I’ve seen lot of social engineering / phishing campaigns that try to trick you to go some unsavory places, but rarely do they look convincing. So lets see how can we trick people into clicking on that link. https://[email protected] Now if you click the above link using Firefox browser – you will get a notification…
Have you ever wondered why a website you visit can’t access your cookies or session data from other sites you have open, like Facebook or Instagram? That’s thanks to the Same-Origin Policy. This policy restricts how one website can interact with resources from another website in your browser, ensuring your data remains secure and private.…
Content Security Policy (CSP) is one powerful setting that helps to defend your website. It particularly defends your site from vulnerabilities such as Cross-Site Scripting (XSS) and data injection attacks. It works by defining which sources of content are allowed to be loaded and executed on your web pages. How CSP Works CSP is implemented…
Rarely talked about, this is an interesting vulnerability. In 2012, GitHub faced a significant Mass Assignment vulnerability. An attacker discovered that GitHub’s enterprise system allowed users to set arbitrary parameters, including the admin flag, during account creation. The attacker exploited this by including the admin parameter in the account registration request, granting themselves administrative privileges.…
HTTP Request Smuggling occurs when an attacker exploits inconsistencies in how different web servers handle multiple HTTP requests sent in a single packet. This can lead to various types of attacks, including: HTTP Request Smuggling typically exploits the difference in interpretation of Content-Length and Transfer-Encoding headers between two servers. By carefully crafting HTTP requests, attackers…
When it comes to attacking web servers without any initial access, there are more ways than one may think of. Lets start from the most common and go from there: 1. Web Application Vulnerabilities Issues within the application itself can be exploited remotely to possibly gain control or access backend systems. Vulnerabilities such as SQL…
We are going to delve deeper uncovering the hidden patterns in passwords. First of all, we need password datasets / breached lists of once hacked passwords. For our part 2 we will analyze the common password collections from known breaches that can be found in ‘seclists’ libraries. For the purpose of this article I wrote…
In the digital age, passwords serve as the gatekeepers to our virtual lives, safeguarding everything from personal correspondence to financial information. This article provides a detailed exploration of password patterns, incorporating extensive statistics, examples, and insights to paint a full picture of current trends and their implications for security. This is the part 1 of…
One of the most important skills hacker can have is the ability to read code. Exploit code, specifically. Understand it and have the ability to tinker with it. One great resource for such endeavors is www.exploit-db.com. Go there, try to read their code. You don’t have to understand every single bit and byte of it,…
Welcome to the second part of Python for penetration testing. Today, we embark on a noble quest: to check if the digital gates (ports, for the uninitiated) of our fortresses (servers, in tech-speak) are up or inviting trouble. Gathering Your Tools Before our adventure begins, ensure your satchel is equipped with Selenium and python-docx, potent…
