Collaborate Disseminate
I’m trying to evaluate if a malicious npm dependency running in Electron’s app renderer process (which has sensitive information) could send data from the webpage out to an attacker’s server (or trick the user in some way to input that dat… Continue reading Can malicious code running in isolated Electron’s renderer process send data to attacker’s server?
Background
I’m building an Electron app. In Electron, there’s a main process and renderer processes.
Electron provides a built-in IPC API, that allows to communicate between the main process and a renderer, but the renderers cannot communi… Continue reading Securing websockets for IPC in a desktop app
I have a frontend heavy app with a rest api in node.js. The app and the backend are on different hosts. Moreover, the app can be accessed both with http and https. The reason why is mixed content: users of the app load their … Continue reading Protecting against CSRF, JWT, cross domain
So a web app grabs data from a server with ajax. I’m interested to know whether there is some cryptography wizardy that would make sure the data came from that server. For example, someone can edit their hosts file and use a … Continue reading Make sure the data came from the server
I’m a little confused about XSS vulnerabilities when serving img.src and background url. From what I understand, the only way to execute javascript in this case, is to use javascript protocol. Let’s consider this example:
if (location.has… Continue reading XSS vectors in img src and background-image url