Tumgik
Visit Blog
Explore Tumblr blogs with no restrictions, modern design and the best experience.
Fun Fact
28.6 is the average number of monthly visits per US mobile user.
#(hence the nonstandard item number)
morayofsunshine · 2 months
Text
SCP-3R461
Object Class: Keter
Special Containment Procedures: SCP-3R461 is under recon throughout cyberspace by a Foundation-trained algorithm. One C-class is instructed to manually search for SCP-3R461 each year, on April 1st. All appearances of SCP-3R461, and its instances, mentions, or references therein and throughout, are to be terminated from any servers on which they appear. Any civilians or untrained personnel who have viewed instances of SCP-3R461 are to be delivered a standard amnestic.
Description: SCP-3R461 is a YouTube channel first created on April 1st, 2015, under the name "DanAndPhilCRAFTS." This channel, when it appears, currently hosts four videos (as of April 1st, 2024). When the channel, or any of its videos (SCP-3R461-A, -B, -C, and -D, relative to original upload date) are terminated according to Foundation protocol, they appear again the next year on April 1st. Individuals who view an instance of SCP-3R461 without proper antimemetic training will experience the following progression of symptoms:
Uncontrollable excitability when exposed to the activity depicted in the corresponding instance.
Repetition of a memetic phrase that corresponds to the instance viewed. This phrase, when heard or read by other individuals, will cause these individuals in turn to begin this progression of symptoms.
Identification as a "craftie" and obsession with finding and viewing any instance of SCP-3R461 again.
Departure from current life and peers. Individuals who have departed in this way have often been later found wandering through nearby wooded areas in proximity to reports of arson or animal sacrifice.
Individuals have been observed to make a full recovery after having been delivered the amnestics noted above.
SCP-3R461 first appeared simultaneously with instance SCP-3R461-A.
Addendum: 04/01/2016: SCP-3R461 has appeared on its source server again, with its second instance SCP-3R461-B.
Addendum: 04/01/2017: SCP-3R461 has made another appearance, with its third instance SCP-3R461-C. Contents of this instance imply that it will be the final new instance of SCP-3R461.
Addendum: 04/01/2018: SCP-3R461 has made an appearance, but has only included three instances, with no new ones having been uploaded. It has been conjectured that SCP-3R461 will continue to make appearances after its termination on April 1st of each year, with or without a new instance. This page will now only be updated with a break in this pattern or a newly uploaded instance.
Addendum: 04/01/2024: SCP-3R461 has made an appearance with a fourth instance, SCP-3R461-D. This instance begins with a notice from the United Kingdom Government Communications Headquarters (GCHQ) warning of events unknown to the Foundation or the GCHQ of this dimension, which indicates that SCP-3R461 and its instances are likely extradimensional entities. Individuals viewing this instance now repeat five memetic phrases, as well as a memetic title, sourced from all four instances. They have also been observed to seek out demonic entities shortly before reaching Symptom 4.
[LEVEL-3 ACCESS AND PROOF OF ANTI-MEMETIC TRAINING REQUIRED]
Document #3R461-A: Archival footage of SCP-3R461-A.
Document #3R461-B: Archival footage of SCP-3R461-B.
Document #3R461-C: Archival footage of SCP-3R461-C.
Document #3R461-D: Archival footage of SCP-3R461-D.
#unreality#dan & phil#dan & phil crafts#i had a lot of fun writing this!#decided not to make it an actual scp bc it's based so directly on media that already exists#(hence the nonstandard item number)#but i did want to write an in-universe article for tumblr :D#fictional scp post based off of the real nonanomalous danandphilcrafts channel#it's keter bc that's us baybee#dnp#dan and phil
49 notes · View notes
terabitweb · 5 years
Text
Original Post from Rapid7 Author: Robert Lerner
Earlier this month, Verizon released its 2019 Data Breach Investigation Report. It revealed, unsurprisingly, that a good chunk of breaches were the result of attacks at the application layer and that there was a major shift (almost to the 50% crossover point) in payment card breach volume sources to compromising web servers.
