Posts

Mass assignment vulnerabilities!
by Wilomousky Assaf on September 09

Mass assignment (also known as auto-binding) can inadvertently create hidden parameters. It occurs when software frameworks automatically bind request parameters to fields on an internal object. Mass assignment may therefore result in the application supporting parameters that the developer never intended to be processed.

Safeguarding Your Systems: A Comprehensive Guide to XXE Protection

Article by Assaf Wilomousky

Introduction
XML External Entity (XXE) attacks pose a significant threat to web applications that parse XML input. This article outlines effective strategies to protect your systems from XXE vulnerabilities, drawing on recommendations from the Open Web Application Security Project (OWASP) and industry best practices.

Understanding XXE
XXE attacks occur when an XML parser processes external entity references within XML documents. Attackers can exploit these references to access sensitive files, perform denial of service attacks, or execute server-side request forgery.

OWASP Top 10 Context
XXE is listed in the OWASP Top 10 Web Application Security Risks, highlighting its severity and prevalence in modern web applications.

Protection Strategies
Disable XML External Entities: Configure XML parsers to disable external entity p...

DAP-1360U CMDi

TIMELINE
4/07/2020: Report to D-Link
5/07/2020: D-Link security team response - waiting for their verification
15/07/2020: D-Link confirms CMDi, providing a firmware for me to test the fix
18/07/2020: Tested the latest provided firmware, the vulnerability no longer exists.
01/10/2020: Going public - took time cause I've been busy ;)
06/10/2020: CVE-2020-26582

DAP-1360
The D-Link DAP-1360 Wireless N Range Extender can provide your wired network with wireless connectivity, or upgrade your existing wireless network and extend its coverage. The vulnerability was found on H/W Ver. A1, F/W Ver. 2.5.5: the weakness (the CMDi) lies in the ping functionality of the web interface. I was provided with F/W 3.0.1 as the fix.

DAP-1360U - taken from http://www.dlink.ru/il/products/2/2056.html ...