BC FOR LATER READ
Saved by @CodyyyGardner

#Learn365 Day-6: Cross-Site Leaks

Goldmine to Learn: https://t.co/TsqGRWxPq7

Cross-Site Leaks/XS-Leaks is a less explored security issue that usually comes from Side-Channel Attacks. I found this an interesting vector but unusual.

(1/n)

#BugBountyTips #infosec #AppSec

 (2/n)
This basically utilizes the web's core principle of composability in order to determine & extract useful information.

XS-Leaks take advantage of small pieces of information that are exposed during interactions between websites.
(3/n)
Cross-Site Oracle.

This can be considered as a querying mechanism. The information used for this attack is of binary form and called Oracles. It usually has an answer of "Yes" or "No". You can say True or False.
(4/n)
For Example: Does User Harsh Exists in the Application. Yes, means that the user is there in the application.
- An attacker requires to smartly form queries in order to successfully execute this attack and gain hold of sensitive information.
(5/n)
Some of the Attacks using Cross-Site leaks are:

1. XS-Search: An attacker try to abuse the query mechanism such as search functionality to leak and get hold of the user's information.

Remediation
- Same Site Lax Cookies
(6/n)
Usual Exploitation Workflow:

1. Define a timeline when there is a Hit vs Miss
2. Start attacking the Querying Endpoint.
3. For Example: ?search=h (Throws a Hit)
search for the next word appended to `h` i.e. ?search=ha otherwise change the word i.e. ?search=b
(7/n)
2. Error Events

Based on the Error Message returned by the application, it may be possible to enumerate sensitive information. This is similar to user enumeration techniques.

Reference: https://t.co/2iIVT0xei2
(8/n)
3. Frame Counting
The window.length provides the number of frames in the window. This attribute can provide valuable information about a page to an attacker.

References: https://t.co/XjOZL3yiZF
(9/n)
3. Navigation Attacks
Reference: https://t.co/lS3LT80Foa

4. Cache Probing
- Workes based on detecting whether the web page was cached or not.
Ref: https://t.co/ejAdOHaIFG

5. ID Attribute
Ref: https://t.co/11lwLzE2DD
(10/n)

6. Post Message Broadcasts
a. Sharing Sensitive message with untrusted origins
b. Leaking information based on varying content or on the presence of a broadcast

7. Abusing Browser Features
- CORB (Cross-Origin Read Blocking)
- CORP (Cross-Origin Resource Policy)
(n/n)

8. Timing Attacks
- Clock Based
- Network Timing
- Execution Timing
- Hybrid Timing
- Connection Pool

# Referneces
1. https://t.co/byryqh3bql
2. https://t.co/khunvHYDga
3. https://t.co/ssQ39okO55

I'll revisit this attack in near future & will try to find.

More from For later read

Patriot Politics Research II \u2626\U0001f1fa\U0001f1f8\U0001f985
Patriot Politics Resea...
@AWeek2Remember
#AWeekToRemember Thread:

I stumbled across this when I was re-reading old Drops, like we were advised to by 17, and I'll explain why I think this week starting today, is the WEEK TO REMEMBER.

We're all chomping at our bit for arrests.
Most of us have been waiting for awhile now, and ever since President Trump's personal acct was permanently suspended from Twitter, we can almost taste the arrests coming.

Ok, "A Week To Remember" - keep in mind, this would be President Trump's last week in office in his 1st term, thus also why #AWeekToRemember.

• Drop 1357:
- WHAT must happen pre 11.11?
- 11.11 provided as strategic marker.
- Strength = Military
- Justice = Tribunals

I'll explain.


Q: How do you write January Eleventh out as a date in America?

A: 01/11/21

Q: How do we usually shorten it when conversing & given the year is understood?

A: 01/11

Q: Can you see what I see?

A: Now, turn forward slash (/) upright.

Q: Now do you see?

A: 1111 = 11.11
FOR LATER READ
Rob Henderson
Rob Henderson
@robkhenderson
The common understanding of propaganda is that it is intended to brainwash the masses. Supposedly, people get exposed to the same message repeatedly and over time come to believe in whatever nonsense authoritarians want them to believe /1

And yet authoritarians often broadcast silly, unpersuasive propaganda.

Political scientist Haifeng Huang writes that the purpose of propaganda is not to brainwash people, but to instill fear in them /2


When people are bombarded with propaganda everywhere they look, they are reminded of the strength of the regime.

