I have recently heard that XSS + CSRF = stored XSS. I didn’t think too much about it at the time, but now it’s bugging me, because it doesn’t make too much sense.
I would say that it can stand true, if the XSS was “self-stored XSS” for wh…
When deriving a private key from a password, will the resulting secret key be any weaker if the user email is included in the function input? Meaning, user email concatenated with the user password.
I’m using scrypt for key derivation, wi…
When registering a new credential as part of WebAuthn, why does the client need to be sent a challenge?
Presumably this is to prevent a replay attack, but wouldn’t a replay attack be prevented by TLS already?
This Saturday 9th of November, there will be a keynote from Microsoft engineers Ryan Levick and Sebastian Fernandez at RustFest Barcelona. They will be talking about why Microsoft is exploring Rust adoption, some of the challenges we’ve faced in this p…
In two previous blog posts ( part 1 and part 2), we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Sem…
Over the course of my internship at the Microsoft Security Response Center (MSRC), I worked on the safe systems programming languages (SSPL) team to promote safer languages for systems programming where runtime overhead is important, as outlined in thi…
I recently watched a video about OSINT and learnt it can be quite a powerful agent. I’ve been on the internet for years, and at this point I’m not sure what I’ve posted and where.
Given this is now a form of recon in cybersecurity, do yo…
I interned with Microsoft as a Software Engineering Intern in the MSRC UK team in Cheltenham this past summer. I worked in the Safe Systems Programming Language (SSPL) group, which explores safe programming languages as a proactive measure against memo…
I am building a JavaScript application that will run in a web browser but also as a pseudo-native mobile application via Apache Cordova. It communicates via API to a separate backend service.
The app requires that the user be prompted for…
Azure IoT Edge is an open source, cross platform software project from the Azure IoT team at Microsoft that seeks to solve the problem of managing distribution of compute to the edge of your on-premise network from the cloud. This post explains some of…
