Why aren’t passwords also hashed on client side on desktop applications?

My understanding of the standard best practice way to handle passwords is:

Establish a secure encrypted connection between client and server.

Client sends password in plaintext over this encrypted connection.

Server gets plaintext passw…
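The server side of the flow the question describes (plaintext password arrives over TLS, the server salts and hashes it and keeps only the hash), as an added example that is not part of the original post. It uses scrypt from Python's standard library; the work-factor parameters, the record format and the `register`/`login` helpers are this example's own choices, not anything the question specifies.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Hypothetical work-factor parameters chosen for this example; tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of random salt per user
DKLEN = 32      # bytes of derived key to store


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and pack it with its parameters.

    The returned string is what the server stores; the plaintext password
    is discarded as soon as this function returns.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# A dummy record so that a login attempt for an unknown user costs the same
# as one for a real user, which makes username enumeration via timing harder.
_DUMMY_RECORD = hash_password("dummy-password-never-valid")


def register(store: Dict[str, str], username: str, password: str) -> None:
    """Server side of sign-up: store only the salted hash, never the password."""
    store[username] = hash_password(password)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    """Server side of login: `password` is the plaintext that arrived over TLS."""
    record = store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then refuse
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users: Dict[str, str] = {}
    register(users, "alice", "correct horse battery staple")
    print(users["alice"])  # parameters, salt and digest, no plaintext
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))                         # False
    print(login(users, "nobody", "anything"))                     # False
```

The stored record carries its own parameters so the server can raise the work factor later and re-hash users on their next successful login without a schema change.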

Why does Cross-Origin-Opener-Policy prevent opening links to the same-origin/domain when target="_blank" is used?

Let’s say you serve a website with the header Cross-Origin-Opener-Policy: same-origin. This is a new header that, if I understood it correctly, completely separates a browsing tab/origin to prevent against such low-level attacks like CPU-m…

Public client or Confidential client: should I generate a client secret?

I’ve read about this but I don’t fully understand how to choose.
I have two options:
Public client

"A native, browser or mobile-device app. Cognito API requests are made from user systems that are not trusted with a client secret."…

Security in Angular: Addressing XSS Concerns with External Libraries and Interpolation

Introduction:
We heavily use external libraries, such as DataTables, in combination with interpolation. In Angular, we’ve identified two primary XSS prevention strategies:

Interpolation ({{ }})
Direct Sanitization with DomSanitizer.saniti…

Best practice of X.509 client certificates across multiple systems

I have several MongoDBs where I use X.509 certificates to authenticate clients.
Let’s say I create certificate and user for admin:
subject: CN=admin
issuer: CN=MongoDB Issuing CA

-> db.createUser({user: "CN=admin"})

When I p…

How does the MITM attack work when a client does not check the hostname vs the certificate? [duplicate]

One of the Paho MQTT client SSL options allows checking whether "a certificate matches the given host name.". If I enable this option then I cannot establish a TLS connection to MQTT using an IP address. In case it is relevant: t…
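What the "certificate matches the given host name" check actually decides, as an added example that is not part of the original post or of the Paho client. It works on certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the three certificates and the `accept_peer` helper are constructed for this example, and the name-matching rules follow RFC 6125 (one-label wildcards, IP targets only matched against iPAddress SAN entries, CN consulted only when no dNSName is present). It also shows why connecting by IP address fails unless the certificate carries that IP as a SAN.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample certificates (not real broker certificates) in the dict
# shape that ssl.SSLSocket.getpeercert() returns.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "mqtt.example.net"),),),
    "subjectAltName": (("DNS", "mqtt.example.net"),
                       ("DNS", "*.broker.example.net")),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "mqtt.example.net"),),),
    "subjectAltName": (("DNS", "mqtt.example.net"),
                       ("IP Address", "192.0.2.10")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "legacy.example.net"),),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive, '*' covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".broker.example.net"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_matches_target(cert: Dict, target: str) -> bool:
    """Return True when the certificate was issued for `target`.

    `target` is whatever the client passed to connect(): a DNS name or an
    IP address literal. An IP target only matches an iPAddress SAN entry;
    neither a CN nor a dNSName vouches for an IP address.
    """
    sans: Tuple[Tuple[str, str], ...] = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == target_ip
                   for kind, value in sans)

    dns_names: List[str] = [value for kind, value in sans if kind == "DNS"]
    if not dns_names:
        # Legacy fallback: consult the subject CN only when no dNSName SAN exists.
        dns_names = [value for rdn in cert.get("subject", ())
                     for kind, value in rdn if kind == "commonName"]
    return any(_dns_name_matches(p, target) for p in dns_names)


def accept_peer(cert: Dict, target: str, check_hostname: bool) -> bool:
    """The client's decision once chain validation has already succeeded.

    With check_hostname=False, any certificate the trust store accepts is
    good enough whatever name it was issued for; that is the gap an
    interceptor holding some other valid certificate steps into.
    """
    if not check_hostname:
        return True
    return cert_matches_target(cert, target)


if __name__ == "__main__":
    print(accept_peer(CERT_DNS_ONLY, "mqtt.example.net", True))   # True
    print(accept_peer(CERT_DNS_ONLY, "192.0.2.10", True))         # False: no IP SAN
    print(accept_peer(CERT_WITH_IP_SAN, "192.0.2.10", True))      # True
    print(accept_peer(CERT_DNS_ONLY, "192.0.2.10", False))        # True: check skipped
```

The practical fix for the IP-address case is therefore not to disable the check but to issue the broker a certificate whose SAN lists the IP, or to connect by a DNS name the certificate covers.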