iX-Workshop: OWASP Top 10 – Sicherheitsrisiken für Webanwendungen verstehen
Lernen Sie die wichtigsten Sicherheitslücken in Web-Anwendungen kennen und erfahren Sie, wie Sie sich erfolgreich schützen können.
#csrf
[Перевод] Современный подход к предотвращению CSRF/CORF-атак в Go
Команда Go for Devs подготовила перевод статьи о новом подходе к защите Go-приложений от CSRF/CORF-атак. Автор разбирает, как связка TLS 1.3, SameSite cookies и http.CrossOriginProtection из стандартной библиотеки позволяют отказаться от токенов — но только если соблюдены важные условия. Насколько безопасен такой подход? Разбираемся.
iX-Workshop: OWASP Top 10 – Sicherheitsrisiken für Webanwendungen verstehen
Lernen Sie die wichtigsten Sicherheitslücken in Web-Anwendungen kennen und erfahren Sie, wie Sie sich erfolgreich schützen können.
🔥 CVE-2025-13282 (HIGH): Chunghwa Telecom TenderDocTransfer allows unauth'd file deletion via CSRF & path traversal flaws. Block app/API ports, educate users, and back up data! No patch yet. Details: https://radar.offseq.com/threat/cve-2025-13282-cwe-352-cross-site-request-forgery--6b3e8d3f #OffSeq #CSRF #infosec #vuln
⚠️ CVE-2025-13283 (HIGH): Chunghwa Telecom TenderDocTransfer has a CSRF & path traversal vuln—lets unauth attackers copy/paste files via APIs. Phishing = risk of data leaks & DoS. Restrict & monitor now! https://radar.offseq.com/threat/cve-2025-13283-cwe-352-cross-site-request-forgery--0bcb621a #OffSeq #Vuln #CSRF #InfoSec
Mastodon! :aroaceheart: Intentando configurar #linkding con #docker y #nginx como #reverseProxy pero me da errores de #csrf
😩
El lado del mal - HackedGPT: Cómo explotar "Weaknesses" en ChatGPT para hacer Phishing o Exfiltrar Datos https://www.elladodelmal.com/2025/11/hackedgpt-como-explotar-weaknesses-en.html #ChatGPT #GPT #Phishing #PromptInjection #Bing #CSRF #IA #AI #Ciberseguridad #Hacking
Top Advanced XSS Payloads That Still Work in 2025
This article explores advanced Cross-Site Scripting (XSS) payloads that remain effective in 2025 despite modern security defenses. XSS continues to be a persistent vulnerability due to the complexity of modern web frameworks (React, Vue, Angular) that generate dynamic content with intricate JavaScript behavior patterns. The advanced payloads discussed focus on bypass techniques that overcome common defenses like Content Security Policy (CSP) filters and sanitization libraries. These sophisticated attack vectors leverage encoding obfuscation, DOM event manipulation, and framework-specific vulnerabilities to evade traditional filter-based defenses. The exploitation techniques include payload variations that target complex JavaScript execution contexts, utilizing obscure DOM events, and exploiting implementation flaws in client-side security controls. Modern XSS payloads often combine multiple evasion techniques including character encoding manipulation, filter bypass through context switching, and leveraging browser-specific parsing behaviors. The tools and methodologies mentioned focus on advanced testing frameworks that can identify XSS vulnerabilities in complex web applications. The significance of these payloads lies in their continued effectiveness against inadequate input validation and sanitization implementations. The impact ranges from session hijacking and credential theft to complete client-side system compromise. Bug bounty hunters and penetration testers need to understand these advanced techniques as they represent real-world threats that traditional security measures often fail to detect. The article emphasizes that despite framework improvements, XSS remains a critical vulnerability requiring continuous research and adaptation of both attack and defense strategies. #infosec #BugBounty #Cybersecurity #XSS #WebSecurity #Payload #Exploit #CSRF
https://medium.com/@xmxa-tech/top-advanced-xss-payloads-that-still-work-in-2025-58f11191df8f?source=rss------bug_bounty-5
iX-Workshop: OWASP Top 10 – Sicherheitsrisiken für Webanwendungen verstehen
Lernen Sie die wichtigsten Sicherheitslücken in Web-Anwendungen kennen und erfahren Sie, wie Sie sich erfolgreich schützen können.
Unser praxisnahes Intensivtraining „Hacking Extrem Web-Applikationen“ vermittelt Dir, wie echte Angreifer denken und wie Du Dich wirksam vor ihnen schützen kannst.
Was Dich erwartet:
✅ Realistische Angriffe auf Webanwendungen und Backends
✅ Vollständige Abdeckung der OWASP Top Ten
✅ Hands-on-Labs mit echten Tools und Exploits
✅ Durchführung durch erfahrene Experten für Applikationssicherheit
Themen:
✅ Informationsgewinnung
✅ Angriffe auf Web- und Applikationsserver, auf die Übertragung, Anwendung und das Backend
✅ Behandelte Systeme sind Unix- oder Windows-basierte Webserver, Datenbanken, Application Server, etc.
