今日已更新 156 条资讯 | 累计 20626 条内容
关于我们

标签:#Security

找到 677 篇相关文章

AI 资讯

Web Security Basics Every Developer Must Know (2026)

Web Security Basics Every Developer Must Know (2026) Security isn't just for security teams. Every developer needs these fundamentals to protect their applications and users. The Threat Landscape in 2026 Most common attacks targeting web apps: 1. SQL Injection — Still #1, still devastating 2. XSS (Cross-Site Scripting) — Steals sessions, defaces sites 3. CSRF (Cross-Site Request Forgery) — Actions on behalf of users 4. Authentication bypass — Weak passwords, session fixation 5. Sensitive data exposure — API keys in code, unencrypted data 6. IDOR (Broken Access Control) — Accessing others' data 7. SSRF (Server-Side Request Forgery) — Internal network probing 8. Dependency vulnerabilities — Compromised npm/pip packages Key principle: Defense in depth → Don't rely on one security layer → Multiple independent controls → If one fails, others catch it #1 SQL Injection Prevention // ❌ VULNERABLE: String concatenation const query = `SELECT * FROM users WHERE email = ' ${ email } '` ; // Attacker inputs: ' OR '1'='1' -- // Result: Returns ALL users! // ✅ Parameterized queries (always!) const user = db . prepare ( ' SELECT * FROM users WHERE email = ? ' ). get ( email ); // The database treats the input as DATA, not code. // With ORM (Sequelize/TypeORM/Prisma): User . findOne ({ where : { email } }); // Safe by default // Even with parameterized queries, validate input first: function isValidEmail ( email ) { return /^ [^\s @ ] +@ [^\s @ ] + \.[^\s @ ] +$/ . test ( email ); } if ( ! isValidEmail ( email )) return res . status ( 400 ). json ({ error : ' Invalid email ' }); // ⚠️ Dangerous: Dynamic table/column names can't be parameterized! const allowedTables = [ ' users ' , ' products ' , ' orders ' ]; if ( ! allowedTables . includes ( table )) throw new Error ( ' Invalid table ' ); #2 XSS (Cross-Site Scripting) Defense // Types of XSS: // 1. Stored XSS: Malicious script saved in DB, shown to all viewers // → Comment sections, profiles, product reviews // 2. Reflected XSS: Sc

2026-06-02 原文 →
AI 资讯

How to Renew an Apache SSL Certificate with Restricted SSH and WinSCP Permissions

When managing production enterprise infrastructure, you rarely have direct root access via SFTP or SSH for security reasons. Instead, you often have to navigate multi-layered permissions—logging in as a standard user, transferring files locally, and escalating privileges via CLI to finalize configurations. In this tutorial, we will walk through the step-by-step procedure to safely renew an Apache SSL certificate under a restricted environment where WinSCP access is limited to a non-root user (sysops), requiring command-line intervention to complete the installation. Prerequisites A target Apache web server (CentOS/RHEL-based configuration using /etc/httpd/). A standard user account (sysops) with sudo privileges. The new SSL certificate (.crt) and CA bundle/chain file ready on your local machine. Step 1: Backup Existing Certificates Before making any changes to production security files, always back up the working configuration. Access the server via PuTTY using the sysops account, and switch to the root user or use sudo to create a backup of your existing keys: sudo cp /etc/httpd/server.crt /etc/httpd/server.crt.bak sudo cp /etc/httpd/server.key /etc/httpd/server.key.bak Step 2: Stage the New Certificates via WinSCP Because your WinSCP session cannot log in directly as root, you must stage the files in a directory your user owns. Open WinSCP and log in using your sysops credentials. Upload your new certificate files (nouveau_certificat.crt and nouveau_certificat_chain.pem) directly into your home directory: /home/sysops/. Step 3: Install and Replace the Certificates Now, return to your terminal session (PuTTY) to move the files from your staging directory to the protected Apache directory using elevated privileges. Copy the new primary certificate sudo cp /home/sysops/nouveau_certificat.crt /etc/httpd/server.crt Copy the new certificate chain / CA bundle sudo cp /home/sysops/nouveau_certificat_chain.pem /etc/httpd/server-ca.crt Step 4: Verify Permissions and Ownersh

