The problem erupted on the Lenovo forum earlier in February when several customers reported finding Superfish installed on their machines. Superfish is adware that collects data such as web traffic information using fake, self-signed root certificates and then uses it to push advertisements to the user. Lenovo claims that the adware is installed on only a limited number of machines and does not affect its business-focused Thinkpad line. "We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience," read the statement. "While this issue in no way impacts our ThinkPads, any tablets, desktops or smartphones, or any enterprise server or storage device, we recognise that all Lenovo customers need to be informed." Lenovo apologised for causing concern, but argued that the company never knowingly compromised its customers' privacy. "We apologise for causing these concerns among our users. We are learning from this experience and will use it to improve what we do and how we do it in the future," read the statement. "Superfish technology is purely based on contextual/image and not behavioural. It does not profile or monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted." Lenovo is one of many firms dealing with privacy and security concerns. Researchers at FireEye reported on 20 February that Apple had ignored a dangerous flaw in the iOS operating system, codenamed Masque Attack II. Source
  2. Table of Contents Abstract.........................................................................................................................................................1 1. Introduction..........................................................................................................................................2 1.1 Form Validation in HTML 4 ...........................................................................................................2 1.2 Form Validation in HTML5 ............................................................................................................3 2. HTML5 Security Concerns.....................................................................................................................4 2.1 Web Storage Attacks.....................................................................................................................4 3.1 Session Storage .............................................................................................................................5 3.2 Local Storage.................................................................................................................................5 3.3 localStorage API ............................................................................................................................6 3.3.1 Adding an Item..................................................................................................................6 3.3.2 Retrieving Items................................................................................................................6 3.3.3 Removing an Item .............................................................................................................6 3.3.4 Removing All Items............................................................................................................6 3.4 Session Storage API.......................................................................................................................7 3.4.1 Adding An Item..................................................................................................................7 3.4.2 Retrieving An Item.............................................................................................................7 3.4.3 Removing An Item.............................................................................................................7 3.4.4 Removing All Items............................................................................................................7 3.5 Security Concerns with Web Storage in HTML5 ...........................................................................7 3.6 Stealing Local Storage Data via XSS ..............................................................................................8 3.7 Stored DOM Based XSS Attacks....................................................................................................9 3.8 Example of a DOM Based XSS .....................................................................................................10 4. WebSockets Attacks ...........................................................................................................................11 4.1 Security Concerns of WebSockets Attacks..................................................................................11 4.1.1 Denial of Service Issues...................................................................................................11 4.1.2 Denial of Service on the Client Side ................................................................................11 4.1.3 Denial of Service on the Server Side ...............................................................................12 4.1.4 Data Confidentiality Issues..............................................................................................12 4.1.5 Cross-Site Scripting Issues in WebSocket........................................................................13 4.1.6 WebSocket Cross-Site Scripting Proof of Concept..........................................................13 4.1.7 Proof of Concept of WebSocket XSS ...............................................................................14 4.1.8 Origin Header..................................................................................................................15 5. XSS with HTML5 Vectors.....................................................................................................................16 5.1 Case 1 – Tags Blocked .................................................................................................................16 5.2 Case 2 - Attribute Context...........................................................................................................16 5.2.1 Example...........................................................................................................................16 5.3 Case 3 – Formaction attribute ....................................................................................................18 6. Cross Origin Resource Sharing (CORS)................................................................................................19 6.1 What is an Origin?.......................................................................................................................19 6.2 Crossdomain.xml.........................................................................................................................19 6.3 What is CORS?.............................................................................................................................20 6.3.1 Example...........................................................................................................................20 6.3.2 Security Issue...................................................................................................................20 6.3.3 Example...........................................................................................................................20 6.3.4 Example...........................................................................................................................20 6.3.5 Proof of Concept .............................................................................................................22 7. GeoLocation API..................................................................................................................................23 7.1 Introduction ................................................................................................................................23 7.2 Security Concerns........................................................................................................................23 7.2.1 Example...........................................................................................................................23 7.2.2 Proof of Concept .............................................................................................................24 7.2.3 Chrome............................................................................................................................24 7.2.4 Firefox..............................................................................................................................24 8. Client Side RFI Includes.......................................................................................................................26 8.1 Vulnerability Example .................................................................................................................26 8.2 Example.......................................................................................................................................27 8.3 Request .......................................................................................................................................28 8.4 Safer Example .............................................................................................................................28 8.5 Open Redirects............................................................................................................................29 8.5.1 Example...........................................................................................................................29 9. Cross Window Messaging...................................................................................................................30 9.1 Sender’s Window........................................................................................................................30Copyright© 2014 RHA InfoSEC. All rights reserved. Page iv 9.2 Receiver’s Window......................................................................................................................30 9.3 Security Concerns........................................................................................................................31 9.3.1 Origin not being checked ................................................................................................31 9.3.2 Impact .............................................................................................................................31 9.3.3 DOM Based XSS...............................................................................................................31 9.3.4 Vulnerable Code..............................................................................................................32 10. Sandboxed Iframes.............................................................................................................................33 10.1 Security Concerns........................................................................................................................33 11. Offline Applications ............................................................................................................................34 11.1 Example.......................................................................................................................................34 11.2 Security Concerns........................................................................................................................35 12. WebSQL ..............................................................................................................................................37 12.1 Security Concerns........................................................................................................................37 12.2 SQL Injection ...............................................................................................................................37 12.3 Insecure Statement.....................................................................................................................37 12.4 Secure Statement........................................................................................................................38 12.5 Cross Site Scripting......................................................................................................................39 12.5.1 Example...........................................................................................................................40 13. Scalable Vector Graphics....................................................................................................................41 14. Webworkers........................................................................................................................................44 14.1 Creating a Webworker................................................................................................................44 14.1.1 Sending/Receiving a Message to/from Webworker.......................................................44 14.2 Cross Site Scripting Vulnerability ................................................................................................46 14.2.1 Example...........................................................................................................................46 14.3 Distributed Denial of Service Attacks..........................................................................................47 14.4 Distributed Password Cracking ...................................................................................................50 15. Stealing Personal Data Stored With Autocomplete Function ............................................................52 15.1 Example: Autocomplete Attribute in Action...............................................................................52 16. Scanning Private IP Addresses............................................................................................................54 16.1 WebRTC.......................................................................................................................................54 17. Security Headers to Enhance Security with HTML5 ...........................................................................56 17.1 X- XSS-Protection ........................................................................................................................56 17.2 X-Frame-Options.........................................................................................................................56 17.3 Strict-Transport-Security.............................................................................................................57 17.3.1 Example...........................................................................................................................58 17.4 X-Content-Type-Options.............................................................................................................58 17.4.1 Example...........................................................................................................................58 17.4.2 Example...........................................................................................................................59 17.5 Content-Security-Policy ..............................................................................................................59 17.5.1 Sample CSP......................................................................................................................60 Acknowledgements.....................................................................................................................................61 References ..................................................................................................................................................62 Read more: http://dl.packetstormsecurity.net/papers/attack/HTML5AttackVectors_RafayBaloch_UPDATED.pdf
×
×
  • Create New...