httpOnly Session Cookies in an iframe context in the future w/o SameSite=None

My website is using session cookies (w/ SameSite=Lax, secure, httpOnly attributes) and a CSRF Token stored in localStorage. Recently I developed a teams app, which essentially loads the website through an iframe (there is no other option t… Continue reading httpOnly Session Cookies in an iframe context in the future w/o SameSite=None

Is it possible to trick a user into logging in to a site, then stealing a non HttpOnly cookie that will be set after they log in?

If a user has already logged in, and then the site sets a non HttpOnly cookie, then it seems possible to trick the user into doing something that would lead to the cookie being stolen.
If the cookie expires after one minute, it seems like … Continue reading Is it possible to trick a user into logging in to a site, then stealing a non HttpOnly cookie that will be set after they log in?

How Google plans to make stolen session cookies worthless for attackers

Google is working on a new security feature for Chrome called Device Bound Session Credentials (DBSC), meant to prevent attackers from using stolen session cookies to gain access user accounts. Session (i.e., authentication) cookies are stored by brows… Continue reading How Google plans to make stolen session cookies worthless for attackers

how to send cookies or token in local storage to a remote server using reflected XSS

I have an XSS vulnerability identified by <script>alert(1);</script> in the url.
So when I put it in the url it gets executed (ex: www.example.com/admin/<script>alert(1);</script> ).
I also tried after loggin in, an… Continue reading how to send cookies or token in local storage to a remote server using reflected XSS

Session/cookie expire time, match access token or refresh token from AD?

I am tasked with moving away from implicit flow in a SPA. It is a basic solution consisting of a react SPA and a .net API, on the same domain. This web app is a case management solution that deals with medical data, running in a private ne… Continue reading Session/cookie expire time, match access token or refresh token from AD?