Collaborate Disseminate
I’m working on a project where we aim to have a separate database for each tenant. In our setup, there is a central database (and API) containing a "users" table that stores usernames and passwords for all users. Additionally, th… Continue reading How to keep membership in sync in a multi tenant architecture with per tenant database?
I read on this topic that, after performing a payment, websites can store and read:
Your PAN
Your zip code / cardholder name / any information you input on a website that has fillable informations within the website itself (like Tinder)
… Continue reading What informations can a website store about my credit card? [closed]
Today this came to my attention.
When generating random secrets for e.g. JWT (in node.js the most common way is using the crypto.randomBytes() method), I have noticed a lot of people save these tokens in a base64-encoded manner (i.e. crypt… Continue reading Randomly generated secrets: encoding the random bytes in base64 vs keeping them
Current projects webs application utilises a cookie based approach to store users auth token. Implemented with secure and http-only attributes set. All traffic over https. The application loads third party javascript from a range of extern… Continue reading Storing auth token in html
Trying to allow a CLI to "login" via web browser and obtain an access token for the user’s account, similar to how gcloud and github’s CLI do it. I realize it’ll be using the OAuth Authorization Code flow.
But what about the clie… Continue reading OAuth Authorization Code for CLI
We want users of our service to be able to write programs/scripts that act on their (i.e. the user’s) behalf.
I’ve seen various services (github, digital ocean, gitlab) use Personal Access Tokens (PATs) for that purpose.
Is this not someth… Continue reading Personal Access Tokens vs OAuth
I am a website developer (mainly using MVC.NET). Recently, we have been contacted by a hacker. He claimed that he knows our admin URL. The problem is we do not publish or put the admin URL anywhere on our webpage. The only place where the … Continue reading How does msnbot keep finding my unpublished admin url?
We have a game that is built on the client side. People who get past a certain level are eligible to enter a raffle. This is done by sending a request to an endpoint from the client once they get past level N. But this is prone to someone … Continue reading How to secure an enpoint to prevent programatic calls from the client?
I received a suspicious looking SMS today with a link.
I checked out the page source code and came across this script between the <head> tags:
<script async="" src="/cdn-cgi/challenge-platform/h/b/scripts/invisible…. Continue reading Decoding suspicious Javascript
I am using THC Hydra (v9.0) on GNU/Linux to pentest my private API.
The GET route in question requires a key as GET parameter which returns an auth token if the correct key was submitted else "false".
If no key or a wrong key is … Continue reading THC Hydra sends GET request without parameter before actual request with parameter which causes authentication problems