Potential vulnerability in JSON response returning base64-encoded image data, with the response being vulnerable to MIME sniffing

A JSON response in the API of a webapp is returning the base64 of a user-uploaded image, and there’s no X-Content-Type-Options header to prevent MIME sniffing.

Could this be a potential vulnerability such as an XSS for the webapp by using steganography to edit the image with a payload, uploading it, and then MIME sniffing the JSON response? (or by any other means?)

Is this Ubuntu kernel version vulnerable to dirty cow? [closed]

I am attempting to escalate privileges on a CTF Ubuntu box, but I am afraid to run Dirty COW due to a possible crash. Is this kernel version vulnerable to the exploit:

Linux ip- 3.13.0-162-generic #212-Ubuntu SMP Mon Oct 29 12:08:50 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux?

The Ubuntu version is Ubuntu 14.04.

Dirty COW documentation shows Ubuntu 14 versions < 3.13.0-100.147 are vulnerable, although I am confused as to whether this version is vulnerable and want to be somewhat positive before running it on the CTF / Capture the Flag machine.

Explain Like I’m 5 — Why are AMD processors not, or less, vulnerable to Meltdown and Spectre?

All these answers are abstruse and complex. Can someone please explain like I’m 5 by relying on, but varietizing, u/zoox101’s excellent analogy? I copy and paste it here with some trifling corrections and modifications, like differently gendering the librarian and the diary’s owner to avoid confusing pronouns.

At its heart, your computer works just like a library. It’s constantly reading and moving information just like students read and move books. And just like any good library, your computer has a friendly librarian: Ms Kernel.

Whenever you go to check out a book, you give Ms Kernel the title and she goes to fetch it for you. However, this library may contain some pretty secret stuff, so Ms Kernel always checks to make sure you’ve got permission to read the book you’re requesting.

Back in the old days, Ms. Kernel had to do all the work herself, and it was painfully slow. Recently computers are better designed, and can do multiple operations at once, meaning that Ms. Kernel now has a bunch of assistants helping her. This is great for the library, because now it can handle more people than ever before! However, it also creates a weakness that was only just discovered. Here’s how the weakness works.

You, a mischievous ne’er-do-well, want to read your rival Ed’s diary, which he keeps in the library. However, Ed hasn’t shared his diary with you, so Ms. Kernel won’t let you check it out. So you decide to do something rather clever… Rather than asking for the diary directly, you ask Ms. Kernel to fetch two things:

  1. Ed’s diary

  2. a book where the first word in the title is the first word in Ed’s diary.

Back in the old days, this wouldn’t have been a problem. The first thing Ms. Kernel would have done was to ask Ed if you could read his diary. When Ed said no, Ms. Kernel would’ve stopped.

However, the assistants complicate things. To save time, Ms. Kernel asks one assistant to ask Ed for permission, while the other goes to find the two books you requested. When the first assistant tells Ms. Kernel that Ed said no, the second one gives Ms. K the books, which Ms. K sets on her desk.

Ms. Kernel tells you that you can’t have the books. However, because they’re sitting on the desk, you can read the titles. The first one’s called "Ed’s Diary" and the second one’s called "The Cat in the Hat". Because you requested a book whose title begins with the same word as the first word in Ed’s diary, you know that the first word in the diary must be "The".

If you wanted to, you could repeat this process for every word in the diary, until you could read the whole diary.

This exploit endangers all libraries because it works in every library that has assistant librarians, which covers just about every modern processor out there. The only real panacea is to force the assistants to run the check before fetching the books, which will slow down the library as a whole. The biggest vulnerability is that the parallel processing (assistants) is leaving the cache (desk) in a different state than they found it, even though the permission check failed.

Thankfully, no known malware exploits this bug, but the safest thing to do is to update your devices as soon as a fix is released, to prevent them from being infiltrated in the future. The performance shouldn’t slow down most personal devices (small library, few assistants), but will decrease performance on larger machines (i.e. university supercomputers).

How can a vulnerable router be exploited?

Sometimes I come across articles that write about vulnerable IoT devices and say that there are a lot of routers that are not sufficiently protected.

I own a router myself which has SSH access, and I was wondering what possible attack vectors exist, because I can’t think of many except forwarding ports by looking up the ARP table, and even then you need to know what kind of device is at the other end.

I also don’t understand how malware could, for example, take over my router and add it to a botnet when it is not possible to execute shell commands; usually you can only execute commands within a (I presume) secured environment, and that is limited to a few commands. So they should not be able to upload a binary and execute it.

Command to check a website is vulnerable to Logjam

I am referring to this post https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ and trying to see whether a website is vulnerable to Logjam or not.

I try with www.google.com:443 but I am getting "Server Temp Key: X25519, 253 bits". Does this mean Google is vulnerable to Logjam?

(The command to use is $ openssl s_client -connect www.example.com:443 -cipher "EDH")

I would like to try this on my SIT IP and port, which is not open to the public, so I am not sure whether the way I do it is correct or not.

As I understand it, Google will not likely be vulnerable to Logjam, right?

If you have a better way to verify, kindly advise.

Are Thunderbolt-enabled computers without Thunderbolt ports vulnerable to Thunderspy?

Could these two attack scenarios exploit the recently publicized vulnerability?

  • Using a Thunderbolt adapter like a USB-to-Thunderbolt adapter on a computer without any Thunderbolt port
  • Temporarily replacing hardware (mainboard) with hardware that has Intel’s Thunderbolt port

And if one or both would work: what would be a reliable way to protect against this on such computers (Thunderbolt-enabled or Thunderbolt not disabled and hardware-replaceable)?

Is this code vulnerable? window.location.href usage [closed]

Currently developing a small module and wanted to check with experts whether its code is vulnerable or not. This is part of my internship.

When a button is clicked it opens an Android application from its webpage. If the webpage is visited from a desktop, it will just have a redirect link. When using a mobile browser, it will open the application. I implemented HTML encoding that encodes special characters such as double quotes and <>.

Is the code below secure, or will it lead to XSS or redirection kinds of attacks?

NOTE: Randomvalue is alphanumeric and it is passed as a part of url upon clicking the button. All values are sample.

    <body>
      <script>
        // Assumes jQuery is loaded before this script (the original snippet omitted the include).
        function redirect() {
          // "randomvalue" is the alphanumeric value passed as part of the URL (sample value).
          window.location.href = "intent://randomvalue#Intent;scheme=owasp;package=com.owasp.top10.vuln;end";
        }
        // Once the DOM is ready, trigger the redirect after a 300 ms delay.
        $(document).ready(function () {
          setTimeout(redirect, 300);
        });
      </script>
      <a id="open" href="javascript:redirect()">Open Application</a>
    </body>

How to inject a good XSS payload in a vulnerable site

Please, I need help here. I discovered a shady Ponzi site with XSS vulnerability issues. The vulnerability is located in the registration page; all user input fields are vulnerable, which consist of the email field, phone number field and password field.

Please guys, what good XSS payload can I use to exploit this vulnerability, and how do I go about it?

Thanks a lot.