BC FOR LATER READ
Saved by @CodyyyGardner

#Learn365 Day-6: Cross-Site Leaks

Goldmine to Learn: https://t.co/TsqGRWxPq7

Cross-Site Leaks/XS-Leaks is a less explored security issue that usually comes from Side-Channel Attacks. I found this an interesting vector but unusual.

(1/n)

#BugBountyTips #infosec #AppSec

 (2/n)
This basically utilizes the web's core principle of composability in order to determine & extract useful information.

XS-Leaks take advantage of small pieces of information that are exposed during interactions between websites.
(3/n)
Cross-Site Oracle.

This can be considered as a querying mechanism. The information used for this attack is of binary form and called Oracles. It usually has an answer of "Yes" or "No". You can say True or False.
(4/n)
For Example: Does User Harsh Exists in the Application. Yes, means that the user is there in the application.
- An attacker requires to smartly form queries in order to successfully execute this attack and gain hold of sensitive information.
(5/n)
Some of the Attacks using Cross-Site leaks are:

1. XS-Search: An attacker try to abuse the query mechanism such as search functionality to leak and get hold of the user's information.

Remediation
- Same Site Lax Cookies
(6/n)
Usual Exploitation Workflow:

1. Define a timeline when there is a Hit vs Miss
2. Start attacking the Querying Endpoint.
3. For Example: ?search=h (Throws a Hit)
search for the next word appended to `h` i.e. ?search=ha otherwise change the word i.e. ?search=b
(7/n)
2. Error Events

Based on the Error Message returned by the application, it may be possible to enumerate sensitive information. This is similar to user enumeration techniques.

Reference: https://t.co/2iIVT0xei2
(8/n)
3. Frame Counting
The window.length provides the number of frames in the window. This attribute can provide valuable information about a page to an attacker.

References: https://t.co/XjOZL3yiZF
(9/n)
3. Navigation Attacks
Reference: https://t.co/lS3LT80Foa

4. Cache Probing
- Workes based on detecting whether the web page was cached or not.
Ref: https://t.co/ejAdOHaIFG

5. ID Attribute
Ref: https://t.co/11lwLzE2DD
(10/n)

6. Post Message Broadcasts
a. Sharing Sensitive message with untrusted origins
b. Leaking information based on varying content or on the presence of a broadcast

7. Abusing Browser Features
- CORB (Cross-Origin Read Blocking)
- CORP (Cross-Origin Resource Policy)
(n/n)

8. Timing Attacks
- Clock Based
- Network Timing
- Execution Timing
- Hybrid Timing
- Connection Pool

# Referneces
1. https://t.co/byryqh3bql
2. https://t.co/khunvHYDga
3. https://t.co/ssQ39okO55

I'll revisit this attack in near future & will try to find.

More from For later read

Adrian Yalland
Adrian Yalland
@AdrianYalland
A statement about Stephanie Hayden.

In January I became aware that Ms Hayden (who monitors this account despite being blocked) had made a series of defamatory allegations about myself and my wife.

The allegations were made on Twitter, via Hayden’s account, and were widely retweeted.

The allegations were that as a result of her making a police complaint, (1) the police were seeking to urgently speak to me.

Furthermore (2) that police has spoken to me on 26/12/20 and offered some kind of “robust” advice about my conduct on and off line.

Finally (3) that police attended my home address in November, where my wife mislead them as to my whereabouts.

Hayden commented about this at length on Twitter, said that both and I am my wife had lied, and that I had even given a false address in Hampshire.

I said at the time all the allegations were false.

The police “complaint” was nothing more than Hayden making yet another vexatious complaint to the police, as Hayden routinely does.

The police did not speak to me on 26/12/20, as alleged, or at all.
FOR LATER READ
John Cutler
John Cutler
@johncutlefish
"The engineers on my team just want to code. They don't want to have anything to do with product. They just want specs. What do I do?"

1/n Are you asking them do to X *and* do their "day job" as defined by their managers (and frankly your roadmap) ?

If so, start there...

2/n Do they have a reason to believe that doing X will in any way improve the quality of the product and make their lives easier? Have they ever seen X "work" ?

Show don't tell.

