Drupal Core: Behind the Vulnerability

Earlier this year, the Checkmarx Security Research Team conducted an investigation of the new version of Drupal Core (Drupal 9) – a content management system (CMS) written in PHP – uncovering several ...
Meetup.com Vulnerabilities Cause Privilege Escalation and Payment Redirection

Privilege Escalation on Meetup.com Enabled Redirection of Payments

The Checkmarx Security Research Team recently audited the security of several high-profile websites, including Meetup.com. For those who are not familiar with Meetup.com, it allows users to create an event where people ...
It’s Okay, We’re All On the SameSite

With Google’s recent announcement that all cookies without a SameSite flag will be treated as having SameSite=Lax set by default in Chrome version 80, surely Cross-Site Request Forgery will be dead? Well, ...
Missing Content-Type Header

The Importance of the Content-Type Header in HTTP Requests

Dawid Czagan, Founder and CEO at Silesia Security Labs and author of Bug Hunting Millionaire, is listed in HackerOne’s Top 10 Hackers. In a recent article on his website, Czagan disclosed the ...
Navigation Apps: Leading the Way? Or Following You?

In the United States alone, 84% of adults are using navigation applications, according to a recent Gallup poll. Whether they’re downloading it in an app store or the navigation capability is already ...

Three C-Words of Web App Security: Part 2 – CSRF

This is the second in a three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to ...
JSON CSRF with Parameter Padding

JavaScript Object Notation (JSON) is one of the prominent data-exchange formats of contemporary web applications. When a web application implements JSON, Cross-Site Request Forgery (CSRF) payload delivery gets ...

On GIFARs

The Black Hat Briefings 2008 are fast approaching. As I mentioned in my previous post on stealing password hashes I am speaking with Nate McFeters and Rob Carter; you can find the ...