In Python 3.8+, support for system auditing hooks was added. System auditing uses two main functions:
sys.addaudithook: accepts a callable to execute when auditing events are raised anywhere in the current Python interpreter.
As part of my research into P2P software, I decided to give OpenBazaar (1.0) a quick look over to see if I could catch any security issues. (This was not an audit, just a short examination).
One of the first places I checked for security flaws was OpenBazaar's back-end API server (which comes with the desktop client), which uses HTTP. I examined the API server for CSRF issues, because in my experience other native software that uses web technologies suffers from them.
...Recently I have been researching security of consumer Internet and WiFi routers.
I knew that key reuse was an issue in device firmware, but the issue is more widespread in routers than I would have guessed. Default & current (at time of writing) versions of firmware for most if not all Netgear, Linksys, and perhaps other router brands reuse TLS keys for their web management interface.
TLS for remote router management is already 'broken' since certificates are not usually valid, and few users understand how to manually verify certificate fingerprints. Even if users verify fingerprints, they will have a false sense of security since reused TLS keys provide zero protection, while still appearing to be secure.
...Gandi.net, a popular domain registrar and hosting provider used by somewhat high profile organizations, such as the EFF and Free Software Foundation, had an XSS vulnerability on its main domain name (www.gandi.net).
This also happens to be where domain DNS settings are managed, along with other account settings and server hosting.
...An often overlooked feature of SVGs is their ability to have embedded scripts, like HTML pages.
When displayed in an <img> tag, SVGs are not permitted to execute scripts; when they are viewed directly, however, they are.
...This is a bit of a different post from what I usually write about, but hopefully those who are interested in programming, Linux, or Minecraft will enjoy it.
Despite being a building game, Minecraft is often praised for its circuitry features and mods that allow people to learn and apply computer science principles while having fun in the game.
...Telnet wasn't all bad. Simple socket servers are handy for debugging or remote access purposes, but sadly telnet is insecure, having no encryption. SSH is a viable alternative, but it is a little bloated and is different on various platforms.
...IPFS is a distributed file system network that uses hashes to look up, verify, and track content.
...qBittorrent and uTorrent are both popular torrent clients with fairly similar features. For example, both have an included web interface.
This post will focus on qBittorrent, since it is open source & has fixed the issues mentioned below.
...Developers often publicly release code that is barely tested, or meant for personal use, such as quick scripts or weekend experiments.
Oftentimes they assume that no one will have any interest, only to later discover dozens, perhaps hundreds of stars and users.
...This is part 3 in my series of exploits in I2P/related software, I recommend reading the 1st and 2nd posts first.
As I continued testing I2P software, I discovered the most severe vulnerability yet, once again within I2P-Bote, a distributed email system for I2P.
...I2P-Bote is an experimental anonymous decentralized “email” system that is distributed as a plugin for I2P.
...One of the most common security oversights in web development is using target='_blank' on links, or window.open() in JavaScript, for 3rd party links.
X-Forwarded-For and similar headers are not official, but they are the de-facto standard client HTTP request headers for non-transparent proxies. They are usually sent in HTTP requests.
...MIT App Inventor is primarily an educational block-based programming tool used to introduce young people to programming and app design, using a web interface and companion app for live testing.