Report URI

A 6-post collection

Begging for Bounties and More Info Stealer Logs

TL;DR — Tens of millions of credentials obtained from info stealer logs populated by malware were posted to Telegram channels last month and used to shake down companies for bug bounties under the misrepresentation the data originated from their service. How many attempted scams do you get each day? I woke up to yet another "redeem your points" SMS this morning, I'll probably receive a phone call from "my bank" today (edit: I was close, it was "Amazon Prime" 🤷‍♂️) and don't even get me started...

I Now Own the Coinhive Domain. Here's How I'm Fighting Cryptojacking and Doing Good Things with Content Security Policies.

If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you're on this page because you're interested in reading about the illicit use of cryptomining on compromised websites and how through fortuitous circumstances, I now own coinhive.com and am doing something useful with it, read on. You know how people don't like ads? Yeah, me either (...

Add-ons, Extensions and CSP Violations: Playing Nice with Content Security Policies

You know what I really like? A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned [https://haveibeenpwned.com/] (HIBP). You know what I really don't like? Logging on to Report URI [https://report-uri.com/] and being greeted with something like this: This blog post is about how add-ons and extensions in browsers cause CSP violations like the ones above and how they should be dealt with. Some brief background first as I'll be sharing this...

My Blog Now Has a Content Security Policy - Here's How I've Done It

I've long been a proponent of Content Security Policies (CSPs). I've used them to fix mixed content warnings on this blog after Disqus made a little mistake [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/], you'll see one adorning Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and I even wrote a dedicated Pluralsight course on browser security headers [https://pluralsight.pxf.io/c/1196446/424552/7490?u=https%3A%2F%2Fwww.pluralsight.com%2Fcourses%2Fbrowser...

Locking Down Your Website Scripts with CSP, Hashes, Nonces and Report URI

I run a workshop titled Hack Yourself First [https://www.troyhunt.com/workshops/] in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS. In that module, we cover reflected XSS which relies on the premise of untrusted dat...

I'm Joining Report URI!

What if I told you... that you can get visitors to your site to automatically check for a bunch of security issues. And then, when any are found, those visitors will let you know about it automatically. And the best bit is that you can set this up in a few minutes and add it to your site with zero risk. Or if you like, set it up so that it can automatically block certain types of attacks. It's not an expensive appliance, it's not a wacky browser extension and it's not some weird proprietary cod...