
Koto

@kkotowicz.bsky.social

Security ninja wannabe / board game geek / photon catcher

1,537 Followers  |  429 Following  |  18 Posts  |  Joined: 16.11.2024  |  2.0507

Latest posts by kkotowicz.bsky.social on Bluesky

Just when you think CVEs cannot get more ridiculous... 🤣

25.01.2025 19:35 — 👍 3    🔁 1    💬 0    📌 0

Interesting. I wonder what's the motivation for projects to opt-in to this, and how many did already. Sounds like it would incur prohibitive costs on the company and the bug hunter (explaining technical security bugs to lawyers is orders of magnitude more involved than to security engineers).

23.01.2025 10:36 — 👍 0    🔁 0    💬 1    📌 0

I wake up in the morning.
I sit at my computer.
The internet screams at me that the world is on fire.
I am overwhelmed by the deluge of bad news and faceplant in front of the computer.

I would like this comic I drew in 2017 to stop being relevant pleeeaaaaase

14.01.2025 17:21 — 👍 31095    🔁 6504    💬 66    📌 304
Is Telegram really an encrypted messaging app? This blog is reserved for more serious things, and ordinarily I wouldn't spend time on questions like the above. But much as I'd like to spend my time writing about exciting topics, som…

Telegram: not an encrypted messaging app ;) blog.cryptographyengineering.com/2024/08/25/t...

07.01.2025 17:41 — 👍 6    🔁 7    💬 2    📌 0

Want to support security researchers from Dragon Sector in covering legal costs piling up after they went public with logic bombs in train firmware?
IBAN for donations is available here:
www.ccc.de/en/updates/2...

Talks for context
media.ccc.de/v/37c3-12142...
streaming.media.ccc.de/38c3/relive/...

28.12.2024 09:29 — 👍 36    🔁 18    💬 0    📌 1

Do I hear CSP? :)

10.12.2024 09:20 — 👍 0    🔁 0    💬 1    📌 0
Chesterton's Fence: A Lesson in Thinking. A core component of making great decisions is understanding previous decisions. If we don't understand how we got "here," we run the risk of making things much worse.

TIL about Chesterton's Fence fs.blog/chestertons-... - it puts a nice label to an intuition that I find very useful to apply in practice, from refactoring code through process engineering. Understand first why the mess exists, in that form, before attempting to clean it up and revolutionize.

10.12.2024 08:45 — 👍 3    🔁 1    💬 1    📌 0

To this day I think my demise will be through some npm shenanigans. And it's fair, I deserve it. It should Javascript->RCE.

04.12.2024 20:50 — 👍 3    🔁 0    💬 0    📌 0
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!) The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...

I don't often post about my work, but bughunters.google.com/blog/6355265... is actually a super cool thing my team is doing. These short-term red teams focused on just stealing our passwords were always amazing at highlighting how severely broken complex systems are. The internal writeups are so, so fun!

04.12.2024 19:00 — 👍 18    🔁 9    💬 0    📌 1
transliterate.js Translate any JavaScript code to foreign writing systems. Created by Martin Kleppe aka @aemkei.

Pro tip for if you have XSS but you can only use upper case:

aem1k.com/transliterat...

transliterate.js by @aemkei.bsky.social works great!

04.12.2024 10:06 — 👍 21    🔁 6    💬 0    📌 0

There's no such thing as a "9.2" or "9.8" vulnerability. There's more science in Pitchfork's 0.0-10.0 album rating scale than in CVSS. I am completely serious. Pitchfork reviewers actually put their reviews in context with previous reviews by the artist. That's how bad CVSS is: worse than Pitchfork.

27.11.2024 00:57 — 👍 46    🔁 10    💬 4    📌 1
Modern solutions against cross-site attacks

Modern solutions against cross-site attacks (frederikbraun.de/modern-solut...): An article about cross-site leak attacks and browser-based defenses. You will also learn why web security best practices are always opt-in, and finally how YOU can get increased security controls.

27.11.2024 07:50 — 👍 34    🔁 19    💬 0    📌 1
research!rsc: Running the "Reflections on Trusting Trust" Compiler

Not sure how I missed that, but we now actually have Ken Thompson's C compiler backdoor code from the classic "Reflections on Trusting Trust". An excellent writeup by @swtch.com - research.swtch.com/nih.

27.11.2024 09:17 — 👍 9    🔁 3    💬 0    📌 0

Interesting choice! Most, myself included, prefer Blindsight. Both are really good though, still waiting for the grand finale that will likely never come :)

25.11.2024 19:10 — 👍 3    🔁 0    💬 1    📌 0

Custom lists are super cool! I enjoy reading social posts, but want to make sure I never miss a quality writeup or technique. To achieve this, I'm building a 'high signal web security' list of topic-focused accounts, which you can pin next to 'Following' if you want :)
bsky.app/profile/jame...

25.11.2024 13:09 — 👍 57    🔁 16    💬 2    📌 0

For posterity - nope, it does not :/

21.11.2024 22:54 — 👍 0    🔁 0    💬 0    📌 0

a photo of a building at break of dawn, high contrast, with bright windows.

1..2..3 testing testing. Does BlueSky support UltraHDR images?

21.11.2024 22:53 — 👍 2    🔁 0    💬 1    📌 0
CVEs of SSH A talk about recent high-profile issues related to the SSH ecosystem.

We're doing a cool online talk tomorrow btw – hexarcana.ch/workshops/cv...

20.11.2024 19:11 — 👍 21    🔁 8    💬 2    📌 0

You totally should rename it to Cevisshe :)

21.11.2024 08:09 — 👍 1    🔁 0    💬 0    📌 0

@webappsec.dev has go.bsky.app/Uf8dZhz, it's a good one.

21.11.2024 06:25 — 👍 3    🔁 1    💬 1    📌 0

This hit close to home.

20.11.2024 04:29 — 👍 3    🔁 1    💬 0    📌 0
Exploring the DOMPurify library: Bypasses and Fixes. Tags: Article, Web, mXSS

Read this! Beautiful blog post, and so much to learn from it

mizu.re/post/explori...

15.11.2024 17:30 — 👍 19    🔁 8    💬 0    📌 0

Maybe, but that metric is not likely even correlated to 'most commonly exploited'.

18.11.2024 13:44 — 👍 0    🔁 0    💬 0    📌 0

Time to make some smart introductory websec post here, no? I guess all I have is:

Hello world, good bye XSS?

17.11.2024 12:38 — 👍 6    🔁 0    💬 0    📌 0

not yet, no.

17.11.2024 12:15 — 👍 1    🔁 0    💬 1    📌 0

bsky.app/profile/kkot... ? Half of who I follow are web security personas, you'll recognize most of them :)

17.11.2024 11:10 — 👍 2    🔁 0    💬 1    📌 0

I'm in the process of creating a *web security* starter pack and need your help finding more webbies here. Please share and recommend folks passionate about web security in comments below so we can get this community started here 🙂
go.bsky.app/Uf8dZhz

17.11.2024 10:12 — 👍 56    🔁 25    💬 16    📌 0

Photos from a stroll through Atarazanas Food Market in #malaga - it turned out to be an extremely vibrant, colorful, lively place.

#photography

17.11.2024 10:45 — 👍 5    🔁 0    💬 0    📌 0

If you're into web security take a look at my LocoMocoSec keynote slides from this summer about "Google's Recipe for Scaling (Web) Security": speakerdeck.com/lweichselbau...

16.11.2024 22:29 — 👍 21    🔁 8    💬 1    📌 0