What are the risks with leaving the offending anchor portion of an URL in a failed client-side XSS attack?

As a simple example, let’s assume that I have implemented a key-value lookup within a pre-populated, static JavaScript dictionary. Let’s say that the dict is:

a = { 'one': 'uno', 'two': 'dos' };

The dict is accessed with


Is pure client-side security better or worse (from a security point of view) than pure server-side security in client-server software?

I’d like to know in general which of the two types of security is the best in all aspects that may refer to security (we can use the general aspects of security: integrity, availability, authenticity and integrity).

Ma…

How can I allow only authorized users to access a website using any certificate and how to implement in PHP?

I will create a certificate. This certificate will be installed on the customer’s system. When accessing the website xxx.xom, PHP checks whether the certificate is valid. If so, the user gets access to the website. If the cer…

Using client certificate from a file and a key pair from a hardware token

The question is about TLS client authentication using a browser. I have been using a smart card to authenticate to certain web sites. However, the card is a bit old and for whatever reason importing certificates does not work…

Clickjacking when essential JavaScript code accesses attribute of ‘top’?

Given a website which doesn’t use any protection specifically against Clickjacking (no X-Frame-Options or CSP), but which does access an attribute of top in essential JavaScript code, e.g.:

// http://localhost/jack.html
<sc…