Collaborate Disseminate
Picture a state of the art implementation of a website registration and login system.
I’m interested in analyzing what a defender gains and loses by feeding the user password to a key-stretching KDF function (e.g. argon2).
Let’s start from… Continue reading On the gains and losses of an additional client side stretching of the user password
Picture a state of the art implementation of a website registration and login system.
I’m interested in analyzing what a defender gains and loses by feeding the user password to a key-stretching KDF function (e.g. argon2).
Let’s start from… Continue reading On the gains and losses of an additional client side stretching of the user password
I don’t know the technical possibilities of this attack, but the scenario as I will explain below sounds probable. So here it is.
I have a mobile app that does computation on the users phone and send the result to a database that can only … Continue reading What are the methods to prevent and detect front-end behavior alterations in mobile apps?
Let’s say I want to deploy a simple static website (with no backend server) with some protected pages only visible after entering a password.
I could write a hardcoded salted hashed password and encrypt the protected data with it, but the … Continue reading Is any client-sided password just security by obscurity?
I have a parameter whose value is injected in the HTML as the following
<script src="/dir1/dir2/dir3/dir4/INJECT_HERE"> </script>
I was able to traverse back to just / but when I enter my xss hunter payload (let say … Continue reading How to turn a relative path script (js) import to an absolue one with a url for XSS ? (more details below)
Has anyone figured out a solution to this? I seem to have gotten to the same conclusion with no solution.
If I were to go the my app’s checkout page, the payintent is created in the backend (explained the process below). So no after the pa… Continue reading How to prevent shopping cart alterations in another tab when paymentintent is already created?
We have a game that is built on the client side. People who get past a certain level are eligible to enter a raffle. This is done by sending a request to an endpoint from the client once they get past level N. But this is prone to someone … Continue reading How to secure an enpoint to prevent programatic calls from the client?
I want to use a commercial VPN. It’s more reliable when using their own client, since it can automatically select and switch servers etc. But what about the security?
On my Android phone, the apps are isolated from each other, so having a … Continue reading Can you trust VPN clients on Windows?
Session keys are generated during TLS handshake and are transferred from clients to server through asymmetric encryption FOR ONCE.
However, I have heard that session keys are single-use, which mean a new set of session keys are going to be… Continue reading How are session keys transferred between a client and a server?
I’m trying to create a mobile app which helps to connect with my mobile app. While going through authentication I used JWT. While authenticating it, it returns access token and refresh token to the client but if both of them are sniffed so… Continue reading How to send JWT Access token with requests without being sniffed?