1151 matches found
Cloudflare: http://cdnjs.cloudflare.com/ Cross-site scripting 2
Hi, I found another flash based XSS located here : http://cdnjs.cloudflare.com/ajax/libs/extjs/3.4.1-1/resources/charts.swf?allowedDomain=%22catchealertdocument.domain;// best regards, Olivier Beg!...
Cloudflare: Content spoofing /CSRF at https://www.cloudflare.com/ajax/modal-dialog.html
Hi there, I noticed two things on the following url: https://www.cloudflare.com/ajax/modal-dialog.html 1. CSRF There are some csrf countermeasures in place e.g. X-Requested-With: XMLHttpRequest, however they're not validated on the server. This leads to an uncritical csrf: 2. Content spoofing Usi...
Cloudflare: jplayer.swf Cross-site scripting
Hello, I found a Cross-site scripting located here : http://cdnjs.cloudflare.com/ajax/libs/jplayer/2.2.0/Jplayer.swf?jQuery=alert&id=XSS Best regards, Olivier Beg...
Cloudflare: CSRF in Cloudflare login
I noticed that the login page at /login does not prevent CSRF logins. I recommend taking a look at the risks of not protecting login against CSRF and possibly protect the form against attacks like this with a token just like in the rest of the application...
CloudFlare Launches Bug Bounty Program
As the OpenSSL heartbleed saga unfolded over the last couple of weeks, one of the companies that was at the forefront of figuring out the scope and effects of the problem was CloudFlare. The company put up a challenge server, asking researchers to hit it with the heartbleed exploit to determine...
Certificate Revocations Shoot Up in Wake of OpenSSL Heartbleed Bug
The after effects of the OpenSSL heartbleed vulnerability continue to spread through the technology industry, nearly two weeks after the details of the flaw were disclosed. One of the latest repercussions is a huge increase in the number of SSL certificates being revoked, as site owners and hosti...
OpenSSL Fixes TLS Vulnerability
The maintainers of the OpenSSL library, one of the more widely deployed cryptographic libraries on the Web, have fixed a serious vulnerability that could have resulted in the revelation of 64 KB of memory to any client or server that was connected. The details of the vulnerability, fixed in versi...
CloudFlare Issues Transparency Report
CloudFlare claims government requests for user data are affecting fewer than .017 percent of their two million global customers The Web performance and security company yesterday issued the report in accordance with the Department of Justice’s new regulations for publishing information pertaining...
Largest Ever 400Gbps DDoS attack hits Europe uses NTP Amplification
The Distributed Denial of Service DDoS attack is the one of favourite weapon for the hackers to temporarily suspend services of a host connected to the Internet and till now nearly every big site had been a victim of this attack. Since 2013, Hackers have adopted new tactics to boost Distributed...
CloudFlare's Red October Crypto app with two-man rule style Encryption and Decryption
It is always important to secure our system against outside threats i.e. Hackers, but it also required to protect against insider threats. The potential of damage from an Insider threat can be estimated from the example of Edward Snowden who had worked at the NSA, and had authorized access to...
CloudFlare's Red October Crypto app with two-man rule style Encryption and Decryption
None...
Internet Bug Bounty: TLS Virtual Host Confusion
I am a security researcher at INRIA Paris in team PROSECCO http://prosecco.inria.fr We have been investigating a new class of attacks against the deployment of TLS on the Web. The main idea behind these attacks is that when two servers host different domains but share the same certificate which...
HackerOne: CSP not consistently applied
Also thought I'd formally submitted the issue we discussed yesterday, that sometimes the CSP response headers served are missing for browsers that don't support them, but then the page without these headers can be cached by Cloudflare. This makes it easier to mount a XSS attack...
Web Hosting software WHMCS vulnerable to SQL Injection; emergency security update released
WHMCS, a popular client management, billing and support application for Web hosting providers, released an emergency security update for the 5.2 and 5.1 minor releases, to patch a critical vulnerability that was publicly disclosed. The vulnerability was publicly posted by a user named as...
Web Hosting software WHMCS vulnerable to SQL Injection; emergency security update released
WHMCS, a popular client management, billing and support application for Web hosting providers, released an emergency security update for the 5.2 and 5.1 minor releases, to patch a critical vulnerability that was publicly disclosed. The vulnerability was publicly posted by a user named as...
Inside the Response to the New York Times Attack
Late Tuesday morning, one of the engineers in CloudFlare’s San Francisco office saw a message on Twitter saying that the New York Times Web site was down. Minutes later, more messages appeared, as security researchers and others began looking into the situation and realized that someone may have...
Registrar Hack at Root of NY Times and Twitter Attacks
UPDATE–The attack that took down the New York Times Web site Tuesday afternoon, along with domains belonging to Twitter and the Huffington Post, was accomplished through the use of compromised credentials belonging to a reseller for the registrar that those companies use to buy their domains...
China hit by massive DDoS attack causing the Internet inaccessibility for hours
During the weekend China's Internet was taken down by a powerful distributed denial of service DDoS attack on the .cn domain slowed and blocked Internet access inaccessibility for hours. Security expert clarified that China could have been perpetrated by sophisticated hackers or by a single...
China .cn Domain Available Again after DDoS Attack
Long fingered as the source of denial-of-service attacks and other hacks against foreign interests, China’s .cn domain was targeted on Sunday and approximately one-third of the sites registered to that domain were kept offline for a period of time. A statement from the China Internet Network...
Cloudflare Cross Site Scripting
Details below of an XSS vulnerability I discovered in Cloudflare markdown format - Glenn | /dev/alias http://blog.devalias.net http://devalias.net ----- Reference Number: DAHAX-2013-001 /dev/alias/hacks 2013-001 Notification Timeline: 10/07/2013, Request 38713...