Rapid7’s own [Master] Chief Data Scientist Bob Rudis and our Rapid7 Labs research team pored over the report to identify some key points to help the Rapid7 community navigate through this sea of information. In his blog post summarizing the top findings in the 2019 Verizon DBIR report, Bob provided some guidance to help you better safeguard your organization, and the following section really hit home for me:
“It’s time to get serious about adopting critical security headers like Content Security Policy and designing web applications modularly to enable clean and easy use of subresource integrity attributes on resources you load. While you can start with just focusing on the core pages that deal with logins and payment card transactions, you should consider adopting these two technologies holistically across all web-facing components. If you source your e-commerce applications from a third party, ensure you mandate the use of these technologies in your procurement processes.”
During my spare time, I’ve built both an auditing tool and a tool to retrieve the Top 500 list from Moz to better understand how the world’s largest companies use headers. Through this, I’ve discovered the best place to address vulnerabilities is within your software itself. Click here to evaluate your site.
Browsers may have varying or even no support for the various security headers, so they should be part of defense in depth and not viewed as a holistic solution.
As this project plays very nicely into how you can heed Bob’s advice, I’ve created a series of real-world scenarios in which attackers can manipulate unsecured HTTP headers and how to prevent your organization from falling victim to tactics used to exploit them. But before I get into the fun stuff, let’s start with a refresher on what HTTP headers are.
What are HTTP headers?
Before you even see a page load or download file, your browser (or any client, such as cURL, wget, etc.) and a server have a conversation. During this conversation, the browser may ask for a specific resource, request a specific language, and tell the server what type of browser you are using.
The server responds with information, such as how many bytes are ready to be sent, the type of server being used, and the cookies to set.
Here’s an example request:
GET /index.html HTTP/1.1 Host: www.rapid7.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://www.google.com/?q=best+dast+ever Connection: keep-alive Upgrade-Insecure-Requests: 1
Here’s an example response:
200 OK Connection: Keep-Alive Content-Encoding: gzip Content-Type: text/html; charset=utf-8 Date: Mon, 31 Feb 2020 00:00:00 GMT Last-Modified: Mon, 18 Jan 2019 02:36:04 GMT Server: Apache Transfer-Encoding: chunked X-Frame-Options: DENY (Response body here)
As you can see, there’s a lot of conversations going on behind the scenes—and this happens several times for each page you requested. Not all of these headers are strictly for rendering your page: Some tell the site not to track you (such as DNT headers), while others tell the browser not to allow frames on the site (such as X-Frame-Options). Sometimes these headers leak into the user realm (bet you’ve seen a few 404: File Not Found pages). The better you know your site, the more restrictive you can be when configuring your headers, and the more secure your site can be.
I will cover the most common security headers you will find on servers across the internet. For each of these headers, I’ll provide a standards document if one is available (such as a Working Draft or RFC), assuming the scope isn’t too broad (the entire HTTP specification, for example). I will also include additional resources and links to the CWEs, where applicable. This document uses the term “media types” to refer to what was previously called “MIME Types,” as IANA has changed the terminology.
Custom headers and the “X-” prefix
Standards organizations—what would we do without them? RFC 2047 §5.1 states that any nonstandard HTTP header be denoted and prefixed with “X-” (hence many of the headers in this blog). RFC 6648 deprecates this. Chances are that the legacy “X-” headers will outlive this blog post, so for nearly all purposes and intents, these should be used in lieu of their non-prefixed alternatives.
Imagine, if you will…
In this hypothetical scenario, imagine you are checking your employer’s intranet forum and you see a topic that catches your eye: “An estimated 60% of the workforce will be laid off this week!”
Panic ensues until the inevitable HR memo comes out stating that this forum post is false and no one is getting laid off. An investigation into how this could have happened uncovers that your organization has fallen victim to a social engineering scheme. But how did this schemer get in?
Here are some examples of vulnerabilities that may have been exploited:
You can set your account’s password without providing your current password
There is a cross-site scripting (XSS) vulnerability in the forums
The forum admin only skimmed this wonderful blog entry.
These would allow the attacker to wreak havoc by using the following tactics:
Make a really crafty forum topic title that everyone will click and talk about
Leverages the XSS vulnerability within a forum topic
Executes var cookie = document.cookie;
Makes an XMLHttpRequest to their server with this cookie value
Stand up a server to receive these cookies
Make a cURL request back to the server, using the cookie to authenticate
Set the password to a new value
Log the user out
In this situation, anybody who clicks the forum topic will instantly have their account password reset and be logged off. With this tactic, attackers will be collecting accounts like Pokémon.
