xsrf – WindowsTechs.com

Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider

Posted on March 9, 2024 by xsrf

To help developers with integrating with our SAML/OAuth/OIDC Identity Provider on their local dev environments, I’m thinking about configuring a demo client/app in our production IdP that has localhost configured as valid redirect url (OAu… Continue reading Risks with having a "localhost" service configured on a production SAML/OAuth/OIDC Identity Provider→

Google Password Manager vs Have I Been Pwned [closed]

Posted on January 22, 2024 by xsrf

so I checked my passwords with the Google Password Manager integrated into Chrome.
Google shows me Passwords as "hacked" that https://haveibeenpwned.com/Passwords says are fine, and also Google lists Passwords as okay/weak that h… Continue reading Google Password Manager vs Have I Been Pwned [closed]→

Ignore HSTS preloading in browsers [migrated]

Posted on December 12, 2023 by xsrf

Google Chrome (and other browsers) do a great job preventing the user from viewing non-TLS sites or sites with invalid certificates by using HSTS preloading. So good actually that I can’t find a way to open the site in Google Chrome at all… Continue reading Ignore HSTS preloading in browsers [migrated]→

Did Android remove Fingerprint/Passcode for WebAuthN and lower security to push Passkeys?

Posted on November 25, 2023 by xsrf

So, before this year, when you were using WebAuthN to create security keys on an up to date Android phone (Pixel 6 in my case), you had these options (iirc):
When creating a platform authenticator, you were offered Fingerprint/Passcode. Wh… Continue reading Did Android remove Fingerprint/Passcode for WebAuthN and lower security to push Passkeys?→

AES Encryption as XSS protection for url parameters?

Posted on November 7, 2022 by xsrf

So, I found a website that uses AES encryption to prevent XSS and I’m wondering if this approach is inherently flawed.
It has an endpoint like execute.php?code=encryptedPayload which de-crypts the payload and directly executes it as JavaSc… Continue reading AES Encryption as XSS protection for url parameters?→

Visa Secure / TAN App showing wrong amount charged [closed]

Posted on May 15, 2021 by xsrf

So, the other day I was charging my prepaid VoIP account from sipgate.de via credit card payment. I chose 10 Eur which is the default and entered my card details.
As usual, I was redirected to a different payment processor which itself red… Continue reading Visa Secure / TAN App showing wrong amount charged [closed]→

Open redirect exploit I don’t understand – what is it used for?

Posted on May 1, 2021 by xsrf

History
I’ve worked on a website that had kind of an open redirect by design. It was explicitly used to send users to an external destination. It had a long paragraph stating that the following Link is an external destination we have no co… Continue reading Open redirect exploit I don’t understand – what is it used for?→

Preventing open redirects / xss on a variable return url / iframe

Posted on July 30, 2020 by xsrf

Let’s assume I have a website where I have to either redirect the user to another URL or include another URL in an iframe, that is given by a GET parameter.
I cannot use HMAC when the URL is created. The site is designed to work with relat… Continue reading Preventing open redirects / xss on a variable return url / iframe→