Security News

Tackling cross-site request forgery (CSRF) on company websites
2021-03-23 06:00

The action of adding a page was vulnerable to CSRF. My pen test attack not only created a new page, but also stole administrative credentials from the site, using some unorthodox HTML. Now, the start of any CSRF attack is always the payload. The first thing to note here is that when an iframe loads, it sends a GET request to whatever is specified in the 'src' parameter. How would an attacker get the payload to fill the whole page? Well, as we demonstrated in our test, we can interact with the height and width properties of iframes using JavaScript.

Chrome 84 Brings 38 Security Patches, Resumes CSRF Protection Rollout
2020-07-15 15:11

Chrome 84 was released in the stable channel this week with a total of 38 patches, but also with additional security improvements, including the rollout of a previously announced SameSite cookie change. The release of Chrome 84 resumes the gradual rollout of the protection.

Google Rolls Back Recently Introduced Chrome CSRF Protection
2020-04-06 12:17

Google last week announced that it has started rolling back a cross-site request forgery protection introduced in early February with the release of Chrome 80 in the stable channel. Initially announced in May 2019, the protection involves Chrome enforcing a new secure-by-default cookie classification system, in which cookies that haven't declared a SameSite value are treated as SameSite=Lax cookies.

Mozilla Adding New CSRF Protection to Firefox
2018-04-27 08:27

Mozilla announced this week that the upcoming Firefox 60 will introduce support for the same-site cookie attribute in an effort to protect users against cross-site request forgery (CSRF) attacks.

WordPress Fixes CSRF, XSS Bugs, Announces Bug Bounty Program (Threatpost)
2017-05-18 18:17

WordPress fixed six vulnerabilities with version 4.7.5 and announced a bug bounty program with HackerOne this week.

Siemens RUGGEDCOM NMS Equipment Vulnerable to CSRF, XSS (Threatpost)
2017-02-28 21:59

Siemens' RUGGEDCOM NMS product line suffers from vulnerabilities that could allow an attacker to perform administrative actions.

WordPress 4.7.1 Fixes CSRF, XSS, PHPMailer Vulnerabilities (Threatpost)
2017-01-12 17:38

A new WordPress update, pushed this week, resolves eight security issues, including a handful of XSS and CSRF bugs.

Obihai Patches Memory Corruption, DoS, CSRF Vulnerabilities in IP Phones (Threatpost)
2016-08-22 19:58

Obihai Technology recently patched a slew of issues in its ObiPhone IP phone products that could have led to memory corruption, a buffer overflow, and denial of service conditions, among other outcomes.

PayPal Fixes CSRF Vulnerability in PayPal.me (Threatpost)
2016-07-22 17:33

PayPal recently fixed a vulnerability on its PayPal.me site that could've let an attacker change a user's profile without their permission.