3/n Is there average day/week a quagmire of unnecessary meetings, wading through tech debt, struggling to get *anything* to work ... and jumping through process hoops to prove their worth?

If so...no they will not have bandwidth.

4/n How do incentives work on the engineering team? Maybe they want to help, but their "grade" is determined by something altogether different.

"I'd love to, but I am on the hook to deliver [some project] this quarter to make a good impression..."

Talk to eng management.

5/n Have they had any time to practice?

Or did they get thrown into the deep end the first time they were given a shot ... expected to brainstorm on demand, be as vocal as practiced PdMs and designers, and "participate" !

Make it safe to practice. Reasonable expectations.
FOR LATER READ , TECH
Advertisement
Venkatesh Rao
Venkatesh Rao
@vgr
stacks are eating the world

business used to be easiest to comprehend via a) market-based logic of horizontal vs. vertical STRUCTURE, b) professionalization/specialization based FUNCTION c) core competencies based BEHAVIORS

this has pretty much collapsed in the last decade

Structure = sclerosis
Functional specialization = bureaucracy
competencies = inertial habits

"Stack" thinking instead lets technology structure (rather than market structure) drive business org logic

Companies seem to do well when they identify an entire stack of technologies they are good at (not just point bits) and organize to conform to its logic. There is a "full-stack" dimension of technical specialization that is the spine of the org

It feels buzzwordy, but it really is getting to be that way. AI stack, decarbonization stack, mobility stack, electrification stack... some end-to-end pathway of turning physics into economics via layers of tech artistically baked together like a cake
CRYPTO , FOR LATER READ
Lyman Stone \u77f3\u4f86\u6c11
Lyman Stone 石來民...
@lymanstoneky
the strange reality of strict calvinism is that it makes a mockery of God's claims to hate, abhort, or even be theoretically opposed to evil

the calvinist solution to the problem of evil, which I have *literally heard from the lips of a faithful well-catechized Presbyterian* is, "well, all that happens is God's will, and to do His will is to manifest goodness, and goodness gives God joy, so God must rejoice in evil"

The hypothetical I gave was, "Suppose that there was a city of Christians, and a bomber flew over the city, and the guy at the controls tripped and accidentally armed and dropped a bomb, and wiped out the city: is that God's will? What does God think of that?"

His answer in addition to the above cited the Flood, Soddom, and Nineveh.

Because we all know that God's response to the Flood was, "I REALLY liked that, it was AWESOME, it satisfied my will and purposes to obliterate my creation!"

Once you have drunk the "but muh sovrintee" Kool-Aid you cannot escape the argument that literally everything that happens is not just God's will in some philosophical sense, but His will in the sense of "things that bring him pleasure."
FOR LATER READ
GAVNet
GAVNet
@GAValueNetwork
Daily Bookmarks to GAVNet 02/13/2021

Claudia Sahm on Twitter and ThreadReader

https://t.co/UNH4NEks6h

https://t.co/kFdktm5eeu

#UnemploymentBenefits #EconomicRecovery #StimulusChecks #PandemicResponse
FOR LATER READ

You May Also Like

Suchi Sharma
Suchi Sharma
@Suchi_sharma_
Yantrodharaka Anjaneya Temple, Hampi, Karnataka.

This temple dedicated to pawanputra Hanuman, near the banks of Tungabhadra river was built by dwaita philosopher and rajguru of the Vijayanagar empire, Sri Vyasaraja around +500 years ago.


:It is only in this temple that Hanuman appears in a prayer position. In this image, Bhagwan Hanuman’s crown has been formed by his tail.12 monkeys have been carved around this amulet.


:They represent the 12 days Sri Vyasaraja prayed to Hanuman ji. Each monkey holds the tail of the monkey in front of him but is facing backward. Seed syllables have also been carved around the amulet.


:It is believed that Sri Vyasaraja used to draw a picture of lord Hanuman here on the rocks before offering prayers using charcoal and the sketch disappeared after prayers.This incidence happened for 12 days in a row until he pleaded to bhagwan to appear in front of him.


