Report URI

TL;DR — Tens of millions of credentials obtained from info stealer logs populated by malware were posted to Telegram channels last month and used to shake down companies for bug bounties under the misrepresentation the data originated from their service. How many attempted scams do you get each day? I woke up to yet another "redeem your points" SMS this morning, I'll probably receive a phone call from "my bank" today (edit: I was close, it was "Amazon Prime" 🤷‍♂️) and don't even get me started...

If you've landed on this page because you saw a strange message on a completely different website then followed a link to here, drop a note to the site owner and let them know what happened. If, on the other hand, you're on this page because you're interested in reading about the illicit use of cryptomining on compromised websites and how through fortuitous circumstances, I now own coinhive.com and am doing something useful with it, read on. You know how people don't like ads? Yeah, me either (...

You know what I really like? A nice, slick, clean set of violation reports from the content security policy (CSP) I run on Have I Been Pwned [https://haveibeenpwned.com/] (HIBP). You know what I really don't like? Logging on to Report URI [https://report-uri.com/] and being greeted with something like this: This blog post is about how add-ons and extensions in browsers cause CSP violations like the ones above and how they should be dealt with. Some brief background first as I'll be sharing this...

I've long been a proponent of Content Security Policies (CSPs). I've used them to fix mixed content warnings on this blog after Disqus made a little mistake [https://www.troyhunt.com/disqus-mixed-content-problem-and-fixing-it-with-a-csp/], you'll see one adorning Have I Been Pwned [https://haveibeenpwned.com/] (HIBP) and I even wrote a dedicated Pluralsight course on browser security headers [https://pluralsight.pxf.io/c/1196446/424552/7490?u=https%3A%2F%2Fwww.pluralsight.com%2Fcourses%2Fbrowser...

I run a workshop titled Hack Yourself First [https://www.troyhunt.com/workshops/] in which people usually responsible for building web apps get to try their hand at breaking them. As it turns out, breaking websites is a heap of fun (with the obvious caveats) and people really get into the exercises. The first one that starts to push people into territory that's usually unfamiliar to builders is the module on XSS. In that module, we cover reflected XSS which relies on the premise of untrusted dat...

What if I told you... that you can get visitors to your site to automatically check for a bunch of security issues. And then, when any are found, those visitors will let you know about it automatically. And the best bit is that you can set this up in a few minutes and add it to your site with zero risk. Or if you like, set it up so that it can automatically block certain types of attacks. It's not an expensive appliance, it's not a wacky browser extension and it's not some weird proprietary cod...