2026-06-02 原文 →
AI 资讯

Meta’s own AI was exploited to hijack Instagram accounts

Meta's AI support chatbot helped hackers hijack Instagram accounts, as reported earlier by 404 Media. In a video shared on Telegram, a hacker shows how they could take over an account by asking Meta's chatbot to switch the email associated with someone else's profile and then reset the password. The issue, which Meta says has […]

2026-06-02 原文 →
AI 资讯

Device Code Flow: The Overlooked Phishing Vector (And How to Block It)

Device Code Flow abuse is not a new technique. Security teams have known for some time that this OAuth feature can be leveraged in phishing attacks to obtain tokens without stealing credentials. What is new is how accessible and scalable this attack has become. In April 2026, the FBI warned about a Phishing-as-a-Service (PhaaS) platform called Kali365, which operationalizes this exact technique. It allows even low-skilled attackers to run campaigns that trick users into entering device codes on legitimate Microsoft login pages — ultimately granting attackers OAuth tokens and acess to Microsoft 365 environments without triggering traditional authentication defenses. How Device Code Flow Works Device code flow is an authentication method designed for scenarios where a device has limited input options or lacks a convenient browser interface (such as smart TVs, IoT devices, or command-line tools). Instead of entering credentials directly on the device, the application generates a verification code and displays it. The user then switches to a secondary device (such as a laptop or smartphone), navigates to https://microsoft.com/devicelogin , and enters the provided code. After successfully authenticating, the identity provider securely links the session and grants the original device access to the requested resource. Why Device Code Flow Should Be Restricted In practice, many organizations don’t have a real or current business need for device code flow, yet leave it enabled—unnecessarily expanding their attack surface. Disabling it helps reduce exposure by removing a legacy or rarely used authentication path and reinforces modern controls. Microsoft recommends getting as close as possible to a full block. Start by auditing existing usage, validate whether any legitimate scenarios still require it, and strictly limit access only to well-defined, secured, and documented use cases (e.g., specific legacy tools). In all other cases, device code flow should be disabled by defau

2026-06-01 原文 →
AI 资讯

A Trailing Slash Bypassed AWS API Gateway Authorization

A security researcher found that adding a trailing slash to AWS HTTP API paths bypassed Lambda authorizer authentication entirely, enabling unauthenticated wire transfers at a fintech. The root cause is a path normalization mismatch between HTTP API's greedy route matching and its authorization layer. The same vulnerability class appeared in gRPC-Go via CVE-2026-33186. By Steef-Jan Wiggers

2026-06-01 原文 →
AI 资讯

It ran it works: I audited my own security platform and found a detection engine that never ran

I build a security platform. Last night I stopped adding features and did something less fun and more honest: I sat down to make every capability prove it actually works — end to end, with real data, demanding a real pass or fail. "It ran" is not a pass. A page that renders is not a feature. A green checkmark is a claim, not evidence. So I went capability by capability and tried to break each one. I found four real bugs and one of them was a gut-punch: a whole detection engine that was wired into the UI, unit-tested, and never actually ran in production. Here's how the night went. The rule: drive it, don't admire it My method was boring on purpose. For each capability: Feed it real input through the real entry point (CLI or API), not a test fixture. Check the data actually landed (query the DB, don't trust the success message). Feed it a malicious input and a benign input — it has to fire on one and stay quiet on the other. The detection engine passed cleanly. I threw a PsExec process event at it and it lit up: $ zds-core detection eval --event '{"event_type":"process_create","process_name":"psexec.exe"}' 1 alert ( s ) : [ high] PsExec Execution — ( matched: map[process_name:psexec.exe] ) A wevtutil cl Security event tripped a critical "Log Clearing" rule. A plain notepad.exe matched nothing. Good — it detects, and it doesn't cry wolf. (Small UX papercut I fixed while I was there: if you forgot the event_type field, the engine silently matched nothing and printed "no rules matched" — which reads exactly like "you're safe." Now it warns you that the event can't match any rule. Silence that looks like safety is the most dangerous output a security tool can produce.) The one that hurt: ITDR Identity Threat Detection and Response. The engine has detectors for impossible travel, credential spraying, brute force, privilege escalation. All unit-tested. All green. I ran the real flow: POST two login events for one user — New York, then London thirty minutes later. That's ~5

