Vickie Li

Building A Subdomain Takeover Monitor

In a previous article, we talked about the different types of subdomain takeovers and how hackers can use them to attack SSO systems. The impact of a subdomain takeover can vary. At the very least, subdomain takeovers enable attackers to launch sophisticated phishing campaigns. In some cases, this can lead to Cross-Site Scripting (XSS) attacks or malicious redirects. And, when a site uses shared-session SSO, this could even lead to session theft and account takeovers! Unfortunately, subdomain...

Vickie Li

Password Spraying Attacks and How to Prevent Them

Have you heard of password brute-force attacks? A brute-force attack is when attackers try to compromise an account by guessing its password. Let’s say an attacker is trying to compromise the account of the user “john” by brute-forcing the account password. The attacker will first generate a password list to use. They can either use a dictionary of common passwords found online, or a list of likely passwords generated based on knowledge of the user. Then, the attacker uses a script to rapidly...
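The detection side of the distinction this post builds toward, as an added example that is not part of the article: a short Python script run over a few constructed authentication log lines that separates a classic brute force (many failures against one account from one source) from password spraying (one source trying one or two passwords against many accounts, which stays under per-account lockout thresholds). The log format, the thresholds, the usernames and the IP addresses are all assumptions made for the example.

```python
"""Separate brute-force from password-spraying patterns in login logs (added example)."""
from collections import defaultdict

# Constructed sample log, not from any real system. Format: "timestamp source_ip user result".
SAMPLE_LOG = """\
2020-09-01T10:00:01 203.0.113.5 john FAIL
2020-09-01T10:00:02 203.0.113.5 john FAIL
2020-09-01T10:00:03 203.0.113.5 john FAIL
2020-09-01T10:00:04 203.0.113.5 john FAIL
2020-09-01T10:00:05 203.0.113.5 john FAIL
2020-09-01T10:00:06 203.0.113.5 john FAIL
2020-09-01T10:00:07 203.0.113.5 john OK
2020-09-01T10:05:00 198.51.100.9 alice FAIL
2020-09-01T10:05:01 198.51.100.9 bob FAIL
2020-09-01T10:05:02 198.51.100.9 carol FAIL
2020-09-01T10:05:03 198.51.100.9 dave FAIL
2020-09-01T10:05:04 198.51.100.9 erin FAIL
2020-09-01T10:05:05 198.51.100.9 frank OK
2020-09-01T10:09:00 192.0.2.44 alice FAIL
2020-09-01T10:09:05 192.0.2.44 alice OK
"""


def parse_log(text):
    """Turn the raw lines into dicts; 'ok' is True for a successful login."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def brute_force_targets(events, max_failures=5):
    """Classic brute force: one (source, account) pair racks up many failures.
    Per-account lockout catches this pattern."""
    failures = defaultdict(int)
    for e in events:
        if not e["ok"]:
            failures[(e["ip"], e["user"])] += 1
    return {pair: n for pair, n in failures.items() if n > max_failures}


def spraying_sources(events, min_users=4, max_per_user=2):
    """Spraying: one source fails against many distinct accounts, only a few times
    each, so no single account ever reaches the lockout threshold. The signal is
    therefore per-source breadth, not per-account depth."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            per_ip[e["ip"]][e["user"]] += 1
    hits = {}
    for ip, users in per_ip.items():
        if len(users) >= min_users and max(users.values()) <= max_per_user:
            hits[ip] = sorted(users)
    return hits


def compromised_after_attack(events, suspect_ips):
    """Accounts that later logged in successfully from a flagged source: the ones
    whose password the attacker actually guessed."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in suspect_ips})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    brute = brute_force_targets(evts)
    spray = spraying_sources(evts)
    print("brute force:", brute)
    print("spraying:", spray)
    flagged = {ip for ip, _ in brute} | set(spray)
    print("accounts to reset:", compromised_after_attack(evts, flagged))
```

The point of the two separate detectors is that a spraying source never trips a per-account counter; you only see it when you pivot the same failures by source address and count distinct accounts.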

Vickie Li

Tightening Up Your GitHub Security

GitHub reconnaissance is a tactic attackers use to gather information about their targets. Attackers analyze an organization’s GitHub repositories and look for sensitive data or information that was accidentally committed, which can lead to the discovery of a vulnerability. Today, we'll take a look at how attackers research your GitHub repositories. By looking at these recon techniques, you can find out what is revealed through your GitHub repositories and what you can do to...
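One concrete form of the "accidentally committed sensitive data" check, as an added example that is not from the article: a small Python scanner run over constructed lines shaped like `git log -p` output. It combines fixed-format rules (an AWS access key ID, a GitHub personal access token, a PEM private-key header) with a generic rule for suspiciously named assignments, gated on the Shannon entropy of the value so that placeholders such as `xxxx...` are not reported. The sample lines, rule set and threshold are assumptions for the example; the `AKIA...`/`wJalr...` values are the example credentials from AWS's own documentation, not live keys.

```python
"""Scan diff-style text for committed secrets (added example)."""
import math
import re
from collections import Counter

# Constructed sample, shaped like `git log -p` output. Line numbers start at 1.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+aws_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+DB_HOST=db.internal.example.com
+-----BEGIN RSA PRIVATE KEY-----
+ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
+API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"
+log_level = "debug"
"""

# Credentials with a fixed, recognisable format: a regex alone is enough.
PATTERN_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Free-form secrets: a suspicious variable name assigned a long string. On its own this
# is noisy (placeholders, defaults), so the value must also look random; see the entropy gate.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|passw(?:or)?d|token|api[_-]?key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+_\-=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; "xxxxxxxx" scores 0, real keys sit above 4


def shannon_entropy(s):
    """Shannon entropy of the characters of s, in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Return (line_number, rule_name) for every line that looks like a leaked secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERN_RULES:
            if rx.search(line):
                findings.append((lineno, name))
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high-entropy-secret"))
    return findings


if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE_DIFF):
        print(f"line {lineno}: {rule}")
```

Run this over the full history (`git log -p --all`) rather than the current tree: a secret that was committed and then deleted is still in every clone, which is exactly where an attacker doing GitHub recon looks first.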

Gaurav Kohli and Matt Raible

SQL Injection in Java: Practices to Avoid

SQL injection is one of the most common types of vulnerabilities found in web applications. Today, I'm going to explain what SQL injection attacks are and walk you through the process of exploiting a simple Spring Boot-based application. After we've exploited this simple Java app, we'll then learn how to fix the problem. Sound fun? Let's do it! Prerequisites: before starting, make sure you have the following tools installed: Java 8, HTTPie (a simple command line HTTP client), ...
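The two sides the article walks through, exploitation and then the fix, as an added example that is not taken from the article: the post works in Java and Spring Boot, whereas this is a stand-alone Python rendering against an in-memory SQLite table, so the table, rows and payloads are constructed for the example. The defect and the remedy are the same ones: building the query text by string concatenation versus binding the value as a parameter (the JDBC equivalent is a `?` placeholder in a `PreparedStatement`).

```python
"""Vulnerable vs. parameterised lookup, exercised with injection payloads (added example)."""
import sqlite3


def setup_db():
    """Constructed sample table: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's string becomes part of the SQL grammar."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Fixed: the SQL text is constant and the value is bound as a parameter, so the
    database treats it as data no matter what characters it contains."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two classic payloads: a tautology that matches every row, and a UNION that reads
# the schema out of SQLite's catalog table. Both are constructed for this example.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_LEAK = "' UNION SELECT name, sql FROM sqlite_master --"


if __name__ == "__main__":
    db = setup_db()
    print("normal:", find_user_vulnerable(db, "alice"))
    print("vulnerable, tautology:", find_user_vulnerable(db, TAUTOLOGY))
    print("vulnerable, schema leak:", find_user_vulnerable(db, SCHEMA_LEAK))
    print("safe, tautology:", find_user_safe(db, TAUTOLOGY))
    print("safe, schema leak:", find_user_safe(db, SCHEMA_LEAK))
```

Note that the fix is not escaping or filtering quotes; it is refusing to let user input reach the parser as SQL at all. The same payloads are harmless against `find_user_safe` because the driver sends the query shape and the value separately.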

Seth Rosenblatt

Why Bitsquatting Attacks Are Here to Stay

Typos have a long history, by turns serious and silly, going back to the dawn of the printed page. But thanks to the peculiarities of computer technology and the ingenuity of hackers, correctly typing website locations into your browser is no guarantee that they will show you the site you intended to view. When machines make typos even with correct human input, the errors can lead to an unusual form of cyber attack known as bitsquatting. The younger sibling of typosquatting, bitsquatting is...
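What "a machine making a typo" looks like in practice, as an added example that is not from the article: a single flipped bit in one byte of a domain name in memory turns, say, `example.com` into `axample.com`, and the request then goes to whoever registered that name. The Python below enumerates every such one-bit neighbour of a domain that is still a valid hostname, which is the list a defender would register or watch. It assumes an ASCII name whose part after the last dot is a plain TLD; the input domain is a constructed example.

```python
"""Enumerate bitsquat candidates: names one bit flip away from a domain (added example)."""
import string

# Characters allowed in a DNS hostname label (letters, digits, hyphen). Names are
# compared case-insensitively, so only lowercase is kept: a flip that merely changes
# case ('a' 0x61 -> 'A' 0x41, bit 5) still resolves to the same domain and is no squat.
VALID_LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def single_bit_flips(ch):
    """All characters reachable from `ch` by flipping exactly one of its 8 bits."""
    return [chr(ord(ch) ^ (1 << bit)) for bit in range(8)]


def bitsquat_candidates(domain):
    """Valid hostnames one bit away from `domain`. Only the label before the last dot
    is mutated; the suffix is kept fixed (assumed here to be a plain TLD)."""
    label, dot, suffix = domain.lower().rpartition(".")
    candidates = set()
    for i, ch in enumerate(label):
        for flipped in single_bit_flips(ch):
            if flipped not in VALID_LABEL_CHARS:
                continue  # control chars, punctuation, uppercase, bytes >= 0x80
            mutated = label[:i] + flipped + label[i + 1:]
            if mutated.startswith("-") or mutated.endswith("-"):
                continue  # a label may not begin or end with a hyphen
            candidates.add(mutated + dot + suffix)
    return sorted(candidates)


def differs_by_one_bit(a, b):
    """True when two equal-length names differ in exactly one bit of one character.
    Used to confirm that every candidate really is a single-bit error."""
    if len(a) != len(b):
        return False
    diffs = [ord(x) ^ ord(y) for x, y in zip(a, b) if x != y]
    return len(diffs) == 1 and diffs[0] & (diffs[0] - 1) == 0


if __name__ == "__main__":
    for name in bitsquat_candidates("example.com"):
        print(name)
```

Most of the 33 neighbours of `example.com` are legitimately registrable, which is why the problem does not go away: the only complete fix would be for every memory path a name passes through to be error-corrected, and the list above is the cheap alternative of owning or monitoring the neighbours yourself. Checking which candidates are already registered needs DNS or WHOIS lookups, which this offline example does not perform.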

Seth Rosenblatt

The State of Election Security

Clichéd as the concept of a perfect storm is, it also feels more apt than ever to describe this year’s American election—and that’s only taking into consideration the cybersecurity challenges voters face. Since 2016, cybersecurity and election experts have been sounding an ever-louder clarion call that aggressive steps need to be taken to ensure that computerized voting machines in the U.S. are secure enough to properly enroll registered voters, record their votes, and accurately count them, as...

The Grugq

kPop Fans: Non-Traditional, Non-State Actors

The nature of a strategic cyber force is far richer and more varied than is traditionally acknowledged. Earlier this year, Korean pop (“kPop”) music fans came to wider attention when they actively engaged with online political discussions around Black Lives Matter. This is not the first time they have been a well organised online force, but as far as we know, this is the first time they’ve taken part in a broader popular movement. kPop fans have a years-long history of political...

Sherrod DeGrippo

A Quick Look at the 2020 Threat Landscape

There’s no doubt 2020 has already been a turbulent year: COVID-19, civil unrest, contentious elections, widespread economic instability, and major natural disasters like wildfires and hurricanes across the US are just a few of the major events making headlines. While digital threats often echo real-world events, perhaps none has had a greater impact on the threat landscape this year than COVID-19. As municipalities adopted social distancing measures and many workers shifted to remote work,...

Marc Rogers

Looking Back on Disclosure

With our second Disclosure conference in the bag, I wanted to take a look back at how things changed and what some of the key takeaways were. This year, like every other conference, we were forced to shift gears into a virtual format. This meant a lot of unknowns for us. For example, how do you preserve social interaction when everyone is isolated and scattered? How do you ensure that everyone gets an authentic conference experience instead of feeling like they are watching a TV program?...

Okta

Get Ready for Disclosure: What You Need to Know

Time flies and Disclosure is just a few days away (September 2 from 9:00am–6:00pm PDT)! Everyone involved is looking forward to experiencing this event together and, to make sure it is a safe environment for all participants, please take a quick look at the code of conduct. Content will be available on-demand after it debuts, but Q&A with the speaker and chat with fellow viewers will not be available when viewing on-demand. If you’ve already registered, it’s time to log in and get...