user1709076 – WindowsTechs.com

Rust WASM’s web_sys add_event_listener_with_callback "callback" is actually an eval() function under the hood. Isn’t this dangerous?

Posted on November 18, 2022 by user1709076

Rust WASM’s web_sys add_event_listener_with_callback "callback" is actually an eval() function under the hood. Isn’t this dangerous? if so, how?
Here is a link to js_sys function, which describes the use of eval (to bind to any … Continue reading Rust WASM’s web_sys add_event_listener_with_callback "callback" is actually an eval() function under the hood. Isn’t this dangerous?→

window.history.pushState as a solution to document.referer

Posted on December 3, 2021 by user1709076

the problem:
Having URL parameters in a web page URL address to add functionality to a website (authenticate/authorize showing stuff in the UI, being used in further http requests on load, etc.) can pose a security risk because when an end… Continue reading window.history.pushState as a solution to document.referer→

Tactics to ensure payload has not been modified

Posted on June 7, 2021 by user1709076

When sending a request (POST, PUT, etc). I have a security requirement to ensure that the data in the payload has not been tampered with.
In other words I need to know with certainty that the data entered was entered by the user and has no… Continue reading Tactics to ensure payload has not been modified→

ThinkPHP show my website as the req.host – did the request really come from my web server?

Posted on April 29, 2021 by user1709076

I have ThinkPHP wordpress garbage coming at my server https://medium.com/@knownsec404team/analysis-of-thinkphp5-remote-code-execution-vulnerability-5de8a0afb2d4
, for example:
/public/index.php?s=index/%5Cthink%5Capp/invokefunction&fun… Continue reading ThinkPHP show my website as the req.host – did the request really come from my web server?→

Best methods to mitigate DDOS with changing IP sources

Posted on March 2, 2021 by user1709076

Source ip addresses can be spoofed. And because of IPv6 it is not enough to keep a look-up table of ip addresses that are excluded from visiting a website, because with ipv6 there are now enough ip addresses for a single sender to spoof to… Continue reading Best methods to mitigate DDOS with changing IP sources→

CSP allowing Base64 encoded images without unsafe-eval

Posted on December 11, 2020 by user1709076

If I allow base64 encoded images to load on my website, but I do not have unsafe-eval enabled, nor have I allowed ‘inline-script’ would my site still be at risk by allowing base64 encoded image data to be painted onto images that might hav… Continue reading CSP allowing Base64 encoded images without unsafe-eval→

security difference between sudo make install versus sudo su make install

Posted on October 15, 2020 by user1709076

Is there a security difference between doing
sudo make install

versus two step
sudo su

and then typing
make install

The reason I’m asking is because a security requirement to install some software says you must type exactly ‘make instal… Continue reading security difference between sudo make install versus sudo su make install→

Safety difference between running on localhost versus the private internal ip address?

Posted on October 13, 2020 by user1709076

I am wondering if there is any additional security increase by choosing to run your webserver on an internal private ip address and port like xyz.ab.cd.efg:8080 versus localhost:8080 or 127.0.0.1:8080
If so, what does this mitigate against… Continue reading Safety difference between running on localhost versus the private internal ip address?→

HAProxy FIPS Compliance

Posted on October 10, 2020 by user1709076

I have successfully built OpenSSL-FIPS according to specifications and am wondering if I configure the OpenSSL path in HAProxy (or any other reverse proxy for that matter) to use the OpenSSL-FIPS install, wouldn’t the reverse proxy also be… Continue reading HAProxy FIPS Compliance→

mongodb –auth option

Posted on February 10, 2017 by user1709076

Suppose I run mongodb as a service with the –auth option (requiring a username and password to CRUD data) in an AWS EC2 shell (which does not ask for a password when you sudo)

Now, suppose someone has hacked into the termin… Continue reading mongodb –auth option→