IFrame Vulnerability Classification

I was participating in a bug bounty on a website we will call example.com, when I ran into a very strange edge case which I am not sure I should report. The website uses ads and tracking similar to google analytics from a website we can call tracking.com. When visiting the example website there is an iframe to the tracking website. The source of the iframe can be seen below.

    <body>
    <script type="text/javascript">
    ((function (e, t) {
        var n = function () {
            var e = t.createElement("iframe");
            // the utm_source value is concatenated straight into the URL
            e.src = "https://tracking.com/container/?utm_source=[INJECT]";
            e.style.cssText = "position: absolute";
            t.body.appendChild(e)
        }
        if (t.readyState === "complete") {
            n()
        } else {
            if (typeof e.addEventListener !== "undefined") {
                t.addEventListener("DOMContentLoaded", n, false)
            } else {
                e.attachEvent("onload", n, false)
            }
        }
    })(window, document));
    </script>
    </body>

The example website also has a parameter called utm_source, through which JavaScript can be injected into the iframe (where I placed [INJECT] in the code above). For example, visiting https://example.com/?utm_source=";</script><script>alert(document.domain)</script> yields an alert reading "embedded page at tracking.com says tracking.com". The issue is that the tracking website is not in scope of the bug bounty, and I am not even sure that the issue is caused by the tracking website. It seems like the example website allows the user to inject arbitrary JS into the iframe of the tracking website. Is this a bug worth reporting, or am I missing some easy way of escaping the iframe?

So far I have tried injecting </iframe> and things like e.onload=alert(1) to escape the iframe, but have not been successful. Since the example and tracking websites are on different domains, I cannot access things in the parent website (example) from the tracking website, due to the “X-Frame-Options” header being set to “SAMEORIGIN”.

As a beginner this bug has me very confused as to how it should be classified and if it is exploitable in any way. Any tips would be greatly appreciated!
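The utm_source value in the question passes through two contexts, a URL query string built on example.com and a JS string literal inside an inline script, and each context needs its own encoding. The following is an added example (not code from the question or from either site) showing the two safe encodings beside the concatenation the question's snippet uses; the function names are hypothetical.

```javascript
// Payload quoted in the question, used here only as test input.
const PAYLOAD = '";</script><script>alert(document.domain)</script>';

// Context 1: building the iframe URL. URLSearchParams percent-encodes every
// character that is not alphanumeric or one of "*-._", so the query string
// never carries raw quotes, angle brackets or semicolons.
function buildTrackingUrl(utmSource) {
  const u = new URL("https://tracking.com/container/");
  u.searchParams.set("utm_source", utmSource);
  return u.href;
}

// Context 2: writing the value into a JS string literal inside <script>.
// JSON.stringify escapes quotes and backslashes; the extra replace turns "</"
// into "<\/" so the HTML parser cannot see an early closing </script> tag.
function escapeForInlineScript(value) {
  return JSON.stringify(String(value)).replace(/<\//g, "<\\/");
}

// Vulnerable rendering: the value is concatenated straight into the literal,
// which is what the snippet in the question does.
function renderContainerScriptUnsafe(utmSource) {
  return '<script>var src = "' + utmSource + '";</script>';
}

// Hardened rendering of the same script.
function renderContainerScript(utmSource) {
  return "<script>var src = " + escapeForInlineScript(utmSource) + ";</script>";
}

// True when the rendered HTML contains a </script> before the final one,
// i.e. the injected text would terminate the script element early.
function breaksOutOfScript(html) {
  const body = html.slice("<script>".length).toLowerCase();
  const closer = "</script>";
  return body.indexOf(closer) !== body.length - closer.length;
}
```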

Does TLS 1.3 mitigate the BREACH vulnerability?

Section 5.4 of the TLS 1.3 specification describes record padding.

One of the mitigations for BREACH is to add random padding.

Therefore, I’m wondering:

  1. Does TLS 1.3 require random record padding? I’m also unclear on whether this padding is optional or required, and whether it is always random.
  2. If TLS 1.3 random record padding is done, am I correct in thinking that it does mitigate BREACH?

Assuming both of those questions are answered affirmatively, I believe that would mean that any site that uses TLS 1.3 (and supports no earlier version of SSL/TLS) would not be vulnerable to BREACH.

Vulnerability management benchmarks

Despite the continuous effort in our company to resolve vulnerabilities, we still report a significant number of vulnerabilities after each scan we perform.

We would like to understand if there are industry benchmarks or ratios, like number of vulnerabilities per asset out there that we can use to compare ourselves with.

Are any of you aware of an industry benchmark in this regard?

Thanks

Would it be a big security vulnerability if someone wrote a browser extension to retrieve personal information on Google’s behalf?

I am a 6th grader working on a project and came across the following question:
On most browsers, you can inject JavaScript code into the browser, for example by typing in javascript:alert(‘Injecting javascript code’). On Google Chrome, if you do this on Google Drive, instead of the title being “drive.google.com says”, the title is “Google Drive”. Would this be a security threat in any way if someone wrote a malicious extension to ask for personal information on Google’s behalf?

Is SerializationException sign of Serialization/Deserialization vulnerability?

I am doing a bug bounty. I intercepted the POST request to the sign-up form on the target website. I modified the first name and last name POST params to inject bad characters (in order to SQL inject), but the API/registration service sends me a response with a 400 error code for bad request and this body content: {"__type":"SerializationException"}

This type of response reminds me of the serialization/deserialization vulnerability. I have never exploited this vulnerability, but I have read content about it. I know the target sends the request to an Amazon web server.

This is the request intercepted and modified from Burp:

    POST / HTTP/1.1
    Host: XXXX.us-east-1.amazonaws.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://XXX.domain.com/sign-up
    Content-Type: application/x-amz-json-1.1
    X-Amz-Target: AWSCognitoIdentityProviderService.SignUp
    X-Amz-User-Agent: aws-amplify/0.1.x js
    Origin: https://XXX.domain.com
    Content-Length: 365
    DNT: 1
    Connection: close

    {"ClientId":"3ck15a1ovXXXXX97vs3tbjb52","Username":"an-email@my-domain.com","Password":"Apassword","UserAttributes":[{"Name":"email","Value":"an-email@my-domain.com"},{"Name":"birthdate","Value":"1980-01-01"},{"Name":"given_name","Value":"<>'\"\é`"},{"Name":"family_name","Value":"<>'\"\é`"},{"Name":"locale","Value":"en-us"}],"ValidationData":null}

This is the response:

    HTTP/1.1 400 Bad Request
    Date: Fri, 01 May 2020 08:08:38 GMT
    Content-Type: application/x-amz-json-1.1
    Content-Length: 35
    Connection: close
    x-amzn-RequestId: a2cf8b37-a837-4dfc-a385-058bxxxxxxx
    Access-Control-Allow-Origin: *
    x-amzn-ErrorType: SerializationException:
    Access-Control-Expose-Headers: x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date

    {"__type":"SerializationException"}

I know the website uses these technologies:

  • Vue.js
  • HTTP/2
  • webpack
  • Adobe DTM

Note: I read on the internet that Adobe DTM is programmed in Java. Coincidence?

At this point, which tests should I try, and is this message the sign of a potential serialization/deserialization vulnerability?
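One thing worth checking before reading anything into the error: the body in the request above is not valid JSON, because `\é` is not a JSON escape sequence (only `\"`, `\\`, `\/`, `\b`, `\f`, `\n`, `\r`, `\t` and `\uXXXX` are), so any JSON parser rejects it before application code sees the names. The following is an added example (not from the question or from AWS) that reproduces the parse failure offline and builds the same test characters with a JSON encoder so they reach the service intact; the function names are hypothetical and the ClientId is the one shown in the question.

```javascript
// The body as sent from Burp (constructed copy of the request above, with the
// attributes that do not matter for the parse failure left out).
const RAW_BODY =
  '{"ClientId":"3ck15a1ovXXXXX97vs3tbjb52","Username":"an-email@my-domain.com",' +
  '"Password":"Apassword","UserAttributes":[' +
  '{"Name":"given_name","Value":"<>\'\\"\\é`"},' +   // contains the invalid escape \é
  '{"Name":"family_name","Value":"<>\'\\"\\é`"}],"ValidationData":null}';

// The characters the question tried to send, as a JS string: < > ' " \ é `
const TEST_NAME = '<>\'"\\é`';

// Parse without throwing, so a caller can tell a malformed body from a valid one.
function tryParse(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Build the same SignUp body with the encoder doing the escaping. Every special
// character, including the backslash, survives the round trip through JSON.
function buildSignUpBody(givenName, familyName) {
  return JSON.stringify({
    ClientId: "3ck15a1ovXXXXX97vs3tbjb52",
    Username: "an-email@my-domain.com",
    Password: "Apassword",
    UserAttributes: [
      { Name: "email", Value: "an-email@my-domain.com" },
      { Name: "given_name", Value: givenName },
      { Name: "family_name", Value: familyName },
    ],
    ValidationData: null,
  });
}

// Extracts a named attribute from a parsed body, or null if absent.
function getAttribute(parsed, name) {
  const hit = (parsed.UserAttributes || []).find((a) => a.Name === name);
  return hit ? hit.Value : null;
}
```

If the encoded body still comes back with a 400, the rejection is about the values themselves rather than the JSON syntax, which is the distinction the SerializationException alone does not give you.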

Microsoft DS vulnerability?

Simply asking this out of curiosity: I heard that Microsoft DS is a port that is commonly used by hackers to hack computers, due to its ability to transfer files. Two questions: first, how do they transfer files with Microsoft DS, and do they need an exploit to be able to have the malware run?

Do BSD jails protect against some vulnerability class that LXC doesn’t?

You can find many claims online regarding BSD jails being “better” in some way than Linux namespaces for containment, but they typically lack technical details. From what I understand, the attack surface is pretty much equivalent (shared kernel syscalls, drivers in exposed devices, shared networking stack, shared filesystem access and memory pages).

To make this question not opinion-based, assume a reasonably configured system, meaning:

  • not using host root inside containment
  • not sharing extra services/filesystems which can be exploited
  • not forwarding more capabilities than necessary for the contained environment
  • using current best-practice configuration for either system

Are there any specific vulnerability classes or attack surfaces which are present in recent LXC+cgroups which are mitigated/impossible in FreeBSD/OpenBSD/… jails? I’m ignoring here coding bugs related to specific implementations that have immediate fixes – I’m only interested in security problems which are prevented by design in the other solution.