Für alle, die Applikationssicherheit nicht nur verstehen, sondern erleben möchten.
Melde Dich jetzt an und sichere Dir Deinen Platz:
👉 https://cirosec.de/trainings/hacking-extrem-web-applikationen/
#Webanwendungen #Backends #OWASPTopTen #HandsOnLabs #Applikationssicherheit #Informationsgewinnung #Webserver #TLS #Sessions #SQLInjection #XSS #CSRF #SSRF #CommandInjection #Logikfehler #DateiUploads #XMLInjection #Schwachstellen
El lado del mal - ChatGPT Atlas: Client-Side Attack CSRF para Contaminar la Memoria con un Prompt Injection que te hackea tu Windows con Vibe Coding https://www.elladodelmal.com/2025/10/chatgpt-atlas-client-side-attack-csrf.html #ChatGPT #Atlas #CSRF #AI #IA #PromptInjection #VibeCoding #Hacking #Exploit #InteligenciaArtificial #Bug
🛡️ CVE-2025-12479 (CRITICAL, CVSS 10): Azure Access BLU-IC2/IC4 (≤1.19.5) lack CSRF tokens, allowing full remote compromise—no patch yet. Apply WAFs, enforce header checks, and restrict access. https://radar.offseq.com/threat/cve-2025-12479-cwe-352-cross-site-request-forgery--adbd5512 #OffSeq #Vuln #CSRF #AzureSecurity
📰 ChatGPT Flaw Allows 'Memory Poisoning' via CSRF Attack
New ChatGPT exploit allows attackers to poison the AI's persistent memory via a CSRF flaw. This 'memory tainting' can lead to account takeover and code execution. 🤖🧠 #ChatGPT #AI #Vulnerability #CSRF
Microsoft corrige falha ‘mais grave de sempre’ no ASP.NET Core que permite roubo de credenciais
🔗 https://tugatech.com.pt/t73134-microsoft-corrige-falha-mais-grave-de-sempre-no-asp-net-core-que-permite-roubo-de-credenciais
#ASPNET #ciberataque #computador #CSRF #cve #grave #http #microsoft #segurança #servidor #vulnerabilidade #vulnerabilidades #web #windows
🛡️ HIGH severity alert: CVE-2025-9890 in mndpsingh287 Theme Editor (WordPress, all versions ≤3.0) allows RCE via CSRF if admins click malicious links. Restrict admin access, use WAFs, and monitor for patches. https://radar.offseq.com/threat/cve-2025-9890-cwe-352-cross-site-request-forgery-c-55937c52 #OffSeq #WordPress #CSRF #Vuln
A modern approach to preventing CSRF in Go - A modern approach to preventing CSRF in Go
Alex Edwards writes about the new http.C... - https://simonwillison.net/2025/Oct/15/csrf-in-go/#atom-everything #browsers #security #csrf #go
🌗 Go 語言防禦 CSRF 攻擊的現代化方法
➤ 善用 Go 標準函式庫,實現更簡潔安全的 CSRF 防護
✤ https://www.alexedwards.net/blog/preventing-csrf-in-go
本文探討 Go 語言中防禦跨站請求偽造 (CSRF) 攻擊的新方法,主要聚焦於 Go 1.25 標準函式庫新增的 `http.CrossOriginProtection` 中介軟體。作者解釋此中介軟體如何利用 `Sec-Fetch-Site` 和 `Origin` HTTP 標頭來判斷請求來源,進而自動阻擋非同源的危險請求。文章深入分析此機制的運作原理、潛在限制,以及如何透過強化 HTTPS 和 TLS 1.3 設定來提升防護效果,同時建議可輔以 SameSite Cookie 作為縱深防禦策略。
+ 這個 `http.CrossOriginProtection` 聽起來很實用!終於不用再額外引入第三方套件了,大大簡化了開發流程。
+ 感謝作者詳細的分析,尤其是關於舊版瀏覽器和 TLS 1.3
#Go #Web 開發 #安全性 #CSRF #HTTP #瀏覽器
🚀 Ah yes, the 2025 revelation! Turns out you can prevent #CSRF in #Go by... drumroll... using the built-in middleware! 🎉 Who knew that reading the #documentation could save time and effort? 🤔📚
https://www.alexedwards.net/blog/preventing-csrf-in-go #Middleware #TechTips #HackerNews #ngated
iX-Workshop: OWASP Top 10 – Sicherheitsrisiken für Webanwendungen verstehen
Lernen Sie die wichtigsten Sicherheitslücken in Web-Anwendungen kennen und erfahren Sie, wie Sie sich erfolgreich schützen können.
Client Info
Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst