News & Updates

Attackers Quick to Weaponize CVE-2023-22527 for Malware Delivery

On January 16, 2024, Atlassian disclosed a critical vulnerability affecting Confluence Data Center and Confluence Server, tracked as CVE-2023-22527. The vulnerability is an unauthenticated OGNL injection bug, allowing unauthenticated attackers to execute Java expressions, invoke methods, navigate object relationships, and access properties—essentially enabling arbitrary code execution on the vulnerable server. In the days following the […]



The New York Times vs. OpenAI: A Turning Point for Web Scraping?

In a recent blog, we covered the blurry lines of legality surrounding web scraping and how the advent of artificial intelligence (AI) and large language models (LLMs) further complicates the matter. Shortly after publishing the blog, a significant legal development began unfolding: The New York Times (NYT) filed a lawsuit against OpenAI and Microsoft over […]



XSS Marks the Spot: Digging Up Vulnerabilities in ChatGPT

With its widespread use among businesses and individual users, ChatGPT is a prime target for attackers looking to access sensitive information. In this blog post, I’ll walk you through my discovery of two cross-site scripting (XSS) vulnerabilities in ChatGPT and a few other vulnerabilities. When chained together, these could lead to account takeover. Digging into […]



Online games community breached using inactive admin account credentials

Online games community Mr. Green Gaming has suffered a data breach in which the
details of 27,000 members were leaked online.

The gaming forum was breached on March 1 using the compromised credentials of an
inactive administrator account. The forum moderators publicly announced the
security incident on Sunday, March 3.

According to a data breach notice published by one of the forum’s moderators,
the unauthorized individuals not only vandalized the platform but also got their
hands on the perso


Hacking Microsoft and Wix with Keyboard Shortcuts

Browser vendors continuously tweak and refine browser functionalities to improve security. Implementing same-site cookies is a prime example of vendors’ efforts to mitigate Cross-Site Request Forgery (CSRF) attacks. However, not all security measures are foolproof. In their quest to combat Cross-Site Scripting (XSS), browser vendors introduced features that, while well-intentioned, sometimes fall short of their […]



Manufacturing USA at SXSW Conference

Gaithersburg, MD – March 1, 2024 – The NIST Office of Advanced Manufacturing, which serves as the coordinating office for Manufacturing USA, a national network created to secure U.S. global leadership in advanced manufacturing, today announced