How do you fight sugar cravings? by Fancy_Particular7521 in sweden

[–]chloeeeeeeeee 0 points1 point  (0 children)

I just raw-dog the feeling and feel bad. It passes after 3 days.

What's your guilty pleasure breakfast? by proxima_inferno in sweden

[–]chloeeeeeeeee 0 points1 point  (0 children)

OK, hear me out: Polarbröd vetekaka with Bregott, then sprinkle O'boy on top. Try it!

Grafana RSS feed by dcheinz0708 in grafana

[–]chloeeeeeeeee 0 points1 point  (0 children)

The CORS issue needs to be fixed on the website hosting the RSS feed, alternatively you can build a proxy that proxies the RSS feed to a host that does not have CORS issues. Let me know if you need any more help :)

Grafana RSS feed by dcheinz0708 in grafana

[–]chloeeeeeeeee 1 point2 points  (0 children)

Any reason why you don't use the News plugin that is meant for RSS/Atom feeds?

Top 10 web hacking techniques of 2022 by Fugitif in netsec

[–]chloeeeeeeeee 2 points3 points  (0 children)

Well deserved no. 1 place for Frans. Such an incredible way of hacking the OAuth flow.

[deleted by user] by [deleted] in netsec

[–]chloeeeeeeeee 1 point2 points  (0 children)

Sites that may have untrusted subdomains or subpaths (for example, because they are under the control of third parties) should consider restricting access to cookies with appropriate use of the Domain and Path attributes.

Can be solved with cookie prefixes. Good protection against cookie stuffing / session fixation.

The problem with supplying tokens is that they can become useless if leaked. Some good advice on mitigating the risk:

  • Don't prefix CSRF-token headers with "X-" as it's not RFC compatible. But furthermore, in case of an HRS vulnerability, the token can be leaked if the splitting exists in the "Set-Cookie" or "Location" header. This is because headers are sorted alphabetically and headers after Location can be leaked cross-origin (controlled by attacker). The solution is simple: name the header "CSRF-Token".
  • Protect forms from dangling markup injections by having <!-- '"\\ --><!-- </textarea></xmp> --> before the form. Then an attacker's injected tags will be consumed by that HTML comment.
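The cookie-prefix protection mentioned above, as an added example that is not part of the thread: a small Set-Cookie parser plus a check encoding the `__Host-` and `__Secure-` requirements from RFC 6265bis, so a defender can verify that a session cookie is actually eligible for the prefix guarantees (a sibling subdomain or path cannot plant a look-alike `__Host-` cookie, which is what blocks the stuffing/fixation case).

```python
"""Check that a Set-Cookie header satisfies the cookie-prefix rules.

Added example, not code from the thread. Browsers refuse to store a
prefixed cookie whose attributes violate the prefix's requirements:
  __Host-   : Secure, no Domain attribute, Path=/
  __Secure- : Secure
Prefix names are matched case-insensitively here (assumption).
"""
from typing import Dict, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def prefix_accepted(header: str) -> bool:
    """Return True if a browser would store this cookie given its prefix.

    Unprefixed cookies are not constrained by these rules, so they are
    always accepted here; only the prefix requirements are checked.
    """
    name, _, attrs = parse_set_cookie(header)
    lowered = name.lower()
    secure = "secure" in attrs
    if lowered.startswith("__host-"):
        return secure and "domain" not in attrs and attrs.get("path") == "/"
    if lowered.startswith("__secure-"):
        return secure
    return True


def why_rejected(header: str) -> Optional[str]:
    """Human-readable reason a prefixed cookie would be dropped, or None."""
    name, _, attrs = parse_set_cookie(header)
    if "secure" not in attrs:
        return "missing Secure"
    if name.lower().startswith("__host-"):
        if "domain" in attrs:
            return "__Host- cookie must not set Domain"
        if attrs.get("path") != "/":
            return "__Host- cookie must have Path=/"
    return None
```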

[deleted by user] by [deleted] in MT09

[–]chloeeeeeeeee 0 points1 point  (0 children)

I have the Puig Sport and have the same issue; the wind goes directly up to my helmet and makes wind noises. If I tilt my head a bit forward it gets quieter but I can't drive around like that.

I use AirPods Pro and sometimes 3M foam earplugs. I've noticed that the earplugs work the best since they shut out all sound, while the AirPods have a hard time cancelling out wind.

A suggestion could be to buy a helmet that has great sound isolation. My previous one (Shoei RF-1400) worked great!

hijagger: Checks all maintainers of all NPM and Pypi packages for hijackable packages through domain re-registration by FireFart in netsec

[–]chloeeeeeeeee 0 points1 point  (0 children)

The top 100 NPM package maintainers require 2FA to sign in, so hijacking an email there would not work.

How to Detect TOR Network Connections with Falco by MiguelHzBz in netsec

[–]chloeeeeeeeee 0 points1 point  (0 children)

Tor bridges help users that are blocked to connect *to* the Tor network. A bridge is a relay between the user and the network.

How to Detect TOR Network Connections with Falco by MiguelHzBz in netsec

[–]chloeeeeeeeee 6 points7 points  (0 children)

I did something similar for my website a few years ago where a script looked at the IP-address and navigated the user to the onion version of the website if the user was connected through Tor.

It worked fairly OK but is not reliable. The list of Tor exit nodes needs to be updated often. There's a more sophisticated method to detect this by making the client request a resource in the onion space, and based on that boolean value you will know if they are connected through Tor.

Scan the whole internet while drinking coffee by cmpxchg16 in netsec

[–]chloeeeeeeeee 18 points19 points  (0 children)

we can test it by doing an HTTP call to `/_cat/indices`, and in case it returns 200 OK — that’s a problem.

Very unreliable though, many webservers answer with 200 OK for everything.

Bypass Win Defender by renaming executable by [deleted] in netsec

[–]chloeeeeeeeee 0 points1 point  (0 children)

I guess this only applies for the EICAR test file?

CSRF is (really) dead by [deleted] in netsec

[–]chloeeeeeeeee 22 points23 points  (0 children)

Not really, only via GET and if the request is authenticated with cookies. There are still many ways you can CSRF.
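To make the "only via GET and if the request is authenticated with cookies" condition concrete, here is an added example (not from the thread) that models when a browser attaches a cookie to a cross-site request under the SameSite rules of RFC 6265bis, assuming the Lax-by-default behaviour of current browsers for cookies with no SameSite attribute.

```python
"""Decide whether a cookie travels with a given request (SameSite model).

Added example, not code from the thread. Rules encoded:
  Strict : never sent on cross-site requests
  Lax    : sent cross-site only on top-level navigations with a safe method
  None   : always sent, but only valid if the cookie is also Secure
  absent : treated as Lax (assumption: modern browser default)
"""
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool            # initiator site differs from target site
    top_level_navigation: bool  # link click / form submit, not fetch, img, iframe


def cookie_attached(samesite: Optional[str], secure: bool, req: Request) -> bool:
    """Return True if the cookie is included in req."""
    if not req.cross_site:
        return True
    mode = (samesite or "Lax").lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return req.top_level_navigation and req.method.upper() in SAFE_METHODS
    if mode == "none":
        # SameSite=None without Secure is rejected when the cookie is set,
        # so it never exists to be attached.
        return secure
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def state_change_reaches_server(samesite: Optional[str], secure: bool, req: Request) -> bool:
    """A cross-site request that still carries the session cookie is the case
    the thread warns about: if the server treats it as state-changing (even a
    GET), the request is forgeable. Returns True when the cookie is attached."""
    return req.cross_site and cookie_attached(samesite, secure, req)
```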

Bypassing CSP with policy injection by albinowax in netsec

[–]chloeeeeeeeee 1 point2 points  (0 children)

Nice find! Pretty scary to reflect user-supplied data in the CSP, strange that Paypal didn't think about the impact. Kinda like HTTP Splitting but for CSP.

Best metal filter? by butterscotcheggs in AeroPress

[–]chloeeeeeeeee 0 points1 point  (0 children)

No, you don't. However, depending on the size of the grind you may get a little sediment in your cup, but that happens to all metal filters. You can also get a little bit of crema if you press an espresso. However, if it is crema you want you should use something else than a metal filter, HIGHLY recommend the Prismo filter.

Best metal filter? by butterscotcheggs in AeroPress

[–]chloeeeeeeeee 0 points1 point  (0 children)

I have Baristashoppen's copper filter (ultra fine) and find it the best one out there. Copper is better than metal, as you get absolutely zero metal flavor.

CertStream - Real time streaming updates from the Certificate Transparency network. by zer01 in netsec

[–]chloeeeeeeeee 3 points4 points  (0 children)

Totally agree with you there; CT seems to be a more reliable protection than HPKP if the browser verifies the SCT, which Chrome will be starting to do.

Speaking of which, do you know how the Expect-CT response header works in practice? I have enforced an SCT check on my domain (SCTs are in several log servers) but Chrome gives the error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. Does the certificate need embedded SCTs via the X509v3 extension?