Hacking, AppSec, and Bug Bounty newsletter
2017-08-16 | Unit 42, DOM based XSS, and ReactJS script injection flaws
Wednesday, August 16
Happy hump day :)
Palo Alto Networks Unit 42 believes that North-Korea linked groups are making new attacks on U.S. Military Contractors. See: The Blockbuster Saga Continues
DOM Based XSS In mercantile.wordpress.org [15 upvotes] - $250 bounty for this report to WordPress by @pabster. Always nice to see that “bonus” bounty.
[parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/ [8 upvotes] - $200 bounty for this report to Grab Taxi by @vagg-a-bond. Great usage of the CVSS calculator (and paying close attention to the company’s security policy). Well done!
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
Cyber-insurance is purchased by CFOs from brokers, neither w/ InfoSec exp. Soon cyber-insurance will be sold to CISOs by InfoSec sales reps. - @jeremiahgrossman
OTHER ARTICLES WE’RE READING
How to make your own USB Rubber Ducky
Scottish Parliament hit by cyber attack in Westminster-like assault
Live Overflow: Reverse engineering PopUnder trick for Chrome 60
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
As it turns out, ReactJS is quite safe by design as long as it is used the way it’s meant to be used. For example, string variables in views are escaped automatically. However, as with all good things in life, it’s not impossible to mess things up. Script injection issues can result from bad programming practices…