WindowsTechs.com

Author Archives: SaAtomic

Web-Application with CORS Origin: * using authorization header

Posted on September 21, 2018 by SaAtomic

As stated here, https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS at “Credentialed requests and wildcards”. Quote:

When responding to a credentialed request, the server must specify an
origin in the value of the Ac… Continue reading Web-Application with CORS Origin: * using authorization header→

Posted in Authorization, CORS, header, same origin policy, web-application

Differ between encrypted and unencrypted FTP (21) without login

Posted on September 14, 2018 by SaAtomic

I’m looking at an IP range as a part of a project and discovered several FTP servers. They all run vsftpd (3.0.2) on port 21.

I do not have login credentials and anonymous logins are disabled. Can I somehow identify whether t… Continue reading Differ between encrypted and unencrypted FTP (21) without login→

Posted in FTP, sftp

Check for insecure CORS settings with cURL

Posted on November 15, 2017 by SaAtomic

I’m trying to verify the CORS settings of a website using cURL. The following command should let me check whether the CORS settings can be considered as secure or if requests may be made across origins.

I’m performing a pref… Continue reading Check for insecure CORS settings with cURL→

Posted in burp-suite, CORS, header, HTTP, proxy

Check the "security" of a password [on hold]

Posted on November 14, 2017 by SaAtomic

I’m trying to find a tool to validate the security of a password and I’ve come across cracklib or libcrack2 (on Debian), which seems to be used a lot for the task and appears to do exactly what I wanted.

However, it does not… Continue reading Check the "security" of a password [on hold]→

Posted in entropy, password cracking, password policy, passwords

Blackbox URL matching mechanism bypass for an open redirect

Posted on September 14, 2017 by SaAtomic

I’m currently testing a web application, which appears to have an open redirect vulnerability, since they receive a parameter redirect_url via GET. The application redirects the user to this URL later on.
However, they do som… Continue reading Blackbox URL matching mechanism bypass for an open redirect→

Posted in penetration-test, url, url-redirection, web-application

Angular web application in development mode

Posted on September 6, 2017 by SaAtomic

I’m currently testing a web application developed with Angular. I’ve noticed the following in the browser console:

Angular is running in the development mode. Call enableProdMode() to enable the production mode.

I’m not ver… Continue reading Angular web application in development mode→

Posted in penetration-test, web-application

Security risks with handling ZIP archives in web applications

Posted on August 28, 2017 by SaAtomic

I’m researching possible security risks when handling ZIP files, or archives in general, in web applications.

The scenario is the following. The user is able to upload any ZIP (or in general an archive) file, the web applica… Continue reading Security risks with handling ZIP archives in web applications→

Posted in Exploit, Vulnerability, web-application, zip

Fake a client camera for a web application in the desktop browser

Posted on June 20, 2017 by SaAtomic

I’m testing a web application, where I came across a button. This button is supposed to start the client’s camera application and then allow the user to upload a photo.

As I am testing from a virtual machine, there is no cam… Continue reading Fake a client camera for a web application in the desktop browser→

Posted in Mobile, web browser, web-application | Tagged spoofing

Role of the chosen ciphersuite in an SSL/TLS connection

Posted on May 26, 2017 by SaAtomic

When it comes to a secure TLS configuration (e.g. for HTTPS), the topic is prominently about the supported cipher suites.

I want to fully understand which part of the cipher suite has which role in an SSL/TLS connection.

So from what I un… Continue reading Role of the chosen ciphersuite in an SSL/TLS connection→

Posted in Ciphers, Cryptography, hash, key-exchange, TLS

Content-type validation in REST APIs

Posted on March 22, 2017 by SaAtomic

I’m trying to wrap my head around, why it is advised to validate the content-type, sent by a client to a REST API.

OWASP states in their REST Security Cheat Sheet:

When POSTing or PUTting new data, the client will specif… Continue reading Content-type validation in REST APIs→

Posted in API, header, HTTP, OWASP, rest

Copyright © 2026 WindowsTechs.com. All Rights Reserved.