F-Secure Radar Login Page Unvalidated Redirect Vulnerability

CVE-2018-6324 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6324)

Summary: After a successful login, the application redirects the user to a user-controlled destination. A victim may not notice that a redirect has taken place, since they expect to be sent to a new page after logging in anyway.

Vendor Description: F-Secure Radar is a turnkey vulnerability scanning and management platform. It allows you to identify […]
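The unvalidated redirect described in the summary is a login flow that takes its post-login destination from a request parameter and uses it as-is. The following is an added example, not code from the advisory or from F-Secure Radar, of the check a login handler should apply to that parameter before issuing the redirect. The allow-listed hostname radar.example, the default target /dashboard and the function name safe_redirect_target are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list for the example: hostnames this application may send
# a user to after login. Everything else falls back to DEFAULT_TARGET.
ALLOWED_HOSTS = {"radar.example"}
DEFAULT_TARGET = "/dashboard"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a post-login redirect target that stays on the application.

    Accepts a path on this origin ("/assets/42") or an absolute http(s) URL
    whose host is allow-listed; anything else is replaced by `default`.
    """
    if not isinstance(raw, str) or raw == "":
        return default

    # Reject whitespace, control characters and backslashes before parsing.
    # Browsers normalise "\" to "/" so "/\evil.example" becomes a
    # scheme-relative "//evil.example", and CR/LF or tabs can change how the
    # Location header is interpreted.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in raw):
        return default

    parts = urlsplit(raw)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target. Require exactly one leading slash on the raw
        # string: "//host" is scheme-relative, and browsers also treat
        # "///host" as "https://host/" even though urlsplit reports no netloc.
        if raw.startswith("/") and not raw.startswith("//"):
            return raw
        return default

    # Absolute URL: only http(s), and only to an allow-listed host. Compare the
    # parsed hostname rather than netloc so that credentials in the authority
    # ("https://radar.example@evil.example/") cannot spoof the check.
    if parts.scheme.lower() not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    if host in allowed_hosts:
        return raw
    return default
```

A login handler would call `safe_redirect_target(request.args.get("next"))` and redirect to the result. Returning a constant default rather than an error keeps the user flow intact while removing the attacker's control over the destination.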

F-Secure Radar Persistent Cross-Site Scripting Vulnerability

CVE-2018-6189 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-6189)

Summary: The application can suggest metadata tags for assets, and in doing so it can execute JavaScript entered previously by a malicious user.

Vendor Description: F-Secure Radar is a turnkey vulnerability scanning and management platform. It allows you to identify and manage both internal and external threats, report risks, and be compliant with […]

OWASP Top 10 2013 – A3 – Cross-Site Scripting

> Is your address really street"/><script>doStuff();</script>?

Cross-Site Scripting attacks are tremendously prevalent, which I find surprising because it is an easy problem to detect and to remediate. There are even a lot of decent mitigation alternatives out there as well. What is Cross-Site Scripting (or XSS, if you prefer)? Cross-Site Scripting occurs whenever someone else […]
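Both the Radar tag-suggestion advisory above and this post describe the same defect: text stored by one user is later placed into HTML for another user without escaping, and a value such as street"/><script>doStuff();</script> closes the attribute it was put in and starts a script element. The following is an added example, not code from either page, from F-Secure Radar or from the post's author, showing the vulnerable rendering next to the output-encoded version, plus an input-side allow-list. The stored tags, the tag pattern and the function names are assumptions for illustration.

```python
import html
import re

# Constructed sample of previously stored tags: one benign, one carrying the
# attribute-breakout payload quoted in the post.
STORED_TAGS = [
    "production",
    'street"/><script>doStuff();</script>',
]

# Assumed input policy for tag names: letters, digits, space, dot, dash and
# underscore, 1 to 64 characters. Adjust to the real data model.
TAG_PATTERN = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def is_valid_tag(tag):
    """Input-side allow-list: reject anything that is not a plausible tag.

    This is defence in depth, not the fix; output encoding below is the fix.
    """
    return bool(TAG_PATTERN.match(tag))


def render_suggestions_unsafe(tags):
    """The persistent-XSS pattern: stored text concatenated into HTML as-is.

    A tag like street"/><script>...</script> closes the value attribute and
    the <option> start tag, then runs a script in the browser of every user
    who loads the suggestion list.
    """
    return "".join(f'<option value="{t}">{t}</option>' for t in tags)


def render_suggestions(tags):
    """Output-side fix: escape for the context each copy of the value lands in.

    html.escape(quote=True) turns '"' into &quot; (safe inside a quoted
    attribute) and '<', '>', '&' into entities (safe as element content).
    """
    return "".join(
        f'<option value="{html.escape(t, quote=True)}">{html.escape(t)}</option>'
        for t in tags
    )


def contains_script_element(markup):
    """Crude detector for the demonstration: is there a <script start tag?"""
    return "<script" in markup.lower()
```

The same value is escaped twice because it appears in two contexts: inside a quoted attribute and as element text. Encoding must match the destination context; a value placed into a JavaScript string or a URL would need a different encoder than `html.escape`.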

OWASP Top 10 2013 – A4 – Insecure Direct Object References

> Hello, I’m user number fiftysev…. Fiftyeight.

Insecure Direct Object References are a type of authorization issue in which a user can access information (objects) they are not supposed to. For example, imagine a bank application where you can view your personal info via: example.com/users/profile.php?id=57 Now, what does “57” refer to? Probably some kind of reference […]
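The profile.php?id=57 example above is exploitable only when the server trusts the id and skips the check that the requesting user may read that record. The following is an added example, not code from the post or its author, showing the unchecked lookup beside a version that enforces ownership or an admin role, and a per-session indirect reference map (one of the remediations OWASP recommends for A4) that keeps the real id out of the URL altogether. The in-memory user table, the role names and the function names are assumptions for illustration.

```python
import secrets

# Constructed in-memory store for the example: user id -> profile record.
USERS = {
    57: {"name": "Alice", "role": "user", "email": "alice@example.test"},
    58: {"name": "Bob", "role": "user", "email": "bob@example.test"},
    1: {"name": "Root", "role": "admin", "email": "admin@example.test"},
}


class AccessDenied(Exception):
    """Raised both for 'not yours' and for 'does not exist', so a caller
    cannot tell the two apart and enumerate which ids are valid."""


def profile_unsafe(requested_id):
    """Vulnerable: the id from the query string is used directly."""
    return USERS[requested_id]


def profile(session_user_id, requested_id):
    """Hardened: authorise the acting user against the requested object.

    The session user comes from the authenticated session, never from the
    request parameters. Authorisation is checked before existence so that
    the response does not differ between a foreign id and a missing one.
    """
    actor = USERS.get(session_user_id)
    if actor is None:
        raise AccessDenied()
    if requested_id != session_user_id and actor["role"] != "admin":
        raise AccessDenied()
    target = USERS.get(requested_id)
    if target is None:
        raise AccessDenied()
    return target


def can_read(session_user_id, requested_id):
    """Boolean wrapper around profile() for callers that only need a verdict."""
    try:
        profile(session_user_id, requested_id)
        return True
    except AccessDenied:
        return False


class IndirectReferenceMap:
    """Per-session map from opaque random tokens to real object ids.

    The page links to ?ref=<token> instead of ?id=57; a token that is not in
    this session's map resolves to None, which the caller treats as denied.
    """

    def __init__(self):
        self._tokens = {}

    def reference(self, object_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = object_id
        return token

    def resolve(self, token):
        return self._tokens.get(token)
```

The indirect map does not replace the authorisation check in `profile()`: a token issued to one session must still be resolved only by that session, and the resolved id still has to pass the same ownership test.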