The End of CoinHive and the Rise of Cryptojacking
CoinHive is a service that was created in September 2017. It allows users to mine Monero cryptocurrency using JavaScript. CoinHive has remarkably changed the income models of content developers over the course of its 18 month-long adventure. However, due in large part to the drop in hash rate (over 50%) ... Read More
Sound Hijacking – Abusing Missing XFO
A Clickjacking attack works by loading a malicious website inside a low-opacity iframe and overlaying it with an innocuous looking button, checkbox or link. This tricks the user into interacting with the vulnerable website beneath. The user is then forced to click the apparently safe UI element, triggering a set ... Read More
Brave Browser Sacrifices Security
Brave is a new, free an open-source web browser with a built-in adblocker. It was developed by a team led by Brendan Eich, inventor of JavaScript and a former Mozilla Foundation employee. The Brave browser uses the motto, ‘You are not a product’. It focuses on improving the privacy and ... Read More
Phishing by Open Graph Protocol
The Open Graph Protocol (OGP) was introduced by Facebook approximately eight years ago to give users a way to have control over the appearance of links on social media platforms. Whenever you click the Share button on Facebook, or other social media platforms, you interact with OGP technology that makes ... Read More
Remote Hardware Takeover via Vulnerable Admin Software
Increased digitization means that web browsers are integral to our daily lives. For example, I’m writing this article on a cloud-based word processing application, whereas a few years ago, I may only have had the option of using an executable desktop application. This growing capability means that the web will ... Read More
Cross Site Cookie Manipulation
For years, we’ve been told to keep the values of sensitive session cookies unpredictable and complex in order to prevent attacks such as session enumeration. And, it made sense. If the session ID is complex, long and cryptographically secure, it's almost impossible for an attacker to guess it. However, from ... Read More
Acquiring Data with CSS Selectors and Javascript on Time Based Attacks
jQuery is a JavaScript library that was released in August 2006 with the motto: 'write less, do more'. jQuery simplifies the process of writing code in JavaScript by making the element selectors, event chaining and handling easier. It’s safe to say that since the release of jQuery, a large number ... Read More
Two Interesting Session-Related Vulnerabilities
Sessions are an essential part of most modern web applications. This is why session-related vulnerabilities often have a sizable impact on the overall security of a web application. They frequently allow the impersonation of other users and can have other dangerous side effects. What Are Session Variables? For those not ... Read More
Clickjacking Attack on Facebook: How a Tiny Attribute Can Save the Corporation
The clickjacking attack introduced in 2002 is a UI Redressing attack in which a web page loads another webpage in a low opacity iframe, and cause changes of state when the user unknowingly clicks on the buttons of the webpage. In this article, we explain how the Clickjacking attack works ... Read More
The Importance of the Content-Type Header in HTTP Requests
Dawid Czagan, Founder and CEO at Silesia Security Labs and author of Bug Hunting Millionaire, is listed in HackerOne’s Top 10 Hackers. In a recent article on his website, Czagan disclosed the details of a vulnerability combining both Cross-site Request Forgery (CSRF) and Remote Code Execution (RCE) on routers, that ... Read More