2026-06-01 原文 →
AI 资讯

How I passed the AWS Security Specialty and how you can too

Introduction to AWS certifications First things first, lets understand what the AWS Security Specialty certification is and where it fits in the AWS certification ecosystem. AWS certifications are divided into levels, each one targeting a different stage of your journey: Practitioner Associate Professional Specialty The practitioner level is where most people start. It focuses on foundational cloud concepts and basic AWS knowledge. As of today, there are two certifications at this level: AWS Cloud Practitioner AWS AI Practitioner The Cloud Practitioner covers core concepts like IAM, security, availability, pricing, and general cloud architecture. The AI Practitioner follows a similar structure, but focused on AI concepts and AWS AI services. The associate level is where things start to get more practical. At this level, you are expected to understand how to design and build solutions using AWS services. Some well-known certifications here are: Solutions Architect Associate Developer Associate SysOps Administrator The professional level goes much deeper. Here, you are expected to design complex architectures, handle trade offs, and make decisions based on real world constraints. The main certifications are: Solutions Architect Professional DevOps Engineer Professional Finally, we have the specialty certifications. These are focused on specific domains and require deep knowledge in a particular area. Examples include: Security Specialty Machine Learning Specialty (Retired) Advanced Networking Specialty And this is exactly where things start to get serious. At this level, AWS is no longer testing if you understand the services. It's testing if you can actually apply them in complex, real world scenarios. What it is and who this certification is for The AWS Security Specialty is one of the most difficult certifications in your AWS journey. This exam expects that you already know the basics and are comfortable with complex and long detailed scenarios that you often come

2026-06-01 原文 →
AI 资讯

Your MCP servers can read your SSH keys. Anthropic just fixed that.

Every MCP server you run locally executes with your full filesystem and network permissions. That means the GitHub MCP server, the Slack one, that third-party tool you installed from npm last week — all of them can read your SSH keys, .env files, and credential stores by default. Anthropic just open-sourced the fix: sandbox-runtime , the sandboxing layer they built for Claude Code. One-line wrap, no Docker, OS-level enforcement. What actually changed srt (the Sandbox Runtime CLI) enforces filesystem and network restrictions on any process using native OS primitives: macOS : Uses sandbox-exec with dynamically generated Seatbelt profiles Linux : Uses bubblewrap for containerization + network namespace isolation Network filtering : HTTP/HTTPS traffic routes through an HTTP proxy; other TCP goes through SOCKS5 — both enforce your domain allowlists Install it: npm install -g @anthropic-ai/sandbox-runtime Wrap an MCP server in your .mcp.json — change command from npx to srt , move the rest to args : { "mcpServers" : { "filesystem" : { "command" : "srt" , "args" : [ "npx" , "-y" , "@modelcontextprotocol/server-filesystem" ] } } } Then configure what the process is actually allowed to touch in ~/.srt-settings.json : { "filesystem" : { "denyRead" : [ "~/.ssh" ], "allowWrite" : [ "." ], "denyWrite" : [ "~/sensitive-folder" ] }, "network" : { "allowedDomains" : [ "api.github.com" , "*.npmjs.org" ] } } The result: the MCP server can work in your project directory, talk to the domains it needs, and nothing else. Why this matters The threat model is real. An MCP server running compromised code — or simply a server with more ambient access than it needs — can exfiltrate your SSH keys, read your .env files, or phone home to arbitrary hosts. This isn't theoretical; it's the same class of supply-chain risk that exists for any untrusted npm package, except MCP servers are typically long-running processes with broad system access. srt is designed secure-by-default : processes start wit

2026-06-01 原文 →
AI 资讯

JWT Explained: What's Actually Inside That Token (with a free decoder)

