Author Archives Tomasz Andrzej Nidecki

THE AUTHOR

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer

Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.

Remote Code Execution in bootstrap-sass Ruby Package

Web Security Zone | April 11, 2019 by Tomasz Andrzej Nidecki

If you are using Ruby to develop applications, run the latest update of Acunetix to make sure that you are safe. A very popular Rails gem bootstrap-sass was recently compromised. A malicious version of the package (3.2.0.3) was available in the official RubyGems repository for several…

Mutation XSS in Google Search

Web Security Zone | April 10, 2019 by Tomasz Andrzej Nidecki

Are you sure that your website is safe from Cross-site Scripting if Google Search was not for five months? On September 26, 2018, one of the developers working on the open-source Closure library (originally created by Google and used in Google Search) created a commit…

All about Man-in-the-Middle Attacks

Web Security Zone | March 13, 2019 by Tomasz Andrzej Nidecki

In a man-in-the-middle attack (MITM), a black hat hacker takes a position between two victims who are communicating with one another. In this spot, the attacker relays all communication, can listen to it, and even modify it. Imagine that Alice and Barbara talk to one…

GIF Buffer Content Exposed by Facebook Messenger

Web Security Zone | March 12, 2019 by Tomasz Andrzej Nidecki

The saying one man’s trash is another man’s treasure applies to IT security as well. There are several types of attacks, such as buffer overflow, that rely on accessing leftover memory content. For example, this is exactly what the infamous Heartbleed bug in OpenSSL was…

Remote Code Execution Possible in Drupal

Web Security Zone | March 4, 2019 by Tomasz Andrzej Nidecki

On February 19, Drupal released a security advisory PSA-2019-02-19 (further amended by PSA-2019-02-22). The advisory contains information about a critical security flaw in Drupal 8.5 and 8.6 core. This flaw, classified as CVE-2019-6340, can be used for remote code execution (code injection). An exploit for…

DOM XSS: An Explanation of DOM-based Cross-site Scripting

Articles | March 3, 2019 by Tomasz Andrzej Nidecki

DOM XSS stands for Document Object Model-based Cross-site Scripting. A DOM-based XSS attack is possible if the web application writes data to the Document Object Model without proper sanitization. The attacker can manipulate this data to include XSS content on the web page, for example,…

Critical CSRF Vulnerability on Facebook

Web Security Zone | February 25, 2019 by Tomasz Andrzej Nidecki

A security researcher Youssef Sammouda (Samm0uda) recently discovered a critical CSRF (Cross-site Request Forgery) security vulnerability on Facebook. This security issue could have been used to take over any Facebook user account. Samm0uda reported the bug on January 26 and Facebook fixed it just 5…

Take action and discover your vulnerabilities