Collaborate Disseminate
It’s sometimes possible to use an alternate encoding to get around security checks (CAPEC-267). While the JSON spec may be strict on what is valid, popular parsers don’t necessarily conform perfectly [1].
My question is thu… Continue reading Are JSON key names vulnerable to alternate encoding (CAPEC-267) attacks?
Scrypt produces a binary hash of a password. Instead of storing it as bytes directly, we are considering to store the Base64 encoding of this string.
Would that make the password hash more vulnerable in case of a leak? The p… Continue reading Does storing Base64 encoding of scrypt password hash make it more vulnerable?
Sending Input as: redirect?URL=domainx.com”><“javascript:alert(0)
Getting Response as: domainx.com%22%3E%3C%22javascript:alert(0)
From the response received, it is clear that web app has input encoding in place. I am … Continue reading How to bypass double quote character encoding to trick browser to execute an XSS alert?
When a third party script executed within the same site for tracking purposes creates a persistent or tracking cookie most often as supercookie on *.example.com
google analytics is an example but it will never create a double encoded cookie values, but i have often seen other providers do have bugs such as double encoded cookie values like http%253A%252F%252F
The article doesnt explain much about what risk factors exists:
https://www.owasp.org/index.php/Double_Encoding
RFC6265 is not so strict:
The origin server is free to ignore the Cookie header.
and the syntax 4.1.1 allows for %, e.g. URI based encoding fits in which by the RFC for URIs should only be encoded once.
Another example is JSON double URI encoded
As we classify this type of cookie not used in any server context apart from sending that back to client. Based on client context in which that is used it may create XSS, but also browser based plugins may add cookie which falls in the same classification, MITM may alter cookie, or cookie highjacking from http->301->https via WIFI, etc.
Supposed that HTTPS is in place and all other security headers are sent
Are these real treats and what are the risks and security implications of allowing double encoded cookie values?
Continue reading What are the risk implications of allowing double encoded cookie values?
When a third party script executed within the same site for tracking purposes creates a persistent or tracking cookie most often as supercookie on *.example.com
google analytics is an example but it will never create a double encoded cookie values, but i have often seen other providers do have bugs such as double encoded cookie values like http%253A%252F%252F
The article doesnt explain much about what risk factors exists:
https://www.owasp.org/index.php/Double_Encoding
RFC6265 is not so strict:
The origin server is free to ignore the Cookie header.
and the syntax 4.1.1 allows for %, e.g. URI based encoding fits in which by the RFC for URIs should only be encoded once.
Another example is JSON double URI encoded
As we classify this type of cookie not used in any server context apart from sending that back to client. Based on client context in which that is used it may create XSS, but also browser based plugins may add cookie which falls in the same classification, MITM may alter cookie, or cookie highjacking from http->301->https via WIFI, etc.
Supposed that HTTPS is in place and all other security headers are sent
Are these real treats and what are the risks and security implications of allowing double encoded cookie values?
Continue reading What are the risk implications of allowing double encoded cookie values?
In a web page, they are storing some value in the database, let’s say a title of our content, and whenever someone visits the page they are displaying the same title in tag so I injected this payload,
</TITLE><SCRI… Continue reading How to bypass character encoding in XSS attack?
In a web page, they are storing some value in the database, let’s say a title of our content, and whenever someone visits the page they are displaying the same title in tag so I injected this payload,
</TITLE><SCRI… Continue reading How to bypass character encoding in XSS attack?
I read in a lot of articles including
this
and this one
that we should always use a
function to encode the CR and LF special characters to prevent CRLF Injection,
but AFAIK to perform this attack the malicious user nee… Continue reading prevent CRLF Injection using encoding
CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509…
Read the full post at darknet.org.uk
On the OWASP site on XSS it says that it is safe to put userdata in GET parameter values when encoded.
However, userdata should not be used anywhere else, so not in the scheme, the domain or parameter names. Unfortunately I … Continue reading why is it insecure to use userdata in url parameter names?