So, which headers can help us out here?
HTTP is a stateless protocol, which means it cannot associate state between two requests. Sessions are a technique of providing a unique identifier to your site’s users, allowing them to persist login state across several page loads. These may be persisted across URLs (bad) or across cookies (good). Because of that, we need to ensure we protect information from being stolen. There are three security-focused attributes within a cookie header, but today we are going to focus on HTTPOnly:
Cookie attributes
Example
Set-Cookie: id=Rapid7; Expires=Wed, 06 Mar 2019 02:42:26 GMT; Secure; HttpOnly; SameSite=strict
HTTPOnly attribute
The HTTPOnly flag informs the browser that the cookie may only be transmitted via HTTP—that is, it is not available to java script in the form of alert(document.cookie);. This greatly reduces the utility in an XSS attack.
Secure attribute
As discussed, there is little excuse for not using HTTPS throughout your application. The “Secure” flag instructs the browser to only send this cookie value to requests made via HTTPS. If your connection is subject to an HTTP Downgrade and MiTM attack, this cookie will not be transmitted which will prevent account theft.
SameSite attribute
Can I Use?
The SameSite attribute is used to control how cookies are applied to requests when they originate from a third-party domain. If a user is logged into example.com, they can click around the site and maintain logged-in state. If they then visit rapid7.com, and Rapid7 links back to Example.com to leverage an XSRF vulnerability, then this will be executed against the user’s account on example.com.
If the SameSite attribute is set to Strict, the previous example would fail. The browser would detect this and not transmit the cookies—therefore, the attack would apply to a guest account.
By setting the HTTPOnly flag on our cookies, we instruct the browser that it may not send the cookie to the browser via Javascript’s document.cookie. This single-handedly would have mitigated the kill chain I’ve presented earlier where an account could be compromised. Another header that would have been useful is:
X-XSS-Protection
Example
X-XSS-Protection: 1; mode=block
Moz Top 500
This header is present on 35% of sites. Many browsers have built in XSS protection that site operators can control. A blank setting disables the protection mechanism, and an attribute of “1” instructs the browser to attempt to sanitize the content. Finally, setting the header to “1; mode=block” tells the browser to stop rendering the page. The latter option is recommended.
This header enables the in-built XSS filtering or blocking that browsers use, and therefore may have also blocked this attack by restricting access to the page where the XSS vulnerability existed.
Other scenarios
The decision to go with the account theft model was to illustrate a real-world situation that could be dire to an organization without backups or that is visible to the public. Cookies can simply be stored, with no programmatic action being performed. It is possible for a stolen cookie to be used to perform any number of actions on your site, from buying items to deleting customers.
Other ways to limit this attack include:
Regenerate cookie values and expire the previous value whenever the following happens:
A user authenticates, or after logoff
A user changes roles, such as logging into an admin panel
After several page loads, this limits the validity period
Limit the session duration
Set either a “0” on the session cookie, or an explicit expiry time. (Also enforce this server-side, since spoofing this on the client is really easy.)
Leverage an additional identifier along with the cookie, such as the user’s IP address, user agent, or other information.
Write secure code
So, what are you waiting for? Go and evaluate your site to verify that your web server is correctly responding with headers designed for security, and stay tuned for my next blog on “Hidden Helpers: Security-Focused HTTP Headers.”
Looking to identify security vulnerabilities in your web applications? Try InsightAppSec today for free.
Get Started
#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */
Go to Source Author: Robert Lerner Hidden Helpers: Security-Focused HTTP Headers Original Post from Rapid7 Author: Robert Lerner Earlier this month, Verizon released its 2019 Data Breach Investigation Report.
#Rapid7
0 notes
Text
Keto Ultra Reviews: Where to Buy? (Keto Ultra Diet) Weight Loss Pills
The Keto Ultra Diet plan is a typical dietary weight-loss supplement that has intended to repeat the achievement and expel the constraints of the nonstandard usage of fasting. In this era, individuals are occupied with their life-style exceptionally. They don’t have space schedule-wise to cope with themselves since people use to consume garbage sustenance generally. As they would like never to squander their opportunity in cooking. While mainly because a repercussion of this they start experiencing weakness.
