Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over (rmondello.com) Independent media venture 404 Media recently published a post titled, “We Don’t Want Your Password”. The piece is a cogent explanation of the problems with password-based accounts online followed by a defense of the website’s login strategy, magic links, in the face of feedback about them being inconvenient and difficult to use.
SHA-256, ECDH, ECDSA and RSA Not Approved by ASD in Australia for 2030 (medium.com) I am a bit shocked … SHA-256, RSA, ECDSA and ECDH will not be approved for use in Australia by 2030. Basically, these four methods are used for virtually every Web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent. The removal of SHA-256 definitely goes against current recommendations.
14 points by josephcsible 102 days ago | 0 comments
Web Locks API (mozilla.org) The Web Locks API allows scripts running in one tab or worker to asynchronously acquire a lock, hold it while work is performed, then release it. While held, no other script executing in the same origin can acquire the same lock, which allows a web app running in multiple tabs or workers to coordinate work and the use of resources.
3 points by leonardoeloy 126 days ago | 0 comments
New passkey specifications will let users import and export them (9to5mac.com) Passkeys were introduced two years ago, and they replace traditional passwords with more secure authentication using a security key or biometrics. To make the technology even better, the FIDO Alliance published on Monday new specifications for passkeys, which ensure a way to let users import and export them.
Coming soon: Securely import and export passkeys (1password.com) Passkeys are superior to passwords in almost every way. They’re simpler to use because there’s nothing to memorize, type out, or paste in. They’re also always strong and come with multi-factor authentication built right in. In short, passkeys are awesome.
CS 253 Web Security (web.stanford.edu) This course is a comprehensive overview of web security. The goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers to improve their understanding of web security issues.
How to Hack the Breakthrough Prize (Ft. Session Confusion) (varun.ch) In 2023, I discovered a critical vulnerability in the Breakthrough Challenge website. After over one year since it was patched, I am disclosing the bug for the sake of transparency. I believe this class of vulnerability, which I am introducing as 'Session Confusion', is often overlooked.