Top Advanced XSS Payloads That Still Work in 2025
This article explores advanced Cross-Site Scripting (XSS) payloads that remain effective in 2025 despite modern security defenses. XSS continues to be a persistent vulnerability due to the complexity of modern web frameworks (React, Vue, Angular) that generate dynamic content with intricate JavaScript behavior patterns.

The advanced payloads discussed focus on bypass techniques that overcome common defenses like Content Security Policy (CSP) filters and sanitization libraries. These sophisticated attack vectors leverage encoding obfuscation, DOM event manipulation, and framework-specific vulnerabilities to evade traditional filter-based defenses. The exploitation techniques include payload variations that target complex JavaScript execution contexts, utilizing obscure DOM events, and exploiting implementation flaws in client-side security controls. Modern XSS payloads often combine multiple evasion techniques including character encoding manipulation, filter bypass through context switching, and leveraging browser-specific parsing behaviors. The tools and methodologies mentioned focus on advanced testing frameworks that can identify XSS vulnerabilities in complex web applications.

The significance of these payloads lies in their continued effectiveness against inadequate input validation and sanitization implementations. The impact ranges from session hijacking and credential theft to complete client-side system compromise. Bug bounty hunters and penetration testers need to understand these advanced techniques as they represent real-world threats that traditional security measures often fail to detect. The article emphasizes that despite framework improvements, XSS remains a critical vulnerability requiring continuous research and adaptation of both attack and defense strategies.
#infosec #BugBounty #Cybersecurity #XSS #WebSecurity #Payload #Exploit #CSRF
https://medium.com/@xmxa-tech/top-advanced-xss-payloads-that-still-work-in-2025-58f11191df8f?source=rss------bug_bounty-5