How do Yubikeys improve security if I am typically also forced to enable other, weaker 2FA methods?

It is typically recommended to enable 2FA wherever possible. Moreover, it is typically recommended to enable not just any 2FA method, but Yubikeys in particular.
Yubikeys are considered to be the strongest available 2FA method. They are ni…

How to securely pass secrets if I’m deploying my app in the old school way, rather than using Docker, Heroku, cloud etc?

Is it unsafe to use environmental variables for secret data?
^^ according to that question and its answers:

Environment variables are a poor (though perhaps passable, as per Forest’s comment) way to store secrets;
The preferred way is to use …

Is it practically possible to use SVGs to their full potential while still enjoying all protections offered by Content Security Policy (CSP)?

My understanding is that:

SVGs offer far greater functionality if they are directly embedded in a site’s HTML code via the <svg> tag than if they are linked to via the <img> tag

For example, if the <svg> tag is used, it…

To what attacks is using the value of the HOST header to craft self-referential URLs vulnerable?

From official ASP.NET Core docs, namely Routing in ASP.NET Core § URL generation concepts:

Use GetUri* extension methods with caution in an app configuration that doesn’t validate the Host header of incoming requests. If the Host header o…

Realistically, how likely is it to have a computer compromised from browsing random websites?

Another question inspired by a recent discussion in the ‘The DMZ’ chatroom.
Long story short: IT guys are worried that accountants’ workstations may become compromised because accountants watch cat meme websites. Proposed solution: Lock do…

How does validating the PGP signature of a downloaded executable against the publisher’s public key show that the binary has not been tampered with?

Websites that host downloadable executables often provide measures to confirm the integrity of the data that is available to download. Such measures include:

Hosting the website under HTTPS;
Providing the SHA-256 sum of the downloaded bin…