Collaborate Disseminate
I have recently been reading about reverse tabnabbing, where a child window can change the url of the parent window if it has access to window.opener (which it has by default unless you explicitly disallow it)
In this case the phishing att… Continue reading Reverse tabnabbing: why not redirect the user in the new tab itself instead of the parent tab?
Basically all in the title.
Imagine a simple CSP like
Content-Security-Policy: script-src ‘self’
What is the behaviour of directives that would normally fall back to default-src which are not specified such as img-src or frame-src? Will t… Continue reading What is the behaviour of CSP if default-src not specified?
I found a website that has a very strict but malformed Content Security Policy of the form:
Content-Security-Policy: script-src none
which should actually be
Content-Security-Policy: script-src ‘none’
Firefox shows warnings
Content Secu… Continue reading Is it possible to bypass malformed Content Security Policy missing quotes?
DOM XSS and client prototype pollution-based XSS have one thing in common, we are modifying the pre-existing JavaScript code to popup an alert(1). Will CSP mitigate XSS in this case? Theoretically, JavaScript is already there and we aren’t… Continue reading Does CSP mitigate against client prototype pollution XSS and DOM XSS?
I am performing a security assessment on a web application and I found it doesn’t have the Content-Security-Policy, but instead it has Content-Secure-Policy. It is literally the first time I’m seeing such a case and I would like to know:
A… Continue reading Content-Secure-Policy headers
I’m wondering if I’m risking anything if I use
style-src-attr ‘unsafe-hashes’ <hash>
in my CSP header.
I need to allow an external script to run, and it uses the style attribute on some elements.
I have no control over the external … Continue reading What do I risk if I use CSP header style-src-attr ‘unsafe-hashes’ <hash>
Hello i am developing an app that collects some private data from my clients. My clients wont like it if i am able to read the data. So the data is encrypted in cleint side with a key say "xyz",which is auto generated when client… Continue reading Save encrypted data in server . With no way for server to read actual data
if the url (generated by me on ngrok and listening to it) supplied in the blocked-uri parameter of another csp report submitted to a sentry server, is getting get requests from cache.google.com and other cache servers like atmc and ncren n… Continue reading Is this usual occurrence or SSRF?
if the url (generated by me on ngrok and listening to it) supplied in the blocked-uri parameter of another csp report submitted to a sentry server, is getting get requests from cache.google.com and other cache servers like atmc and ncren n… Continue reading Is this usual occurrence or SSRF?
Of the security headers listed here: https://owasp.org/www-project-secure-headers/ which ones should be sent with static files (css, js, images etc) and what does setting them each achieve in that context. Assuming a situation where they a… Continue reading Which security headers should be sent with static files such as css/js/images