On the gains and losses of an additional client side stretching of the user password

Picture a state of the art implementation of a website registration and login system.
I’m interested in analyzing what a defender gains and loses by feeding the user password to a key-stretching KDF function (e.g. argon2).
Let’s start from…
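The scheme the question refers to, as an added example that is not part of the original post: the client stretches the password before sending it, and the server then treats the stretched value as the credential and hashes it again with its own random salt. Everything here is an assumption for illustration: the application tag, the username normalisation, the scrypt parameters, and the use of scrypt (available in the standard library) as a stand-in for argon2. The client stretch has to be deterministic, because the browser has no stored per-user salt, so its salt is derived from the username.

```python
import hashlib
import hmac
import os

# Constructed for this example: a fixed tag that binds the client-side
# stretch to this site, so the same password used elsewhere stretches to
# a different value.
CLIENT_TAG = b"example-app-v1"

# Cost parameters kept small so the example runs quickly; a deployment
# would use far larger ones. scrypt stands in for argon2 here.
N, R, P, DKLEN = 2**12, 8, 1, 32


def client_stretch(username: str, password: str) -> bytes:
    """Client side: deterministic stretch of the password.

    The salt is derived from the (normalised) username because the client
    cannot store a random salt before the user is known to the server.
    """
    salt = hashlib.sha256(CLIENT_TAG + username.strip().lower().encode()).digest()
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)


def server_register(stretched: bytes) -> dict:
    """Server side: the stretched value is now the credential, so it is
    salted and hashed again exactly as a raw password would be."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(stretched, salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return {"salt": salt, "digest": digest}


def server_verify(record: dict, stretched: bytes) -> bool:
    """Server side: recompute with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(stretched, salt=record["salt"], n=N, r=R, p=P, dklen=DKLEN)
    return hmac.compare_digest(digest, record["digest"])


def password_equivalent_leak(record: dict, stretched: bytes) -> bool:
    """The loss side of the trade-off: whoever captures the stretched value
    (from the wire, a log, or the client) can log in without ever knowing
    the password, because the server only ever sees the stretched value."""
    return server_verify(record, stretched)


if __name__ == "__main__":
    # Constructed sample credentials.
    s = client_stretch("alice", "correct horse battery staple")
    rec = server_register(s)
    print("login ok:", server_verify(rec, s))
    print("wrong password:", server_verify(rec, client_stretch("alice", "wrong")))
    # A captured stretched value replays successfully: it is a password equivalent.
    print("replay of captured stretch:", password_equivalent_leak(rec, s))
```

Two consequences follow from the code itself: an attacker who only has the server database must run both stretches per guess, which is the gain, while an attacker who captures the stretched value in transit or on the client needs neither, which is the loss. Changing the client-side parameters or tag later also invalidates every stored record, because the server never saw the original passwords.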

What are the methods to prevent and detect front-end behavior alterations in mobile apps?

I don’t know the technical possibilities of this attack, but the scenario as I will explain below sounds probable. So here it is.
I have a mobile app that does computation on the user’s phone and sends the result to a database that can only …

How to turn a relative path script (js) import into an absolute one with a URL for XSS? (more details below)

I have a parameter whose value is injected in the HTML as the following
<script src="/dir1/dir2/dir3/dir4/INJECT_HERE"> </script>

I was able to traverse back to just / but when I enter my XSS Hunter payload (let’s say …

How to prevent shopping cart alterations in another tab when a PaymentIntent is already created?

Has anyone figured out a solution to this? I seem to have gotten to the same conclusion with no solution.
If I were to go to my app’s checkout page, the PaymentIntent is created in the backend (explained the process below). So no after the pa…

How to secure an endpoint to prevent programmatic calls from the client?

We have a game that is built on the client side. People who get past a certain level are eligible to enter a raffle. This is done by sending a request to an endpoint from the client once they get past level N. But this is prone to someone …

How are session keys transferred between a client and a server?

Session keys are generated during TLS handshake and are transferred from clients to server through asymmetric encryption FOR ONCE.
However, I have heard that session keys are single-use, which means a new set of session keys are going to be…