How does a tiny repo cause git to run out of memory? The secret is that git de-duplicates “blobs” (which are used to store files) to make repositories smaller and allow using the same blob when a file remains unchanged between commits. Git also allows de-duplication of “tree” objects (which define the directory structure in a repository).
git-bomb
tries to make a billion files, however it only has 10 references to the file blob and only has 10 tree objects in all.
- Input injection
- Parsing XML
- Assert statements
- Timing attacks
- A polluted site-packages or import path
- Temporary files
- Using yaml.load
- Pickles
- Using the system Python runtime and not patching it
- Not patching your dependencies
We are left with A1, A4, A5 and A9 as somewhat relevant and a dozen of other attack vectors common app faces with no single mention.
A very plausible scenario of credentials sniffer injected through npm dependency chain.
I loved the "I’d see it in your source on GitHub!" section : so scary and true.
Journalists watch out—you may be unintentionally revealing sources.
Unlike previous text fingerprinting techniques, zero-width characters are not removed when formatting is removed from text
- HTTP/2
- TLS 1.3
- DOH: DNS over HTTP
- QUIC: a candidate replacement for the TCP protocol
since Google has already deployed QUIC in the Chrome browser and on its sites, it already accounts for more than 7% of Internet traffic.
Also mention this creepy & fascinating attack : http://codebutler.com/firesheep
Canary tokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)
Embeddable in :
- fake URLs ending in .html, .js, .php...
- emails to detect if you are spied on
- files in the cloud
- as file watchs do detect spies on filesystems
- desktop.ini for Windows directories or zip files
- MSSQL & MYSQL
- Word / PDF documents
- a JS resource is used elsewhere
few realize how absolutely devastating and omnipresent this vulnerability can be
Pour vous donner un exemple de la vulnérabilité des outils comme la messagerie Outlook, en 2016, l’Annudef’ (l’annuaire du ministère de la Défense) a été téléchargé deux fois et on ne sait toujours pas par qui.
😲😱😩
- XML internal entities
- Billion laughs attack / quadratic blowup
- XML external entity (XXE)
Or how I obtained direct publish access to 14% of npm packages (including popular ones)
"Here you have a trivially simple method of injecting legit-looking messages into text conversations with anyone, providing you know how your target stores the spoofee sender in their contacts. In the UK, that’s largely the difference between starting with 07, and +447.
The utterly exquisite reality is that, if your target then replies, that reply goes to the real sender, who is overwhelmingly likely to reply something like “what the hell are you on about?”, this being the first they’ve heard of this shady business. Does that look like backtracking or denial? I ain’t no Member of Parliament, but it sure sounds like it to me."
afl = american fuzzy lop
cf. http://lcamtuf.coredump.cx/afl/
"Luckily, afl-fuzz can leverage lightweight assembly-level instrumentation to its advantage - and within a millisecond or so, it notices that although setting the first byte to 0xff does not change the externally observable output, it triggers a slightly different internal code path in the tested app."
On peut facilement se créer l'équivalent d'un token d'authentification avec son smartphone. Il existe des applications respectant un protocole standardisé pour cela: OTP (One Time Password). L'intérêt de l'OTP est que vous n'avez pas besoin de connexion entre votre client OTP (votre smartphone) et le serveur. Ils peuvent générer et contrôler la validité des OTP de manière déconnectée. Ce système peut donc fonctionner même si vous n'avez pas de réseau GSM à portée.
Ce protocole permet de créer un code qui ne sera utilisable qu'une seule fois. Nous allons juste ajouter un champ de saisie dans le formulaire de login. Vous allez voir, ce n'est vraiment pas compliqué.
...password reset feature readily disclosing whether an email address already existed on the site...
Frankly, it's an exception when a site doesn't leak data through one of these enumeration risks in the password reset, registration and login features.
TL;DR : do not use autocomplete