Tumblr media
People who are fat a good deal, are worn out on hearing the awkward remarks about their form and body. It’s humiliating Really. Individuals tired of each one of this stuff what they got notification from someone. They are sustained up of attempting techniques for reducing your weight completely. Some enchantment is needed by them to consume their fat immediately when they can. It really is an amusing issue to decrease fat from the body yet it is important now. Also, it is essential to keep up the body in an appropriate way.
Presentation
The most discussed the fat copying item now at last here…! effective fat consuming ketone i. e Keto Ultra Diet. This item is the amalgam of different normal fixings, in any case, one of the key fixings is Beta-hydroxybutyrate (BHB). Here, BHB has been altered to create a moment fat consuming arrangement in the characteristic ways. Beta-hydroxybutyrate is the handy fixing that kicks the metabolic condition of ketosis vigorously. In the event that you take it, BHB can begin preparing in your body bringing about delivering vitality and enormously accelerate weight reduction by putting your body into ketosis.
As we recognize that, individuals generally employ a diet program for getting healthier plus they skip one- period feast and today and again they eat one time per day. Keto Ultra Diet plan They avoid eating audio nourishment and start maintaining a strategic length from protein stuff and also declined to consume at the night. And again skip 2 times of dinner per day now. No essential oil, no margarine they endure a good deal while consuming less. 
Furthermore, this time around adolescents generally employs such a substantial number of methods to lose their fat some of the period they make use of wrong ways. Hence, it isn’t the right technique to lose your bodyweight with this you are producing yourself powerless step-by-step. Individuals change their timetable thoroughly. They start practice to join the workout middle and there they have to pay out a gigantic sum in the rec middle. What’s more, individuals sick and tired of the remarks of people in this manner Additionally, No more need to squander your cash make one stride and make use of  Keto Ultra Diet simply.
It's the opportune period to make use of Keto Ultra Diet plan to lose your fat and make your self-certain. As the name proposes, this item will go about as a supper replacer. It comes with an altered creation of all basic smaller level and macronutrients that keep the body audio and fit. It really is lower in carbs and unwanted fat, high in proteins (got from soy and drain) possesses 24 minerals and vitamins. It accordingly gives the body all that it requires without the fat of included body fat, cholesterol, and carbs. The high protein content keeps you whole for causes and even more the body to create slender muscle.
How do it function?
The outcomes won't be the same as person to person. The Keto Ultra Diet plan simply created by common unadulterated organic fixings that assistance you to improve your blood flow within your body. The likelihood of the Keto Ultra Diet plan is to really get your body through an operation known as Ketosis where you quit eating sugars as energy and rather swing to the eating of what specifically are known as ketones. This will happen when you bring your starch levels to around 50 grams for every full day or lower.
When you eat the body create vitality from your own body and which are still left within your body it becomes a fat set aside in your body. Hence, Keto Ultra Diet plan encourages you to diminish age new fats cells which will make your body. You are due to it to create them out of the body.
Different benefits of this item are:
This item expands the digestion rate from your own body.
Zero reactions of keta tone eat much fewer carbs it shall recuperate your supper.
Keto Ultra Diet Pills Reviews assists support vitality level within your body.
It influences you to stay dynamic and fit whole day.
Consumes your body fat quicker than in any other time.
It produces BHB, it's been adjusted to create the short moment fat consuming set up from the characteristic method.
Thanks for reading this article. If you want to learn more then visit this link drozhealthblog.com/keto-ultra-diet/  krto ultra diet weight loss
#keto ultra diet ingredients#keto ultra diet side effects#keto ultra diet shark tank#keto ultra diet pills#does keto ultra diet work#keto ultra diet cost#keto ultra diet
0 notes
Last Seen Blogs
sinnadamasquedeciir
Death 😈
that-stupid-lamb
Another Twilight Renaissance Blog
jollygladinatorpeanut-blog
Untitled
mads8745
Unbetitelt
danottys92
DaNoTTy'S