Do object-src and base-uri bypasses still work on Content-Security-Policies?

I’m assessing the security level of a webapp and one of the test cases is the CSP header. I always use the Google CSP evaluator to assess the header. Let’s consider the following CSP header:
Content-Security-Policy:
img-src 'self' https://…

Understanding CSP: report shows blocked <script> that shouldn’t have been blocked

I’m having trouble making sense of some reported CSP violations that don’t seem to actually be violations according to the CSP standard. I have not managed to reproduce the violations in my own browser, and based on my own testing I belie…

Is nonce useless when user input is reflected within an inline script?

I stumbled upon a web app which is accepting user input and putting it into a variable within script tag.
The script tag does have a nonce attribute.

As I am working on bypassing the XSS filter, I had this thought that this practice of refl…

Accelerating web security for a global retailer

Tala’s Cloudflare-certified integration module makes deploying enterprise-grade web security easy.
The post Accelerating web security for a global retailer appeared first on Security Boulevard.

Chrome showing NET::ERR_CERT_REVOKED but working IE

Chrome (Version 84.0.4147.105 (Official Build) (64-bit)) is not able to access an HTTPS website and gives a NET::ERR_CERT_REVOKED error while trying to load the website. On the other hand, IE does allow access to the site. Just wanted to u…