惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
C
Cisco Blogs
The Hacker News
The Hacker News
T
Tor Project blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
The GitHub Blog
The GitHub Blog
A
Arctic Wolf
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
The Register - Security
The Register - Security
云风的 BLOG
云风的 BLOG
Simon Willison's Weblog
Simon Willison's Weblog
P
Palo Alto Networks Blog
Vercel News
Vercel News
C
CERT Recently Published Vulnerability Notes
I
InfoQ
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
M
MIT News - Artificial intelligence
I
Intezer
aimingoo的专栏
aimingoo的专栏
U
Unit 42
C
Cyber Attacks, Cyber Crime and Cyber Security
L
LINUX DO - 热门话题
Microsoft Security Blog
Microsoft Security Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
Cyberwarzone
Cyberwarzone
P
Proofpoint News Feed
P
Proofpoint News Feed
B
Blog
T
Threat Research - Cisco Blogs
博客园 - 叶小钗
Recorded Future
Recorded Future
Last Week in AI
Last Week in AI
N
News and Events Feed by Topic
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Know Your Adversary
Know Your Adversary
Engineering at Meta
Engineering at Meta
G
Google Developers Blog
PCI Perspectives
PCI Perspectives
Google DeepMind News
Google DeepMind News
WordPress大学
WordPress大学
Application and Cybersecurity Blog
Application and Cybersecurity Blog
MyScale Blog
MyScale Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Schneier on Security
Schneier on Security
N
News | PayPal Newsroom
C
Cybersecurity and Infrastructure Security Agency CISA
H
Help Net Security
博客园 - 聂微东
H
Hackread – Cybersecurity News, Data Breaches, AI and More
G
GRAHAM CLULEY

Steve Hanov's Blog

How this Canadian Startup Bought Millions of Impressions for $8,000 How to Run a Fellowship Program Into the Ground (and get 18M impressions in the process) My Waterloo Intern went back to school. I'll miss him dearly but here's how I replaced him with Hermes I learned Mandarin. Here's what it taught me about B2C SaaS. The VC's Waterloo Coffee Tour: Where to Find Canada's Next Unicorn How I run multiple $10K MRR companies on a $20/month tech stack How to Save a Gemini Canvas as Markdown A Ralph Loop for Reading: Beating GPT 5.2 with a 4k Context Window (and 4 GPUs) I built a Chrome extension that lets an LLM “see” tweets Fighting Blog Comment Spam with Qwen3 and Ollama Make a web page screenshot service Automatically remove wordiness from your writing How to detect if an object has been garbage collected in Javascript My favourite Google Cardboard Apps O(n) Delta Compression With a Suffix Array Finding Bieber: On removing duplicates from a set of documents Let's read a Truetype font file from scratch A Quick Measure of Sortedness My thoughts on various programming languages A little VIM hacking
I found Security Vulnerability in your web application
2022-01-28 · via Steve Hanov's Blog
I found Security Vulnerability in your web application. For security purpose can we report vulnerability here,then will i get bounty reward in PayPal or Bitcoin for Security bug ?

Is it just me, or are security consultants swarming web sites, looking for bugs unasked, and emailing you demanding thousands of dollars in bounties for security flaws? If you search the web for the exact email above, you will get hundreds of hits. Whether the cost is to an unsolicited consultant, or due to a data breach, flaws in your product can be pricey. In this page, I'm going to write down some basic things to check in your website to make attacks harder, so at least you're not being shaken down for stupid mistakes.

I have ceased any bounty payments, because the things they generally find are not very likely to happen. I have to make a business decision: Do I want a perfect web application, or can I live with a few possible attacks? I am not Apple. I am not a bank. This is going to sound foolish, but at the end of the day I simply cannot afford to pay out half of my revenue each and every month for these things, because I still have to provide for my family.

Still, here is a list of the things I have learned. I am sure there is a larger list somewhere, but I have not found it.

Don't put sensitive information in URLs

When a user is logged in, what is in the URL at the top of the screen? Is there an identifier in there that should not be shared?

  • If the user pasted any URL on your site, while logged in, to Twitter, could anybody get access to something they should not? Could other users edit this user's files?
  • If a script on your page that you have no control over reads window.location and sends it back to its creator, is this a problem?

When possible, store sensitive identifiers in cookies that cannot be accessed in Javascript. More importantly, always verify on the server that the user has access to the data that he or she is requesting.

Verify any information you include in generated emails

One consultant found a way to send password reset emails from me to any user, and replace the URL in the email with his own. How did he do this? Because I was lazy.

In my code, I had abstracted the password reset emails into a reusable library. The code needed to know which web site it was resetting the password for when it created the email. So I just included it in the POST request. And this resulted in a costly bounty I had to pay.

Rate limit generated emails

On that note, can anyone make you send an unlimited number of emails? Any code that automatically sends an email needs rate limiting.

Prevent password guessing

It's a fact that most people's passwords can be guessed in less than 100 tries. That's why they should use a password manager and create longer and more random passwords.

So one of the first things a consultant will do is figure out your API call to login and run it through their script file of passwords. If they don't get stopped right away, then this will result in a significant bounty.

You need to rate login attempts, in at least two ways. You should of course limit the attempts for a particular login name. But then the consultant will just cycle through different login names. You will need to also limit it based on IP address or other information as well.

Put limits on file uploads

Can you accept an image on your website? Do you resize it on the server? Great, let me dig out my 18 megapixel .png file for you. It's only 1KB so your code will accept it. Without proper checks, it will crash your server.

Protect "secret" web urls

Do you have any secret web urls in your app for checking its status, or performing administration? Maybe you use go, and left in the code for /debug/pprof? All secret urls can be easily guessed using automated tools that just try every word or combination of characters and see if they get a 404 error.

Assuming the consultant can list all the secret urls on your web site, can they do anything bad?

UI Redressing

If you allow your web site to be placed into an IFRAME it opens up a lot of attacks. If the attacker can trick a user into clicking on their url, then they will open up your web site inside their own page, and super-impose their login button over yours, and steal ther user's passwords.

Of course, anyone can do this without the iframe permissions by creating an exact copy of your site. But the point is to make it a little harder for them. Here is some information on IFRAME breaking.