And my history is now all about that organization when I just want to debug a buffer overflow.

Talking to you, AddressSanitizer (ASan)

tw: A$ 

Obviously they sure know that's not true - but A$ just doesn't do things right.

tw: A$ 

the name of "Autism Speaks" itself is kinda offensive; I can't stop thinking of it as "Autism Patients Cannot Speak So We Made Them Speak".

CVE-2021-29954 is an example of "SaaS vulnerabilities that get CVE". If the customer has to do something, it's a CVE.

"Firefox for Android" only - maybe it's intent-related?

(Context: Scratch Desktop was renamed to "Scratch" or Scratch app in early October 2020, just before the RCE vulnerability was reported.)

Schools here are lending laptops to their students, with some basic software like Microsoft Teams and Scratch Desktop. Yes, "Scratch Desktop".

I hope students do not open unknown project files. Guess I should wait a decade before publishing CVE-2020-7750 POCs to ExploitDB.

Hmm, CVE-2021-29944 was also discovered by the same person. 29944 is prevented by CSP (so I hope that UXSS is not abusing CSP-bypass?)

88.0.1 fixing UXSS reported by Wladimir Palant, who is known for reporting several UXSS issues to other browser extension users. "Android only" is kinda sus.

Imagine that your CVE entry gets rejected because the description is too specific and GitHub deletes the file in CVEProject/cvelist repo.

And now everyone becomes Microsoft. My vulnerability is "Scratch SVG Renderer Cross-site Scripting Vulnerability". No one can mention that it is a critical RCE issue, and is triggered by opening sb2 files.

GitHub is going to require repositories that include Proof-of-Concept of vulnerabilities to have file.

It still doesn't require other big repositories to have

That file is used by researchers to notify them of a vulnerability. Not by the police, to charge members of red team.

This week in (21w17a):
- Mojang made "entities destroyed" S2C packet singular.
- New setters that have validations. Yes, in any program, reachable assertions are fixed by removing the assertion, not by fixing the root cause.

is the one that is hard to triage using classical CVSS. It's basically a backdoor that only certain people can use. For those people it's a 7.5, but for those who aren't, it's not exploitable.

Perhaps AC and PR both set to High could explain the issue; CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Are there any labor unions for those who can't work/are unemployed?

apple502j boosted

i think my isp blocks port 80 but not 443 lmao

apple502j boosted

it is time (tomorrow) to see the gendery doctors for gendery things!

Very long post on XSS 

- CWE-434 for ability to upload HTML file
- CWE-830 for ability to load unknown JS file from URL
- CWE-427 for dependency confusion, 404 URL hijacking, etc
- CWE-444 for HTTP request smuggling
- and more!

Very long post on XSS 

analyzers and researchers: Don't map all XSSs to CWE-79. CWE-79 should only be used when escaping is forgotten on raw HTML:

- CWE-74/CWE-77 for template injection, as traditional methods won't apply to those
- CWE-113 for header injection
- CWE-94 for general JavaScript injection, use CWE-95 for eval() misuse
- CWE-436 for sanitizer bypass (ones that don't interpret how they should.)
- CWE-182 for mXSS (i.e. sanitizer makes safe input dangerous)
- CWE-653 for missing contextIsolation in Electron app
- CWE-358 for browser CSP bypass
- CWE-357 for missing selfXSS protection
- CWE-346, or more specifically CWE-940 (onmessage) or CWE-941 (postMessage) for XSS based on these
- CWE-494 for script tag w/o integrity check
- CWE-300 for script loaded via HTTP
- CWE-470 for constructor.constructor sandbox escape
- CWE-1321 (my CWE!) for prototype pollution
- CWE-843 for querystring array confusion
