Category Archives: Security & Compliance
Phasing out legacy cryptographic algorithms can always be an interesting endeavor, as terminating them too early breaks things and terminating them too late can lead to a compromise. OpenSSH disabled DSA with version 7.0 in March 2015, as 5 years earlier it was discovered that DSA was compromised and labelled as insecure. Normally this shouldn’t be a […]
WhatsApp put an emoji in their URL
Emoji characters already appeared in DNS, but now also in a URL. And Google shows them perfectly, which makes me wonder whether all parts of their code base are ready to handle this correctly or whether it is an incident. WTF. Has everybody lost their minds? Seriously, how do I even enter this shit? pic.twitter.com/LTMzqC484f […]
Emoji in URLs are probably a bad idea…
On the dns-operations mailing list there were already discussions about parties who bought domains like ♀.com (xn--e5h.com), but the following is also an interesting development. Emoji in URLs are probably a bad idea… probably: https://t.co/agIckLlvSC ? #phishing #unicode #emoji pic.twitter.com/hMuuTWO1fn — x0rz (NOT@DEFCON) (@x0rz) July 17, 2017 When will we find pages with “special” Web […]
Is CWE-525 still relevant?
During a code upgrade of a web application from Symfony 2.8 to 3.3 it also became time to do some basic tests with Zed Attack Proxy. While most findings were logical and easy to fix, one was different, and it started with the finding below. Description: The AUTOCOMPLETE attribute is not disabled on an […]
Kali Linux 2016.2
Last week Kali Linux 2016.2 was released, so it was time to make a new VirtualBox instance for it to see the difference from the release in January. But let’s automate a little to quickly rebuild virtual machines for Kali Linux. $ cd ~/Downloads $ wget http://cdimage.kali.org/kali-2016.2/kali-linux-2016.2-amd64.iso Let’s create the virtual machine and boot […]