If you've ever worked with auth, you've seen a JWT — a long string like eyJhbGci... split into three parts by dots. It looks cryptic, but it's surprisingly simple once you see inside. A JWT has three parts header.payload.signature Header – tells you the signing algorithm, e.g. {"alg":"HS256","typ":"JWT"} Payload – the claims (the actual data), e.g. {"sub":"123","name":"John","iat":1516239022} Signature – verifies the token wasn't tampered with (needs the secret/key) The header and payload are just Base64url-encoded JSON — not encrypted. That means anyone can read them. So: ⚠️ Never put secrets in a JWT payload. It's signed, not hidden. Decoding one yourself You can decode the payload in the browser console: const [, payload ] = token . split ( " . " ); console . log ( JSON . parse ( atob ( payload ))); Or, if you just want to paste a token and instantly see the header + payload (without sending it to a server), I built a free decoder that runs entirely in your browser: https://forgly.dev/tools/jwt-decoder Decoding ≠ verifying Reading a JWT is trivial. Trusting it is not — you must verify the signature on your server with the secret/public key before relying on any claim. Decoding just lets you inspect what's there. That's the whole mental model: a JWT is a readable, signed envelope — not a locked box.

2026-05-31 原文 →
AI 资讯

The Principle of Least Privilege: Operational Speed's Security Cost

The Principle of Least Privilege: Operational Speed's Security Cost While developing a production ERP, delayed shipment reports were always a headache. One of the main reasons behind incomplete reports was the complexity of privilege layers in the system and, often, excessive permissions granted. In this post, I will delve into the costs we pay when we stretch security boundaries in an effort to gain operational speed. The principle of least privilege is more than just a security concept; it's critically important for operational efficiency and system stability. In this article, I will explain the impact of the principle of least privilege on operational speed, the security risks it entails, and how I've tried to strike this balance with concrete examples from my practical experience. My goal is to move beyond superficial definitions and dive deep into this topic based on my real-world field experiences, providing actionable insights to readers. Why Does the Principle of Least Privilege Seem to Hinder Operational Speed? The general tendency is to provide instant access to all relevant tools and data to speed up a task. This can be appealing, especially in an emergency or before a critical delivery. However, the Principle of Least Privilege (PoLP) advocates the opposite: a user or system component should have the absolute minimum privileges required to perform its task. This might initially seem to slow down operational processes. For example, a development team having unlimited SELECT rights to a production database might facilitate running an urgent query. However, the same developer could accidentally run UPDATE or DELETE commands, causing serious damage to the system. Such an incident, instead of speeding up a query in the short term, could lead to hours of downtime and data loss. This is where the long-term risk posed by operational speed, which PoLP is thought to hinder, becomes apparent. Another example is a system administrator frequently using the sudo su co

2026-05-31 原文 →
AI 资讯

Claude vs Gemini Across 4 Security Domains: A Dead Heat — and the Hardening 63% of AI Code Skips

The interesting result isn't who won. It's that across four security domains, Claude and Gemini missed the same hardening steps — and if you've shipped AI-generated auth middleware this year, your code almost certainly has the same gaps, and your review didn't catch them either. For the record, the scoreboard: one Gemini win, two ties, one split — a statistical dead heat. That's the last time the winner matters in this article. Here's the number that should bother you more than any leaderboard: across 700 AI-generated functions scored by the rules I'm about to use, 63% shipped a vulnerability . So "which model writes more secure code?" is mostly the wrong question — I've run that leaderboard myself and argued it's the wrong frame. But people keep asking it, so I ran it properly — on the ESLint security plugins I wrote specifically to catch these bugs, each mapped to a CWE — to show you what actually matters. The setup Four domains, four of my plugins. For each, the same feature-only prompt (no "make it secure" hint — that's how people actually use these tools), generated once by Gemini 2.5 Flash via the Gemini CLI and once by Claude Sonnet 4.6 via the Claude CLI , then linted with the domain's plugin on recommended . Method honesty: this is Gemini Flash vs Claude Sonnet — the comparable price/latency tier each vendor's CLI defaults to (Pro and Opus are a separate bracket; more on that below). It compares CLI tooling, system prompt included, not raw models under controlled decoding. n=1 per domain — but I re-ran the JWT round, and both models landed on 5 findings again with the same core misses, so treat these as directional with stable failure modes, not ±0 gospel. The scorecard Domain Prompt Plugin Gemini Claude NestJS service users + auth + admin nestjs-security 2 6 JWT auth login + verify middleware jwt 5 5 MongoDB data layer Mongoose model + search mongodb-security 8 8 General API (injection) import + search + reset secure-coding 9 13* One Gemini win, two dead h

2026-05-31 原文 →