The vast amount of resources authoritarians spend to display their message in every corner of the public square is a costly demonstration of their power /3

In fact, the overt silliness of authoritarian propaganda is part of the point. Propaganda is designed to be silly so that people can instantly recognize it when they see it


Propaganda is intended to instill fear in people, not brainwash them.

The message is: You might not believe in pro-regime values or attitudes. But we will make sure you are too frightened to do anything about it.
FOR LATER READ , ALL
Advertisement
\U0001f1fa\U0001f1f8 Jules \U0001f1fa\U0001f1f8
🇺🇸 Jules 🇺🇸...
@mayweliveasONE
2021 Predictions‼️

Made by James Howard Kunstler

👇🏻👀

Kunstler is said to be one of the best thinkers and authors of our modern era. He’s well known as an expert in energy economics, among other topics.

He is NOT a fan of Trump which makes his predictions even more interesting.

1) The election is re-adjudicated, fraud subtracted from the tally, and President Trump is declared the winner.

2) The mail-in vote for the Georgia Senate seat runoff is disqualified as systematic fraud is revealed. Stacy Abrams is indicted for organizing the fraud.

3) A number of political celebrities, DC swamp rats, K-Street hustlers, media figures, and tech company executives are arrested and charged with serious crimes around election fraud.

4) The CIA is purged and reduced to a strictly analytical role for advising the executive.
FOR LATER READ
Emily\u2661
Emily♡
@ItsEmilyKaty
To the person who thinks that they might be autistic. - a thread. /1

I imagine you have gone your entire life wondering why you are different, why you can't seem to understand things the way that others can and why everything just seems so hard. I'm proud of you for getting this far. /2

Part of you might be thinking:
"But if I was autistic, surely it would've been noticed when I was a kid? So maybe I'm making this up."
So many autistic people aren't diagnosed until they are adults, if diagnosed at all. You would not be the first and you won't be the last. /3

"My family and friends don't think that I could be autistic."
People's understandings of autism tend to be based off of the media, which doesn't show every possible presentation of autism, or based off of someone they know, and all autistic people present differently. /4

People's perceptions of autism can also be based off stereotypes, for example, "autistic people can't make eye contact, so you can't be autistic." While this is true for some, it isn't for all, so you can begin to see how one presentation of autism can't possibly fit everyone. /5
FOR LATER READ , ALL
Paul Bernal
Paul Bernal
@PaulbernalUK
A short thread on one aspect of trolling on here, from my recent experience. I’ve got a fair number of followers. I tweet about controversial topics - and yet I don’t get trolled that much. A bit, but not thatmuch. There are times, though, that I *do* get trolled a lot. 1/n

The pattern is pretty clear, and has been played out a few times over the last few days. I get into a conversation about a topic that could be considered race-related. Empire. Immigration. Something like that. And that conversation includes a highish profile BAME person. 2/n

More often than not, a BAME woman. In those cases, it takes very little time for the trolls to come steaming in. Most of them seemingly rational, taking issue with some technical point, but quickly descending into something much worse. 3/n

When I look at the profiles of the trolls, they’re often relatively innocuous. Not saying ‘Hey, I’m a racist troll, a white supremacist’ at all. Not likely to be caught by any kind of anti-troll measures. Instead, they look relatively normal. 4/n

But what happens is very much about racism, and often misogyny. Attacks that are - or appear to be - not that dramatic on their own. Not rape threats or death threats, or ‘go home’ or things like that, but designed to undermine, to disturb, to annoy - but with an undercurrent 5/n
FOR LATER READ

You May Also Like

RadioChinar
RadioChinar
@RadioChinar
Demystifying Ghazwa-e-Hind. A #thread.

