Discuss Scratch

Sheep_maker
Scratcher
1000+ posts

CVE-2020-14000: Script Injection vulnerability in scratch-vm

AmazingMech2418 wrote:

Sheep_maker wrote:

AmazingMech2418 wrote:

Also, it is sandboxed, so even a fetch request wouldn't be too bad.
Perhaps it could be used to DDoS a target if a project abusing this got popular, by just constantly spamming requests from every user with the project open. Alternatively, it could be used to spam requests from a different IP (if CORS were enabled on the target).

I think cryptocurrency miners can also be run inside a web worker if they're just math and a bunch of requests.
Yeah, but, again, CORS would have to be enabled on the target, and most largely targeted websites have CORS disabled, as is normally the default.

I think the browser still has to make the request first in order to know, based on the response headers, whether CORS is enabled.
AmazingMech2418
Scratcher
1000+ posts

CVE-2020-14000: Script Injection vulnerability in scratch-vm

Sheep_maker wrote:

AmazingMech2418 wrote:

Sheep_maker wrote:

AmazingMech2418 wrote:

Also, it is sandboxed, so even a fetch request wouldn't be too bad.
Perhaps it could be used to DDoS a target if a project abusing this got popular, by just constantly spamming requests from every user with the project open. Alternatively, it could be used to spam requests from a different IP (if CORS were enabled on the target).

I think cryptocurrency miners can also be run inside a web worker if they're just math and a bunch of requests.
Yeah, but, again, CORS would have to be enabled on the target, and most largely targeted websites have CORS disabled, as is normally the default.
I think the browser still has to make the request first in order to know, based on the response headers, whether CORS is enabled.

Browsers make HEAD requests and then the actual GET/POST requests, in order to first see if they can make the request and then actually make it. However, while a DDoS attack can be done with HEAD requests, HEAD requests are the smallest and fastest of all request types, and it would likely take thousands or even millions of requests a second to have a successful attack. Meanwhile, GET and POST requests involve the exchange of larger amounts of data and are the main requests used for DDoS attacks. So, a DDoS attack would not be a likely issue with this vulnerability for CORS-disabled websites, since only the HEAD request would go through, not the GET or POST. This is just a sandboxed XSS vulnerability, so it is definitely not a critical issue.
thesonofbit
New Scratcher
1 post

CVE-2020-14000: Script Injection vulnerability in scratch-vm

Hi
I'm new here. I found out about this site just today; it seems like a great tool for my first steps as a developer.
I have general questions about CVEs.

I understand that when security researchers find a vulnerability, they disclose it to the company. But who reports it to the CVE database? How does it work?

Do the developers report to MITRE? If so, is there any incentive? I'm asking to better understand how this whole bounty world works.
I see this page on MITRE

Someone probably submitted a report to MITRE and then this page was created.

I did find a few people who submitted a CVE and wrote about it on Medium, like this report of CVE-2020-25952.
So in this case they probably do it to gain more authority as a security researcher.

I just want to understand what the main incentive is behind finding vulnerabilities and reporting them to MITRE.

Last edited by thesonofbit (April 20, 2021 19:40:55)

hello_smile
Scratcher
1000+ posts

CVE-2020-14000: Script Injection vulnerability in scratch-vm

How can I get my own CVE?
Jeffalo
Scratcher
1000+ posts

CVE-2020-14000: Script Injection vulnerability in scratch-vm

thesonofbit wrote:

Hi
I'm new here. I found out about this site just today; it seems like a great tool for my first steps as a developer.
I have general questions about CVEs.

I understand that when security researchers find a vulnerability, they disclose it to the company. But who reports it to the CVE database? How does it work?

Do the developers report to MITRE? If so, is there any incentive? I'm asking to better understand how this whole bounty world works.
I see this page on MITRE

Someone probably submitted a report to MITRE and then this page was created.

I did find a few people who submitted a CVE and wrote about it on Medium, like this report of CVE-2020-25952.
So in this case they probably do it to gain more authority as a security researcher.

