Cyber Security Informer

My Blog Now Has a Content Security Policy - Here's How I've Done It

Troy Hunt

FEBRUARY 1, 2018

I'm a fan (which is why I also recently joined Report URI ), and if you're running a website, you should be too. However, you can add a CSP via meta tag and indeed that's what I originally did with the upgrade-insecure-requests implementation I mentioned earlier when I fixed the Disqus issue.

CVE-2022-30190 (Follina) vulnerability in MSDT: description and counteraction

SecureList

JUNE 6, 2022

At the end of May, researchers from the nao_sec team reported a new zero-day vulnerability in Microsoft Support Diagnostic Tool (MSDT) that can be exploited using Microsoft Office documents. The data used to describe the link is placed in the tag with attributes Type=”[link] Target=”http_malicious_link!”

Data breaches

Data breaches Ransomware

A flaw in Microsoft OAuth authentication could lead Azure account takeover

Security Affairs

DECEMBER 3, 2019

An attacker could embed an iframe tag into a website with the “src” attribute set to the crafted link, then trick the victim into visiting it. Below the vulnerability timeline: 29/10/19 – The vulnerability found 30/10/19 – Vulnerability reported to Microsoft 31/10/19 – Report was closed by Microsoft – ?!? “While OAuth 2.0

Authentication

Authentication Accountability Social Engineering Advertising

New Pluralsight Course: Modern Web Security Patterns

Troy Hunt

APRIL 19, 2018

Me: Ok, but be conscious that means they can never change those scripts without you first modifying the integrity attribute on your script tags and you need time to push that out so as not to break the site. Let me paraphrase: Bank: We're thinking of using SRI to protect malicious modification of scripts we load in from a partner.

Banking

Banking DNS

Mmm. Pi-hole.

Troy Hunt

SEPTEMBER 26, 2018

No HTML tags. 2,663 requests (one of which was to Report URI , thank you very much!) Somewhere in the middle is a responsible approach, for example the sponsorship banner you see at the top of this blog. Companies I choose to partner with get to appear there and they get themselves 140 characters and a link. That is all.

DNS

DNS Risk

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

Troy Hunt

NOVEMBER 14, 2018

A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned (HIBP). Logging on to Report URI and being greeted with something like this: This blog post is about how add-ons and extensions in browsers cause CSP violations like the ones above and how they should be dealt with.

Media

Media Accountability Technology

Popping Blisters for research: An overview of past payloads and exploring recent developments

Fox IT

NOVEMBER 1, 2023

Furthermore, there has been a shift in payload type from Cobalt Strike to Mythic agents, matching with previous reporting. Matching with public reporting, we have also seen it as a follow-up in SocGholish infections. Discussing payloads Looking at the dropped payloads, we see that it mostly conforms with what has already been reported.

Computers and Electronics

Computers and Electronics Encryption DNS Ransomware

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Troy Hunt

NOVEMBER 14, 2017

That's pretty much XSS 101 - just get an alert box to fire - and reflecting a script tag is one of the most fundamental techniques attackers use to run their script on your website. My involvement has really ramped up in recent times though, especially with my announcement a couple of weeks ago about joining Report URI.

Hacking

Hacking Risk

Report URI Just Won the Best Emerging Technology Award!

Troy Hunt

JUNE 8, 2018

SCAwards2018 pic.twitter.com/Gv7hhzT9T2 — Report URI (@reporturi) June 5, 2018. Today, we're supporting hundreds of millions of reports every single day - many billions a month - and increasingly seeing some pretty big names send their CSP, HPKP, XSS, Expect-CT and Expect-Staple reports to us.

Technology

Technology Marketing

It's End of Life for ASafaWeb

Troy Hunt

NOVEMBER 5, 2018

In fact, over its entire lifespan Google Analytics reports only 227k people visiting the service. I'm also going to offer them a discount for Report URI (the project I run with Scott Helme) and point them to his Security Headers project. That's a traffic volume I've done in an hour on HIBP before!

Technology

Technology Architecture Marketing Internet

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

Troy Hunt

FEBRUARY 11, 2018

This tag was in the source code over at secure.donaldjtrump.com/donate-homepage yet it was pulling script directly off Igor Escobar's GitHub repository for the project. Let's compare the two scripts I've just mentioned, those being Report URI JS and Browsealoud. We will never modify Report URI JS 1.0.1

Government

Government Risk Software Technology

Cyber Security Informer

My Blog Now Has a Content Security Policy - Here's How I've Done It

CVE-2022-30190 (Follina) vulnerability in MSDT: description and counteraction

Trending Sources

A flaw in Microsoft OAuth authentication could lead Azure account takeover

New Pluralsight Course: Modern Web Security Patterns

Mmm. Pi-hole.

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

Popping Blisters for research: An overview of past payloads and exploring recent developments

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

Report URI Just Won the Best Emerging Technology Award!

It's End of Life for ASafaWeb

The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries

Stay Connected