9582 matches found

Code423n4 · added 2021/10/06 12:00 a.m. · 6 views

Missing events/timelocks for owner/admin only functions that change critical parameters

Handle: defsec. Vulnerability details, Impact: Owner/admin-only functions that change critical parameters should emit events and have timelocks. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes, with timelocks that allow users to evaluate them...

AI score: 7.2 · Exploits: 0
Kitploit · added 2021/09/20 8:30 p.m. · 46 views

CrowdSec - An Open-Source Massively Multiplayer Firewall Able To Analyze Visitor Behavior And Provide An Adapted Response To All Kinds Of Attacks

CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It builds on fail2ban's philosophy but is IPv6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineere...

AI score: 7.2 · Exploits: 0 · References: 2
Imperva Blog · added 2021/08/30 12:52 p.m. · 30 views

5 high-profile DDoS attacks that should chill you to the bone

Distributed denial of service (DDoS) attacks are malicious attempts to make an online service unavailable to users, usually by temporarily interrupting or suspending the services of its hosting server. Data revealed in the 2021 DDoS Threat Landscape Report strongly suggests attacks are constantly...

AI score: 7.1 · Exploits: 0
Code423n4 · added 2021/08/11 12:00 a.m. · 11 views

Missing events/timelocks for owner/admin only functions that change critical parameters

Handle: 0xRajeev. Vulnerability details, Impact: Owner/admin-only functions that change critical parameters should emit events and have timelocks. Events allow capturing the changed parameters so that off-chain tools/interfaces can register such changes, with timelocks that allow users to evaluate the...

AI score: 7 · Exploits: 0
Code423n4 · added 2021/07/30 12:00 a.m. · 9 views

reputation risk via upgradable contracts

Handle: gpersoon. Vulnerability details, Impact: The contract SwappableYieldSource is upgradable. This means the owner could upgrade and change the contract to add any new functionality. Amongst others, the owner could retrieve all the tokens of the YieldSource and transfer them out. The project could sti...

AI score: 6.8 · Exploits: 0
ThreatPost · added 2021/07/26 1:00 p.m. · 57 views

The True Impact of Ransomware Attacks

One of the most damaging myths about ransomware attacks is, “If your company does regular system backups, you don’t have to worry. Just restore from the backup.” While system backups are crucial — power outages, natural disasters, or even mistakes by employees can destroy data just as quickly as ...

AI score: 7.7 · Exploits: 0 · References: 3
Code423n4 · added 2021/07/24 12:00 a.m. · 6 views

reputation risks with updateSolution

Handle: gpersoon. Vulnerability details, Impact: GovDev.sol has a function updateSolution to upgrade parts of the contract via the Diamond construction. Via updateSolution any functionality can be changed and all the funds can be accessed/rugged. Even if this is well intended, the project could still ...

AI score: 6.8 · Exploits: 0
Kitploit · added 2021/07/18 9:30 p.m. · 166 views

ARTIF - An Advanced Real Time Threat Intelligence Framework To Identify Threats And Malicious Web Traffic On The Basis Of IP Reputation And Historical Data.

ARTIF is a new advanced real-time threat intelligence framework that adds another abstraction layer on top of MISP to identify threats and malicious web traffic on the basis of IP reputation and historical data. It also performs automatic enrichment and threat scoring by collecting,...

AI score: 7 · Exploits: 0 · References: 5
Trend Micro Simply Security · added 2021/07/09 12:00 a.m. · 13 views

Summer of Cybercrime Continues: What To Do

We recently coined this the Summer of Cybercrime. Major ransomware attacks continue to hit companies globally. The attacks can cause significant damage from a financial, reputation and productivity standpoint...

AI score: 2.3 · Exploits: 0
Code423n4 · added 2021/06/30 12:00 a.m. · 6 views

Malicious owner can drain the market at any time using SafetyWithdraw

Handle: 0xRajeev. Vulnerability details, Impact: The withdrawERC20Token in SafetyWithdraw, inherited in TracerPerpetualSwaps, is presumably a guarded-launch emergency withdrawal mechanism. However, given the trust model where the market creator/owner is potentially untrusted/malicious, this is a...

AI score: 6.8 · Exploits: 0
Code423n4 · added 2021/06/30 12:00 a.m. · 15 views

Missing events for critical parameter changing operations by owner

Handle: 0xRajeev. Vulnerability details, Impact: The owner of the TracerPerpetualSwaps contract, who is potentially untrusted as per the specification, can change market-critical parameters such as the addresses of the Liquidation/Pricing/Insurance/GasOracle/FeeReceiver and also critical values such as...

AI score: 7 · Exploits: 0
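The four Code423n4 findings above (missing events/timelocks, upgradable-contract and updateSolution rug risk, owner drain via SafetyWithdraw) all have the same mitigation: route every privileged action through a timelock that announces it on-chain before it can take effect. The following is an added example written for this page, not code from Tracer, PoolTogether or any other audited project; the contract names Timelock and Market, the parameter feeBps, the function names setFeeBps and emergencyWithdraw, and the delay and fee cap are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not code from any of the audited projects above). Names such
// as Timelock, Market, setFeeBps and emergencyWithdraw are assumed. Pattern:
// every privileged action is queued (emitting an event that off-chain monitors
// index), may only execute after `delay`, and can be cancelled in between, so
// users get a window to evaluate the change and exit before it lands.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract Timelock {
    uint256 public immutable delay;            // assumed: e.g. 2 days
    address public admin;                      // assumed: a multisig, not an EOA
    mapping(bytes32 => uint256) public eta;    // operation id => earliest execution time (0 = not queued)

    event Queued(bytes32 indexed id, address indexed target, uint256 value, bytes data, uint256 eta);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id, address indexed target, uint256 value, bytes data);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(address admin_, uint256 delay_) {
        require(admin_ != address(0) && delay_ >= 1 days, "bad config");
        admin = admin_;
        delay = delay_;
    }

    function hashOperation(address target, uint256 value, bytes calldata data, bytes32 salt)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(target, value, data, salt));
    }

    /// Queue a call. The full calldata is in the event, so indexers and UIs can
    /// show users exactly which parameter will change, to what, and when.
    function queue(address target, uint256 value, bytes calldata data, bytes32 salt)
        external onlyAdmin returns (bytes32 id)
    {
        id = hashOperation(target, value, data, salt);
        require(eta[id] == 0, "already queued");
        eta[id] = block.timestamp + delay;
        emit Queued(id, target, value, data, eta[id]);
    }

    function cancel(bytes32 id) external onlyAdmin {
        require(eta[id] != 0, "not queued");
        delete eta[id];
        emit Cancelled(id);
    }

    /// Anyone may execute once the delay has elapsed: the decision was made
    /// (and announced) at queue time; execution only carries it out.
    function execute(address target, uint256 value, bytes calldata data, bytes32 salt)
        external payable returns (bytes memory)
    {
        bytes32 id = hashOperation(target, value, data, salt);
        uint256 ready = eta[id];
        require(ready != 0, "not queued");
        require(block.timestamp >= ready, "timelock active");
        delete eta[id];
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        require(ok, "call failed");
        emit Executed(id, target, value, data);
        return ret;
    }
}

/// The protocol contract: privileged functions accept calls only from the
/// Timelock and emit the old and new values of whatever they change.
contract Market {
    uint256 public constant MAX_FEE_BPS = 1_000;   // assumed cap (10%)
    address public immutable timelock;
    uint256 public feeBps;

    event FeeChanged(uint256 oldFeeBps, uint256 newFeeBps);
    event EmergencyWithdrawal(address indexed token, address indexed to, uint256 amount);

    modifier onlyTimelock() { require(msg.sender == timelock, "not timelock"); _; }

    constructor(address timelock_, uint256 initialFeeBps) {
        require(initialFeeBps <= MAX_FEE_BPS, "fee too high");
        timelock = timelock_;
        feeBps = initialFeeBps;
    }

    // The anti-pattern from the findings: owner-only, no event, effective immediately.
    // function setFeeBps(uint256 newFee) external onlyOwner { feeBps = newFee; }

    function setFeeBps(uint256 newFeeBps) external onlyTimelock {
        require(newFeeBps <= MAX_FEE_BPS, "fee too high");
        emit FeeChanged(feeBps, newFeeBps);
        feeBps = newFeeBps;
    }

    // A guarded-launch escape hatch that cannot drain the market silently:
    // the withdrawal is announced `delay` seconds before it can happen.
    function emergencyWithdraw(IERC20 token, address to, uint256 amount) external onlyTimelock {
        emit EmergencyWithdrawal(address(token), to, amount);
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

To change the fee the admin calls `timelock.queue(address(market), 0, abi.encodeCall(Market.setFeeBps, (50)), salt)`, and after `delay` anyone calls `execute` with the same arguments; the `Queued` event carries the encoded call, so a monitor can decode and alert on it immediately. The caveat the upgradability findings raise still applies: if the protocol sits behind a proxy or a Diamond, the proxy admin (or whatever may call `diamondCut`/`updateSolution`) must also be the Timelock, otherwise the owner can simply swap the implementation and bypass every delay.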
Rapid7 Blog · added 2021/06/29 7:04 p.m. · 30 views

#Rapid7Life Belfast: Why I Joined

Starting a new job at a new company can be daunting, particularly during a global pandemic. With interviews via Zoom, onboarding gone remote, first days at home instead of in a brand new office, and so many other shifts since the onset of the pandemic, switching jobs and companies is probably not...

AI score: 7.1 · Exploits: 0
Hacker One · added 2021/05/23 3:36 a.m. · 29 views

Sifchain: Clickjacking

Bug Bounty Report. Vulnerability Name: UI Redressing (Clickjacking). Vulnerability Description: Clickjacking, classified as a user interface redress attack (UI redress attack, UI redressing), is a malicious technique of tricking a user into clicking on something different from what t...

AI score: 6.9 · Exploits: 0
Hacker One · added 2021/05/22 4:01 a.m. · 15 views

QIWI: account impersonate through broken link

Hi team, hope you are good. A link on qiwi.com was broken and anyone could create that account, which leads to account impersonation. PoC: F1310817. Steps To Reproduce: 1. Visit https://qiwi.com/sm 2. The link will redirect you to http://unbouncepages.com/savemyphone/ which is throwing an error "The...

AI score: 1.4 · Exploits: 0
Hacker One · added 2021/05/13 10:32 a.m. · 20 views

Sifchain: Wrong Url in Main page of sifchain.finance

Hello Sifchain team, I found that all the social media buttons are working properly except the Telegram button on the main page of sifchain.finance. Misconfiguration of a button can create a bad reputation for a company, and a genuine customer could not reach the company through the mis-configured...

AI score: 6.8 · Exploits: 0
The Hacker News · added 2021/04/26 10:38 a.m. · 264 views

How to Test and Improve Your Domain's Email Security?

No matter which type of business you are in, whether small, medium, or large, email has become an indispensable tool for communicating with your employees, partners, and customers. Emails are sent and received in bulk each day by companies from various sources. In addition, organizations may also...

AI score: 0.5 · Exploits: 0
The Hacker News · added 2021/01/21 11:09 a.m. · 2 views

Importance of Application Security and Customer Data Protection to a Startup

When you are a startup, there are umpteen things that demand your attention. You must give your hundred percent (probably even more!) to work effectively and efficiently with the limited resources. Understandably, the importance of application security may be pushed to the bottom of your things-to-do...

AI score: 5.9 · Exploits: 0
Hacker One · added 2020/11/11 6:59 a.m. · 32 views

X (Formerly Twitter): Github Account hijack through broken link in developer.twitter.com

Description: A link in https://developer.twitter.com/en/docs/twitter-api/tools-and-libraries was broken and anyone could create that account, which leads to account impersonation. Steps To Reproduce: 1. Visit https://developer.twitter.com/en/docs/twitter-api/tools-and-libraries 2. Scroll down to...

AI score: 6.7 · Exploits: 0
Akamai Blog · added 2020/10/13 10:00 p.m. · 53 views

What's New in Web Security

With Akamai's web security portfolio, the top focus this October is on the web application firewall (WAF), with exciting new capabilities: API Discovery and Adaptive Security Profiles. Along with the rest of the industry, Akamai has observed a long-term shift in the applications that we're...

AI score: 0.1 · Exploits: 0
CNVD · added 2020/10/09 12:00 a.m. · 1 view

Cisco Email Security Appliance URL Filter Bypass Vulnerability

Cisco Email Security Appliance (ESA) is an email security appliance from Cisco in the U.S.; AsyncOS Software is the operating system that runs on it. A URL filter bypass vulnerability exists in the anti-spam protection mechanism of the Cisco AsyncOS software used by the Cisco Email Security Appliance. The...

CVSS: 5.8 · AI score: 6.8 · EPSS: 0.0099
Exploits: 0 · References: 1