A recent video of Shoaid Akhter surfaced in social media creating a lot of controversy where the #Pakistani Cricketer can be seen suggesting invasion of India by using the term Ghazwa-e-Hind.
Radicalization of sportsmen seen off late
(1/10)


Some radical Islamic preachers believes that Ghazwa-e-Hind means a “Holy War against India”. As per this irrational & profane concept, there will be a fierce battle to secure victory over #India.
#Kashmir
(2/10)


#Pakistan-based terror groups, like JeM have been using Ghazwa-e-Hind as a Hadith to recruit, fund and justify its terror strikes as a religious holy war against #India.
#Kashmir
(3/10)


Some machiavellian people claim it is a prophecy that Muslim warriors will wage war against the #India.
Jaish & others falsely propagate that Jihad against India is considered holy in Islam & that those participating in it will be granted an easy entry into paradise.
(4/10)


However prolific scholars says that this is a made-up interpretation of some verse in The Holy Quran to mislead the gullible youth of #Pakistan into picking up arms and fighting its Army's personal battle against #India.
#Kashmir
(5/10)
SOCIETY
John Myles White
John Myles White
@johnmyleswhite
This post is pretty bizarre, but it manages to hit on so many false beliefs that I've seen hurt junior data scientists that it deserves some explicit

(1) The notion that R is well-suited to "building web applications" seems totally out of left field. I don't feel like most R loyalists think this is a good idea, but it's worth calling out that no normal company will be glad you wrote your entire web app in R.

(2) It is true that Python had some issues historically with the 2-to-3 transition, but it's not such a big deal these days. On the flip side, I have found interesting R code that doesn't run in modern R interpreters because of changes in core operations (e.g. assignment syntax).

(3) "Most of the time we only need a latest, working interpreter with the latest packages to run the code" -- this is where things get real and reveal some things that hurt data scientists. If this sentence is true, it's likely because you don't share code with coworkers.

(3) Really is a broader issue in data science: people only think of what they need to do their work if no one else existed and code was never maintained. Junior data scientists almost always operate on projects they start from scratch and don't have to maintain for long.
DATA SCIENCE
Advertisement
Novid Houellebecq (That's Hollaback)
Novid Houellebecq (Tha...
@GarouGothic
Ok, here is a thread for you.
What happens when you have:
Netflix
Apple
Amazon
WarnerMedia +
Disney+
SonyCrackle (Reboot)
Verizon All Access (after they buy CBS/Viacom)
UniversalSkyMedia
By 2021
Answer? Internet Slows To A Craw and Dies.
Why?
Bandwidth.

Netflix's gets 35% of all internet traffic.
Now we all know Apple Coming to Netflix Corner.
We know that WarnerMedia Planning One
We Know about Disney+
Now how will the net handle 8 Streaming Platforms all at once?
Answer - IT CANT.

But Novid, the speed, the 4K the all everything?
NOOOOO BUDDY.
Even if you could do it and even if AWS ran six million clouds, The Net Will still slow to a crawl. 35%, goes to nearly 90% if any of the 8 or all of the 8 eat at netflix's numbers.

Oh, they wouldn't be running at once.
FOOL. You forget how bad things were when game of thrones season premieres came around. HBO SERVERS FALL DOWN GO BOOM!

Now see if a season like 2021 come around and they air shows on a same day. It gets crazy. AT&T and others gonna realize they cant build out forever. Something will give and it might be your entertainment consumption big time.
TECH
Conviction | Patience
Conviction | Patience
@unseenvalue
H was always unseen in S2NL :)

Those who exited at 1500 needed money. They can always come back near 969. Those who exited at 230 also needed money. They can come back near 95.

Those who sold L @ 660 can always come back at 360. Those who sold S last week can be back @ 301
UVLEARNINGS
Anu Satheesh \U0001f1ee\U0001f1f3
Anu Satheesh 🇮🇳...
@AnuSatheesh5
Samayapuram Mariamman Temple
#Trichy
#Tamilnadutemples 🚩

Samayapuram Mariamman Temple is located in Samayapuram of
 Tiruchirappalli district.  Mariyamman here is worshipped as Samayapurathal a form of Parashakti.
Amman vigraham here is made of sand and clay so


no abhishekam done to the main vigraham. Samayapuram Mariamman Temple is one of the famous Shakthi Sthal of Tamilnadu.

Story says that paramashiva created Kali, out of the poison that he drank during samudra mathanam.  As Devi originated from the Kaalakoota/ halahala poison,


thus the name Kaali. Mariamman is believed to be a form of Kaali, and is also known as Mahamayi. It is also believed that Maharaja Dasharatha offered his prayers here.

Mariamman is Parashakti herself who blesses with prosperity and she is believed to cure all diseases.


Paramashiva, Mahavishnu and Brahma Deva are believed to have taken blessings of Mariamman here.

Om Shakti Para Shakti
🙏🕉🙏
ALL