Collaborate Disseminate
If a webapp sends Cache-Control: private it shouldn’t be cached for example with nginx proxy_cache. What could happen if it was cached anyhow? Could another visitor see the personalized login of another user? Might another visitor then bei… Continue reading Can server-side caching misconfiguration lead to stolen logins?
I found most CDNs allow the user to claim any domains to be the backend, I wonder why they do this instead of verifying if the user owns the backend domain. If I have myowndomain.com and set the backend to be facebook.com, wouldn’t it be a… Continue reading Why do CDNs allow arbitrary backend to be set, is it not a big security concern?
For a few years now, Microsoft has offered Azure Cache for Redis, a fully managed caching solution built on top of the open-source Redis project. Today, it is expanding this service by adding Redis Enterprise, Redis Lab’s commercial offering, to its platform. It’s doing so in partnership with Redis Labs and while Microsoft will offer […] Continue reading Microsoft partners with Redis Labs to improve its Azure Cache for Redis
Whose fault was it – Twitter or Firefox? (It’s fixed now, to be clear.) Continue reading Twitter warns users – Firefox might hold on to private messages
I am recently exploring and playing with James Kettle’s Practical Web Cache Poisoning attack. The last part of his post mentioned that Cross-Cloud Poisoning is possible, however, I can’t find a way to make it work.
I think the basic idea… Continue reading Remotely poisoning Cloudflare’s cache servers by James Kettle’s Web Cache Poisoning Attack?
I own a Shopify store that does flash sales. It uses cloudflare to manage the server caching of my products.json file. However, it seems like people are able to monitor my products.json and bypass the cache. I want the cache there because … Continue reading How to prevent people bypassing my server cache? [migrated]
Are there any services provided by CDN or others which hunt for fake bank pages cached in CDNs and scrub these pages – based on closely matching names, CSS styles, colors, etc.?
A bank claims that its customer login pages cannot be cached – apparently because there’s some unique number associated with each instance of a page rendered on the client browser. Supposedly, a customer trying to log in to t… Continue reading protecting login pages of a bank using CDN and TLS [closed]
For an API, I know that passing tokens in the url has the following security implications:
They get saved in browser history
They’re probably saved in your server’s logs and memory
Users might post the link, not realizing… Continue reading Websockets: Is it safe to allow tokens in url parameters?
I’m having a hard time finding relevant documentation from Microsoft (or any third party, for that matter) about any registry key that may change the cost factor of cached credentials.
One can control how many logons are sto… Continue reading Can the cost factor be changed of Windows’ credential cache?