The postMessage API is an alternative to JSONP, XHR with CORS headers and other methods enabling sending data between origins. It was introduced with HTML5 and like many other cross-document features it can be a source of client-side vulnerabilities.

When it comes to Amazon Web Services (AWS), both S3 and CloudFront lack domain validation. If a domain has a DNS entry pointing to either S3 or CloudFront but the domain is not actually claimed in S3 or CloudFront, it’s possible for anyone to claim the domain and serve their own content on the domain using these two AWS services. We will explain another problem with the lack of domain verification, combining trailing dot domains, conflict checks and how SSL common name matching works today.

Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.

HTTP Public Key Pinning (HPKP) is very powerful if configured correctly. It has the ability to protect against the most sophisticated targeted attacks that seriously threaten the security on the Internet, for all of us. But, with great security comes great responsibility. If HPKP is deployed into a production environment without being thoroughly tested and designed, the website may be inaccessible for all the previous visited clients. The fear of incorrectly deploying an HPKP-policy could scare the security-responsible into not using the security mechanism at all. So is it worth it? Should you use HPKP?

Reverse engineering has been used by the military, big companies and many more. It is the act of taking something (computer, device, weapon, software) and “stripping” it to learn or analyze its inner working in detail. Compaq, one of IBM’s major competitors, did this in the early 1980s, using the reverse engineering process to dissect the IBM PC and build their own product. In this blog post, we list 7 tools for reverse engineering on the Microsoft Windows platform that have influenced the reversing community the most.

TL;DR: Exploit-mitigation techniques such as Address Space Layout Randomization, in conjunction with Data Execution Prevention, make executing traditional shellcode a non-trivial challenge. A common way to bypass aforementioned protections is to use Return-Oriented Programming, which reuses small pieces of code that end in a return instruction commonly referred to as a gadget. This article covers the thoughts and concepts in regards to solving this challenge.

Developers are leaking access tokens for Slack widely on GitHub, in public repositories, support tickets and public gists. They are extremely easy to find due to their structure. It is clear that the knowledge about what these tokens can be used for with malicious intent is not on top of people’s minds…yet. The Detectify team shows the impact, with examples, and explains how this could be prevented.

Detectify’s knowledge advisor Frans Rosén wrote a blog post for the Bugcrowd Blog about using a Braun Shaver to Bypass XSS Audit and WAF.