We just published v4.1.0 of the eslint plugin `no-unsanitized`, which prohibits the usage of XSS sinks (e.g., `innerHTML=` or `setHTMLUnsafe()`) without the use of a preconfigured sanitizer library.
The rule helps find and prevent XSS in various Mozilla projects, including Firefox.
Technical Details at https://frederikbraun.de/finding-and-fixing-dom-based-xss-with-static-analysis.html and source at https://github.com/mozilla/eslint-plugin-no-unsanitized
We broke 10k stars on #GitHub! Remaining in the 1st and 2nd positions on #Google for, “Reverse Engineering Tutorial”. Special thanks to @0xinfection @hasherezade @fox0x01 @three_cube @binitamshah and all of you! #ReverseEngineering https://github.com/mytechnotalent/Reverse-Engineering
this is my emotional support carwash. whenever I get sad I ssh into this Montenegrin carwash I found on shodan 12 years ago and spin the rollers a bit. makes me feel real again
I know that one should never, ever go to SciHub to find academic papers but is there a site one should never, ever go to for ISO/IEC standards documents?
@leeb The IBM 1401 computer had optional support for math with pounds/shillings/pence in hardware, back when there were 12 pence in a shilling and 20 shillings in a pound. Of course there were two incompatible standards, so the computer had a knob on the front panel to select the standard.
Today is the 10 year anniversary of the first time I ever pwned anything!
My first exploit was a simple stack smash, overwrite return ptr, jump to admin function. This was in an internal recruiting CTF by @gaasedelen for the RPISEC
Before that day I had never even considered computer security and was primarily doing robotics.
You never know when a buffer overflow may change the very course of your life!