MajesticHobo2
Joined 156 karma

  1. It’s a phase 1 clinical trial designed only to assess safety and determine the appropriate dosage. Future trials will focus on efficacy.
  2. Wouldn't platforms see the supposed XSS payloads in their logs and publish analyses of them, or at the very least, announce that they happened?
  3. I'm sure they can store far more than 20 TB now, but it is true that the content pool is much larger. I would guess it's not a favorable ratio.
  4. Thanks for making this! I've been looking for something like this for a while.
  5.
         xxd IMGP0847.DNG | grep 03e400:
         0003e400: ffd8 ffc3 000e 0e10 800c 5002 0011 0001  ..........P.....

     Look at the byte at offset 11 (0xb), it's there.
  6. Yes:

      dd status=none if=IMGP0847.DNG bs=1 skip=0x3e40b count=1 | xxd
      00000000: 02
  7. You need to click the link that says "RAW (33.0MB)". The filename should be "IMGP0847.DNG".
  8. I AirDropped the PoC to my vulnerable iPhone. It didn't cause a crash until I tried to edit it in the Photos app.
  9. That's exactly why I don't agree that GETs should be broadly exempted from CSRF protections. I'm not talking about CORS at all.
  10. The problem boils down to the lack of equivalence between a site and an origin. The article explains how https://app.example.com and https://marketing.example.com may sit at very different trust levels, but are considered the same site by the browser. You don't want https://marketing.example.com to be able to make requests to https://app.example.com with your authentication cookies, but SameSite wouldn't prevent that.
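The site-versus-origin distinction above, as an added illustration that is not part of the original comment: `origin()` follows the browser's (scheme, host, port) tuple, while `site()` uses scheme plus the registrable domain (eTLD+1). The Public Suffix List is replaced here by a tiny constructed set, which is an assumption for the demo only.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (real browsers consult the full list).
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """Browser origin: scheme, host and effective port must all match."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def registrable_domain(host: str) -> str:
    """Return eTLD+1: the longest public suffix plus one more label."""
    labels = host.lower().split(".")
    for i in range(len(labels)):            # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return host                              # unknown TLD: treat whole host as the site


def site(url: str):
    """Schemeful site, the unit SameSite cookies are scoped to."""
    p = urlsplit(url)
    return (p.scheme, registrable_domain(p.hostname or ""))


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


def same_site(a: str, b: str) -> bool:
    return site(a) == site(b)


if __name__ == "__main__":
    app, marketing = "https://app.example.com", "https://marketing.example.com"
    # Different origins (so CORS applies), but the same site (so SameSite cookies flow).
    print(same_origin(app, marketing), same_site(app, marketing))
```

Hosts under a public suffix such as github.io come out as different sites, which is why user-content platforms rely on that list to keep tenants' cookies apart.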
  11. Not sure I agree with this part:

    > Allow all GET, HEAD, or OPTIONS requests.

    > These are safe methods, and are assumed not to change state at various layers of the stack already.

    Plenty of apps violate this assumption and do allow GET requests to alter state.

  12. XFF handling is the bug that keeps on giving. I'd estimate I've seen incorrect parsing of it in at least half of the web applications I've audited professionally.

    The funniest is when the app renders user IP addresses somewhere and you can get XSS through it.
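The X-Forwarded-For mistake described above, shown as an added example that is not part of the original comment: `naive_client_ip()` is the common bug (trusting the left-most, client-supplied value, which is also what ends up rendered unescaped), and `client_ip()` is the safer form that walks from the TCP peer leftwards past trusted proxies and validates the result. The trusted-proxy ranges and sample header values are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: the reverse proxies that may legitimately append to XFF.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("203.0.113.10/32")]


def naive_client_ip(xff_header: str) -> str:
    """The bug: the first entry is whatever the client chose to send."""
    return xff_header.split(",")[0].strip()


def client_ip(xff_header: str, remote_addr: str) -> str:
    """Return the first hop, from the right, that is not one of our proxies.

    remote_addr (the TCP peer) is appended as the right-most hop; every
    trusted proxy to its left was appended by the proxy before it, so the
    first untrusted hop is the address the last proxy actually saw.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] + [remote_addr]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)           # rejects markup, names, junk
        except ValueError:
            return remote_addr               # never propagate an unparseable value
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)                 # canonical text, safe to log or render
    return remote_addr                       # every hop was one of our proxies


if __name__ == "__main__":
    header = "<script>alert(1)</script>, 198.51.100.7"   # constructed request
    print(naive_client_ip(header))      # the markup would reach the template
    print(client_ip(header, "10.0.0.5"))  # 198.51.100.7
```

Because the returned value is always re-serialised from a parsed address, the "XSS via the IP column" case cannot occur even if the template forgets to escape.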

  13. You can use FTP and SVN.
  14. There doesn't need to be any kind of "polyglot payload". Local network services and devices that accept only simple HTTP requests are extremely common. The request will go through and alter state, etc.; you just won't be able to read the response from the browser.
  15. Right, but now the vector for privilege escalation will have to be a logic bug in memory-safe sudo instead of either a memory corruption (see CVE-2021-3156) or a logic bug. It’s hard not to see this as a major improvement.
  16. Can you point me to some documentation or proof of concept for this? Would definitely like to change my workflow if this is the case.
  17. Related/funny: three years ago, someone found exactly such a bug because it was exploited against a Minecraft server they were running in screen (probably without the perpetrator understanding the root cause): https://lists.gnu.org/archive/html/screen-devel/2021-02/msg0...
  18. > Is the syntactically correct dummy value the same each time? If so, how does that lead to new coverage?

    Per my understanding, the dummy value is constant but is only used once (to create the first valid TLV). Everything after that is a mutation of the original value that, due to the custom mutator logic, is a valid TLV. The mutations are where new coverage comes from.

    > In any case, why bother with this "if invalid replace with dummy" step? Why not generate/mutate a valid TLV value from the start?

    I'm guessing to handle both when there are seed files that are already valid (which you'll want to use instead of a dummy value), and when there aren't any valid seed files.

  19. Since a WireGuard peer only responds to cryptographically authenticated packets and UDP is connectionless — you don't get confirmation at the transport layer by way of a handshake or anything — WireGuard ports are invisible to you unless you own a private key whose corresponding public key is already approved by the peer.
  20. They also hire firms for regular security assessments (I did one of them) and publish the reports: https://support.1password.com/security-assessments/
  21. > Signal is very proud that once a long time ago the state came to them asking for user data and signal could only tell them they had no data to provide.

    Have you looked at https://signal.org/bigbrother/ recently? There are five instances of this, one as recent as November 2021.

  22. Do you not stay logged in to HN?
  23. Phishing is still an issue that could be prevented with security keys. That said, I don't see most HN accounts being very interesting to phishers.
  24. You can listen to tapes from his teenage years in the late 50s, where he's singing in almost that exact early 70s croon. But his voice throughout most of the 60s was very different and, for the most part, intentionally so.
  25. You're trusting the client whether or not it can talk on the network. A malicious update that starts generating predictable passwords for websites doesn't need a network connection.
  26. This is true of any password manager.
  27. In addition to that, "Cultural Marxism" doesn't just refer to Marxism. It's an antisemitic canard used pretty much exclusively by the far right.
  28. Services hosted outside the US offer less protection against US intelligence agencies, not more.

This user hasn’t submitted anything.