On the 12th day, Hanuman ji appeared in front of Sri Vyasaraja and blessed him. Hanuman asked Sri Vyasaraja to constrain him in a hexagonal amulet & install him in that place.
ALL
Antonio Garc\xeda Mart\xednez
Antonio García Martíne...
@antoniogm
Ok, I'll hop on this Elizabeth Warren/Native American testing bandwagon (gently and non-politically).

I've been a @23andMe customer for a while, and have followed their ancestry updates closely.

All is more or less as expected....except for this bit about Native American.


The family is almost completely composed of Spanish peasants (from various regions) who emigrated, along with a massive wave in the late 19th-cent./early 20th-cent., to Cuba back when it was a booming economy (richer than Spain's) and worth emigrating to (Communism killed that).

Also, the native population of Cuba was annihilated early on---was the first place the Spanish colonized after all. Having a native background in Cuba would be like having the same in, say, Massachusetts, particularly if you're (say) mostly Irish. Just really, really unlikely.

(Note: the North African/Arab background is less mysterious. The Iberian peninsula was part of the Muslim world for centuries. It would be odd *not* to have some Arab/Middle Eastern background coming from Spain. Given the family is mostly from Northern Spain, it's small though.)

I have a Spanish passport, have been back to the ancestral villages in Spain, seen the church where my grandmother was baptized, my grandfather told me stories about growing up as the child of Spanish colonists in rural Cuba. The native bit just clashes with all the family lore.
ALL
Advertisement
Aditya Todmal
Aditya Todmal
@AdityaTodmal
MASTER THREAD on Short Strangles.

Curated the best tweets from the best traders who are exceptional at managing strangles.

• Positional Strangles
• Intraday Strangles
• Position Sizing
• How to do Adjustments
• Plenty of Examples
• When to avoid
• Exit Criteria

How to sell Strangles in weekly expiry as explained by boss himself. @Mitesh_Engr

• When to sell
• How to do Adjustments
• Exit


Beautiful explanation on positional option selling by @Mitesh_Engr
Sir on how to sell low premium strangles yourself without paying anyone. This is a free mini course in


1st Live example of managing a strangle by Mitesh Sir. @Mitesh_Engr

• Sold Strangles 20% cap used
• Added 20% cap more when in profit
• Booked profitable leg and rolled up
• Kept rolling up profitable leg
• Booked loss in calls
• Sold only


2nd example by @Mitesh_Engr Sir on converting a directional trade into strangles. Option Sellers can use this for consistent profit.

• Identified a reversal and sold puts

• Puts decayed a lot

• When achieved 2% profit through puts then sold
OPTIONSLEARNINGS , ALL , OPTIONS STRATEGY
Elon Musk\u2019s Meme \U0001f171\ufe0fot
Elon Musk’s Meme 🅱️ot...
@theMemesBot
Thats a gg, Satan
FUN
Vibhu Vashisth
Vibhu Vashisth
@VIBHU_Tweet
RISHI PINGALA:THE ANCIENT INDIAN SAGE DISCREDITED FOR HIS MAJOR CONTRIBUTIONS TO MATHEMATICS & PHI

Have you ever heard about,"The Golden Ratio"?
The Golden Ratio or Phi(Greek) is a mathematical ratio of nature. Mother Nature is the most exquisite artist in herself.


&Its this Phi she uses to create all the beauty in World.
If anyone uses this ratio correctly in their art,it can turn into a spell-binding piece of work.Such is the significance of'Phi'.But my thread isn't about it.Its about somethin called'Fibonacci Series'&who actually made it


Phi is related to Fibonacci series(0,1,1,2,3,5,8,13,21,34...)
&this series is responsible for everything dat is beautiful on this planet. Just try to calculate the ratio of any 2 successive numbers ÷ each of them by the number before it in above infinite series.

E.g. 3/2=1.5, 5/3=1.666, 8/5=1.6, 34/21=1.61904 and so on. Did you notice something? The ratio is coming almost same every time. This ratio is called 'Phi 'which is numerically represented as 1:1.618. This Golden Spiral is made in exact proportion of 1:1.618.


The thing I want to emphasize here is that we always find only those things appealing and attractive that have Phi. It's in our subconscious. Isn't it some revelation? We are the part of this Divine proportion of the God or the Mother Nature. Check these:
ALL