I just want to understand what the main incentive is behind finding vulnerabilities and reporting them to MITRE.

usually, the target is the one to pay a bounty, e.g. google runs a bug bounty program, so if you find (and report) a vulnerability in google workspace, google will pay you.

i'm not sure but i believe that MITRE's goal is to catalogue vulnerabilities. i don't think they provide any incentive other than being credited for vulnerabilities.

apple502j probably knows more about this subject than me.
hello_smile
Scratcher
1000+ posts

CVE-2020-14000: Script Injection vulnerability in scratch-vm

Jeffalo wrote:

thesonofbit wrote:

Hi
I'm new here. I found out about this site just today; it seems like a great tool for my first steps as a developer.
I have general questions about CVEs.

I understand that when security researchers find a vulnerability, they disclose it to the company. But who reports it to the CVE database? How does it work?

Do the developers report to MITRE? If so, is there any incentive? I'm asking to better understand how this whole bounty world works.
I see this page on MITRE

Someone probably submitted a report to MITRE and then this page was created.

I did find a few people who submitted a CVE and wrote about it on Medium, like this report of CVE-2020-25952.
So in this case they probably do it to gain more authority as a security researcher.

I just want to understand what the main incentive is behind finding vulnerabilities and reporting them to MITRE.
usually, the target is the one to pay a bounty, e.g. google runs a bug bounty program, so if you find (and report) a vulnerability in google workspace, google will pay you.

i'm not sure but i believe that MITRE's goal is to catalogue vulnerabilities. i don't think they provide any incentive other than being credited for vulnerabilities.

apple502j probably knows more about this subject than me.

Can you put a bug in Ocular and let me find it so I get my own CVE?
dhuls
Scratcher
1000+ posts

CVE-2020-14000: Script Injection vulnerability in scratch-vm

hello_smile wrote:

Jeffalo wrote:

thesonofbit wrote:

Hi
I'm new here. I found out about this site just today; it seems like a great tool for my first steps as a developer.
I have general questions about CVEs.

I understand that when security researchers find a vulnerability, they disclose it to the company. But who reports it to the CVE database? How does it work?

Do the developers report to MITRE? If so, is there any incentive? I'm asking to better understand how this whole bounty world works.
I see this page on MITRE

Someone probably submitted a report to MITRE and then this page was created.

I did find a few people who submitted a CVE and wrote about it on Medium, like this report of CVE-2020-25952.
So in this case they probably do it to gain more authority as a security researcher.

I just want to understand what the main incentive is behind finding vulnerabilities and reporting them to MITRE.
usually, the target is the one to pay a bounty, e.g. google runs a bug bounty program, so if you find (and report) a vulnerability in google workspace, google will pay you.

i'm not sure but i believe that MITRE's goal is to catalogue vulnerabilities. i don't think they provide any incentive other than being credited for vulnerabilities.

apple502j probably knows more about this subject than me.
Can you put a bug in Ocular and let me find it so I get my own CVE?

No. Suppose someone else finds it, and uses it maliciously.
hello_smile
Scratcher
1000+ posts

CVE-2020-14000: Script Injection vulnerability in scratch-vm

dhuls wrote:

hello_smile wrote:

Jeffalo wrote:

thesonofbit wrote:

Hi
I'm new here. I found out about this site just today; it seems like a great tool for my first steps as a developer.
I have general questions about CVEs.

I understand that when security researchers find a vulnerability, they disclose it to the company. But who reports it to the CVE database? How does it work?

Do the developers report to MITRE? If so, is there any incentive? I'm asking to better understand how this whole bounty world works.
I see this page on MITRE

Someone probably submitted a report to MITRE and then this page was created.

I did find a few people who submitted a CVE and wrote about it on Medium, like this report of CVE-2020-25952.
So in this case they probably do it to gain more authority as a security researcher.

I just want to understand what the main incentive is behind finding vulnerabilities and reporting them to MITRE.
usually, the target is the one to pay a bounty, e.g. google runs a bug bounty program, so if you find (and report) a vulnerability in google workspace, google will pay you.

i'm not sure but i believe that MITRE's goal is to catalogue vulnerabilities. i don't think they provide any incentive other than being credited for vulnerabilities.

apple502j probably knows more about this subject than me.
Can you put a bug in Ocular and let me find it so I get my own CVE?
No. Suppose someone else finds it, and uses it maliciously.

Not even a double-reacting bug? :cry: