Henrik Falk March 20, 2025
Why do we even have XSSes, SQLI, etc
One of the first vulnerability classes one learns in web security are Cross Site Scripting (XSS) and SQL Injection (SQLI). Together with other similar classes like Shell Injection, Server-side Template Injection (STTI), HTTP Header Injection, etc., they form the "Injection" family. In this article, we revisit fundamentals of information security and answer the question why do these kinds of attacks really happen, from a technology design perspective.
hackarcana.com/article/why-do-we-even-have-xss-sqli-etc
Brushing Up on Hardware Hacking Part 2 - SPI, UART, Pulseview, and Flashrom
In our last post, we reviewed how to use the pi-gen tool to generate an image for a Raspberry Pi that is pre-configured with many tools needed for basic hardware hacking. In this post, we will start using them on our first target. Our first target from the AliExpress grab bag is going to be this electric toothbrush. Our goal is to extract the firmware and maybe push modified firmware to the toothbrush (there is a statement I never thought I'd type…).
voidstarsec.com/blog/brushing-up-part-2
Buying browser extensions for fun and profit
Your browser extensions could be secretly sold to malicious actors without your knowledge. What starts as helpful tools created by passionate developers can transform into dangerous spyware when sold to the highest bidder. As these extensions grow to hundreds of thousands of users, their creators—overwhelmed by maintenance and lacking monetization—often turn to marketplaces to sell them off. The original owners are often shocked when their extension goes bad.
secureannex.com/blog/buying-browser-extensions
