[FD] Request For Comment: Possible Flaw of Bypassing CAPTCHA in AWS Login?

2016-04-26 Thread David Leo
The process of AWS login has a feature: if you use "fresh" browser (no cookie, no cache, etc.) to sign in, put correct email and correct password there, CAPTCHA is required ("To better protect your account, please re-enter your password and then enter the characters as they are shown in the image b

[FD] Lock Browser 5.3 (Browser Security, Open Source, Python)

2016-04-20 Thread David Leo
SUMMARY This open source tool strictly controls what web browser can access, which stops web browser from loading harmful content - Phishing, Non-Secure HTTP, or whatever that's not in your whitelist. SITUATION "Security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successf

[FD] HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

2016-03-23 Thread David Leo
To secure browser which is very fragile, the approach of HTTPS Only 3.1 is exceptionally simple: 1. Only HTTPS URLs (no other protocols) 2. Whitelist of domains (anything outside of whitelist is blocked) Now, let's look at threats: 1. Man in the middle - it's fixed. 2. Phishing always requires the

[FD] Browser Security Tool: HTTPS Only 2.1 (Major Release, Open Source, Python)

2016-03-03 Thread David Leo
When we browse the web, top threats are: 1. Remote code execution - everything is lost 2. Man in the middle - sniffing, and tampering 3. Phishing - simple, old, and still quite useful 4. Cross site scripting - data of the vulnerable domain is lost 5. CSRF - unauthorized action So, what if the brow

[FD] Browser Security Tool: HTTPS Only (Why, How, Open Source, Python)

2016-02-16 Thread David Leo
(@moderators The original post was too brief. This one has details.) Summary This tool completely locks browser - just HTTPS, nothing else. This tool is extremely simple - less than 100 lines of code (Python and JavaScript). Why Firefox Add-on Firesheep Brings Hacking to the Masses http://www.pc

[FD] Open source tool for applying Google Chrome security updates

2015-08-12 Thread David Leo
The Problem If you are a network administrator, keeping browser updated is the first thing to do for security. Chrome is a very good browser, but it's a little bit complicated to answer this simple question: what is the version of the latest stable Chrome? And for people in places such as China

[FD] Google Chrome Address Spoofing - Google's Opinion

2015-07-07 Thread David Leo
It's public now: https://code.google.com/p/chromium/issues/detail?id=497588 Interesting Points: They did reproduce "I can reproduce this locally" They say it's DoS "seems like any renderer denial-of-service" (The browser does not crash!) They say it's not security issue "remove security flags

Re: [FD] Google Chrome Address Spoofing (Request For Comment)

2015-07-01 Thread David Leo
fake page. But, anyone can do "BBB Accredited Business" "PayPal Partner" etc. Kind Regards, PS We love clever tricks. We love this: http://dieyu.org/ On 2015/6/30 7:08, David Leo wrote: Impact: The "click to verify" thing is completely broken... Anyone can be "

[FD] Google Chrome Address Spoofing (Request For Comment)

2015-06-30 Thread David Leo
Impact: The "click to verify" thing is completely broken... Anyone can be "BBB Accredited Business" etc. You can make whitehouse.gov display "We love Islamic State" :-) Note: No user interaction on the fake page. Code: * index.html function next() { w.location.replace('

Re: [FD] Safari Address Spoofing (How We Got It)

c http://www.deusen.co.uk/items/bestsec/ We like it. We read it. On 2015/5/31 23:09, Michal Zalewski wrote: Well... http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html On Thu, May 28, 2015 at 10:47 PM, David Leo wrote: Proof of concept: http://www.deusen.co.uk/items/iw

[FD] Safari Address Spoofing (How We Got It)

Proof of concept: http://www.deusen.co.uk/items/iwhere.9500182225526788/ It works on fully patched versions of iOS and OS X. How it works: Just keep trying to load the web page of target domain. How We Got It: Safari changes address bar to new URL, BEFORE new content is loaded. BestSec http://ww

Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

are scripts. Thanks, Peter Peter Barkley | Senior Security Intelligence Analyst | Security Operations Centre | Royal Bank of Canada -Original Message- From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of Zaakiy Siddiqui Sent: 2015, February, 04 6:46 P

[FD] Very Important Info About "Major Internet Explorer Vulnerability - NOT Patched"

1. "Spartan - vulnerable (Windows 10)" http://www.deusen.co.uk/items/insider3show.3362009741042107/SpartanWin10_screenshot.png Thanks to Zaakiy Siddiqui! 2. http://www.dailymail.co.uk/robots.txt";); ?> Many asked for it. 3. It's Universal XSS, as we tested: Not only dailymail.co.uk - also Yahoo

Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

ny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is). It looks like, through this method, all viable XSS tactics are open! Nice find! Has this been reported t

Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

ing HTML instead of JavaScript, that is). It looks like, through this method, all viable XSS tactics are open! Nice find! Has this been reported to Microsoft outside (or within) this thread? -- Joey Fowler Senior Security Engineer, Tumblr On Sat, Jan 31, 2015 at 9:18 AM, David Leo mailto:david@

[FD] Major Internet Explorer Vulnerability - NOT Patched

Deusen just published code and description here: http://www.deusen.co.uk/items/insider3show.3362009741042107/ which demonstrates the serious security issue. Summary An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by external domain. How To Use 1. Close