Most of the time scripts come from other places than web site itself. These scripts are allowed to operate on the page and usually there’s some mechanism in place to control their behavior. You can think of it as a sand box – each web site runs pretty much independently. This also means that one site opened in a tab of browser isn’t allowed to access data from another site in a tab next to it. So, in theory Cross-Site Script (or XSS) is basically a violation of this principle. And it’s much worse in practice.
Security misconfiguration is a blanket term for a broad specter of vulnerabilities. We won’t look at specific examples today. I want to draw some scenarios that you might find interesting, so you can avoid them.
Alright then, we’re half way through OWASP 10 and I would like to take a break. Let’s talk about different kinds of pentest. What if I tell you that you can penteset … a person? Wait, what? Let’s take a look.
XML is a very good way to store and to organize data, and XXE vulnerability takes advantage of XML parsers not data itself. It works like every other injection, but has its own features. Overall in my opinion, it’s little more complex than any other injection around.
It is an exaggeration to say that my road to CISSP began when I decided to study Cyber Security at my local University. People at the age of 17 are generally very bad at planning their lives, especially when it comes to some new professions.
In fact, the decision to obtain CISSP was taken in 2017, when it became obvious that professional certificates of major vendors have finally ceased to fulfill their main function – to confirm the knowledge and experience of specialists. I have no idea whom to blame – online collections of dumps, the general level of questions in the tests, unscrupulous test centers and a lot of other factors.