Lucene search

3704 matches found

Prion
added 2013/12/11 3:55 p.m., 18 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header...

CVSS: 4.3, AI score: 6, EPSS: 0.00739
Exploits: 1, References: 16, Affected Software: 16

CVE
added 2013/12/11 3:0 p.m., 128 views

CVE-2013-5612

CVE-2013-5612 is a cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 due to the absence of a charset parameter in the Content-Type header. Connected advisories confirm Firefox/SeaMonkey fixes in 2013–2014 releases (e.g., openSUSE SU-2013:1917, Mirac...

CVSS: 4.3, AI score: 7.7, EPSS: 0.00739
Exploits: 1, References: 16, Affected Software: 2

UbuntuCve
added 2013/12/11 12:0 a.m., 28 views

CVE-2013-5612

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 26.0 and SeaMonkey before 2.23 makes it easier for remote attackers to inject arbitrary web script or HTML by leveraging a Same Origin Policy violation triggered by lack of a charset parameter in a Content-Type HTTP header...

CVSS: 4.3, AI score: 6.9, EPSS: 0.00739
Exploits: 1, References: 3

ThreatPost
added 2013/11/20 3:49 p.m., 8 views

Moving From Do Not Track to Can Not Track

NEW YORK–The movement in the security and privacy communities to push the Do Not Track standard as an answer to the problem of pervasive online tracking by ad companies and other entities has resulted in the major browser vendors including DNT as an option for users, giving them a method for...

AI score: 7.1
Exploits: 0, References: 3

Exploit DB
added 2013/09/30 12:0 a.m., 47 views

mod_accounting Module 0.5 - Blind SQL Injection

Affected Vendor: http://sourceforge.net/projects/mod-acct/files/ - Affected Software: mod_accounting - Affected Version: 0.5. Other earlier versions may be affected. - Issue type: Blind SQL injection - Release Date: 20 Sep 2013 - Discovered by: Eldar "Wireghoul" Marcussen - CVE Identifier:...

CVSS: 7.5, AI score: 6.5, EPSS: 0.00972
Exploits: 7

Kitploit
added 2013/09/24 1:41 a.m., 11 views

[Syhunt Sandcat Browser v4.1] A Penetration-oriented browser (extended to Web Application Assessment)

Sandcat Browser 4 brings unique features that are useful for pen-testers and web developers. Sandcat is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua programming language to provide extensions and scripting support. Features Live HTTP Headers —...

AI score: 7.4
Exploits: 0

OpenVAS
added 2013/09/18 12:0 a.m., 28 views

Debian Security Advisory DSA 2587-1 (libcgi-pm-perl - HTTP header injection)

It was discovered that the CGI module for Perl does not filter LF characters in the Set-Cookie and P3P headers, potentially allowing attackers to inject HTTP headers. OpenVAS Vulnerability Test $Id: deb25871.nasl 6611 2017-07-07 12:07:20Z cfischer $ Auto-generated from advisory DSA 2587-1 using...

CVSS: 5, AI score: 0.1, EPSS: 0.0172
Exploits: 0, References: 1

Prion
added 2013/09/16 7:14 p.m., 23 views

Design/Logic Flaw

clientsiderequest.cc in Squid 3.2.x before 3.2.13 and 3.3.x before 3.3.8 allows remote attackers to cause a denial of service via a crafted port number in a HTTP Host header...

CVSS: 5, AI score: 6.8, EPSS: 0.68916
Exploits: 0, References: 6, Affected Software: 2

Tenable Nessus
added 2013/09/04 12:0 a.m., 46 views

Amazon Linux AMI : httpd (ALAS-2012-46)

It was discovered that the fix for CVE-2011-3368 did not completely address the problem. An attacker could bypass the fix and make a reverse proxy connect to an arbitrary server not directly accessible to the attacker by sending an HTTP version 0.9 request, or by using a specially crafted URI...

CVSS: 5, AI score: 8, EPSS: 0.77975
Exploits: 24, References: 5

Kitploit
added 2013/08/27 3:52 a.m., 16 views

11 Firefox Add-ons to Hack and PenTest

1. Tamper Data Tamper data is a great tool to view and modify HTTP/HTTPS headers and post parameters. We can alter each request going from our machine to destination host with this. Thus it helps in security testing web application by modifying POST parameters. It can be used in performing XS...

AI score: 7.6
Exploits: 0

OSV
added 2013/08/23 4:55 p.m., 7 views

CVE-2013-3372

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks via unspecified vectors...

AI score: 7.9
Exploits: 0, References: 10

Check Point Advisories
added 2013/08/20 12:0 a.m., 0 views

Web Servers Malicious HTTP Header Directory Traversal

There exists a directory traversal vulnerability on different web servers...

AI score: 6.9
Exploits: 0

Check Point Advisories
added 2013/08/20 12:0 a.m., 3 views

Microsoft Windows HTTP.sys Denial of Service (MS13-039) - Improved Performance (CVE-2013-1305)

A denial of service vulnerability has been reported in Windows Server 2012 and Windows 8. The vulnerability is due to an error in the way HTTP.sys handles a malicious HTTP header. Successful exploitation would result in a denial of service condition...

CVSS: 7.8, AI score: 6.1, EPSS: 0.83169
Exploits: 1

NVD
added 2013/08/19 1:7 p.m., 18 views

CVE-2013-2175

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the...

CVSS: 5, AI score: 6.4, EPSS: 0.00076
Exploits: 0, References: 7

Cvelist
added 2013/08/19 12:0 a.m., 16 views

CVE-2013-2175

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the...

AI score: 6.3, EPSS: 0.00076
Exploits: 0, References: 7

Debian CVE
added 2013/08/19 12:0 a.m., 22 views

CVE-2013-2175

HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the...

CVSS: 5, AI score: 6.5, EPSS: 0.00076
Exploits: 0

CVE
added 2013/08/19 12:0 a.m., 86 views

CVE-2013-2175

HAProxy vulnerability CVE-2013-2175 affects HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19. When configured to use hdr_ip or other hdr_* functions with a negative occurrence count, a remote attacker can cause a denial of service due to negative array index usage and a crash, via an HTTP heade...

CVSS: 5, AI score: 6.5, EPSS: 0.00076
Exploits: 0, References: 7, Affected Software: 1

Atlassian
added 2013/08/13 1:36 a.m., 17 views

Convert the SecurityHeadersInterceptor into a filter that applies to /*

NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-30356. The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current...

AI score: 0.7
Exploits: 0, Affected Software: 1

Atlassian
added 2013/08/13 1:36 a.m., 15 views

Convert the SecurityHeadersInterceptor into a filter that applies to /*

NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-30356. The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current...

AI score: 0.7
Exploits: 0, Affected Software: 1

Atlassian
added 2013/08/13 1:36 a.m., 18 views

Convert the SecurityHeadersInterceptor into a filter that applies to /*

The X-XSS-Protection HTTP header should be sent on all responses with a value of "1; mode=block". As the current implementation is done in an interceptor [0], it is possible for some resources to be sent without the X-XSS-Protection header. [0] SecurityHeadersInterceptor is in the default interceptor...

AI score: 1.1
Exploits: 0, Affected Software: 1