Collaborate Disseminate
I might have found a way to highjack an Oauth Flow, but the source server is responding with 403 errors when the Oauth request is sent with a Sec-Fetch-Dest HTTP header.
Is there a way to alter or disable such headers like the referer poli… Continue reading Is it possible to disable or change sec-fetch-* HTTP headers?
Actually I’m using Linux and I would like to see the DRM protected contents offered by nowtv.it because I have a paid account with them.
The browsers supported by nowtv.it are :
Google Chrome version 102 or later (on MAC and Windows)
Moz… Continue reading Linux OS / Windows User Agent does not work for nowtv.it [closed]
I’m studying the basics of XSRF on Portswigger and I’ve completed Lab: CSRF vulnerability with no defenses with FireFox. I attempted to go a step further by completing the same lab from the terminal. However when I send a request to the se… Continue reading Unable to login to Portswigger lab website with curl or javascript [closed]
My client says their API traffic must take the path WAF -> Custom Firewall -> Backend API. Also, mTLS must be terminated after the traffic has gone through the network appliance.
I have created an Envoy proxy that can perform mTLS be… Continue reading Using HTTP header to transmit client certificate for mTLS
I am attempting to inject a carriage-return + newline in a HTTP request header value. My understanding is that this is possible with HTTP/2 and HTTP/3. However, when I send a request with Burp I get this error:
RST_STREAM received with er… Continue reading CRLF in HTTP/2 header value
cURL is returning a 200 status code after correct login. The common response code after user login should be 302. Why am I not receiving this status code? All information is provided below.
#!/usr/bin/env zsh
printf "\nsending raw re… Continue reading cURL not returning status 302 after correct login for Hack the Box Machine ‘Crocodile’
If I send an unknown domain name in the HTTP request header ‘Host’ to a webserver and the webserver responds with a HTTP status code 301/302 (redirect) along with a HTTP response header ‘Location’ reflecting my initial Host header input.
D… Continue reading Is a random unknown HTTP request header ‘Host’ that is reflected in the HTTP response ‘Location" header (3xx) a open redirect or DNS rebinding?
I’m looking into the risks associated with the use of the HTTP ‘Etag’ header and found the following relevant information already.
Information Disclosure (inodes)
This article titled: "Vulnerabilities that aren’t. ETag headers" f… Continue reading Should the use of the HTTP ‘ETag’ header be avoided for security and privacy concerns?
I’ve been reading a bunch on how caching of web pages is handled, I feel like I have a good grasp on everything, but I’ve encountered something I don’t understand.
I’m testing a site and it sends the same caching headers on every HTTPS res… Continue reading Why is one particular page not being cached, and the others are? all have same caching headers [migrated]
I have a web application that retrieves HTML snippets from the server and places them on the page, using JavaScript. The server responds with a small part of a HTML document. What Content-Type header should I use? Marking it as text/html m… Continue reading Which response headers for HTML snippets?