Browsed by
Category: Security

XSS without Dots, Periods or Full Stops

XSS without Dots, Periods or Full Stops

I had to use it for GoogleCTF’s Wallaby Web 3 Challenge. My solution: Where 3221226219 is the decimal representation of the IP address of the server we used. Inside <script> tags one can use this[‘window’][‘location’] and this[‘document’][‘cookie’] Kris’s solution was to use

Borg Correctly HMACs IV + Ciphertext

Borg Correctly HMACs IV + Ciphertext

https://github.com/borgbackup/borg/blob/a2e356dccf697374bef1dfa487465e3c23f5e624/borg/key.py#L134 [python] data = b”.join((self.enc_cipher.iv[8:], self.enc_cipher.encrypt(data))) hmac = HMAC(self.enc_hmac_key, data, sha256).digest() [/python] ✔ Authenticates IV ✔ Encrypt-then-MAC I had a nice table about why Encrypt-then-MAC is the correct way, but I can’t find it. :(

Workaround for IP Leakage via BBCode IMG tags

Workaround for IP Leakage via BBCode IMG tags

(TorrentFreak)[https://torrentfreak.com/private-tracker-member-data-leaked-via-bbcode-exploit-160313/] writes “One of the BBCodes this site uses is [you]. If you place this in a forum or a private message it will insert the user’s logon name, that is viewing the page. If my username was ‘Randomusername’, and someone sent me a private message saying ‘Hello [you]!’, when I opened it, the BBcode would translate to ‘Hello Randomusername!’” “When you add [you] on the end of an image, you get something like this http://example.com/photo.php?u=[USERNAME_OF_PERSON_VIEWING].jpg.” TL;DR Use of [img]…

Read More Read More