html – Page 6 – WindowsTechs.com

Need for URL encoding in XSS / CORS lab

Posted on June 30, 2022 by Voyyce

I am doing one of Portswigger’s labs on web security, specifically CORS (cross origin resource sharing). I am having trouble understanding why there is a need for URL encoding certain parts of the XSS payload.
As a brief summary, the lab i… Continue reading Need for URL encoding in XSS / CORS lab→

Parameter vulnerable for HTML injection but cannot exploit because of URL encoding

Posted on June 19, 2022 by Ugroon

I found a HTML injection vulnerability but there is an issue.
The following request returns the following:
curl "https://redacted.com/xss/para?meter="><h1>Test\</h1>"<meta name="url:url" content=&… Continue reading Parameter vulnerable for HTML injection but cannot exploit because of URL encoding→

WSS protocol vs HTTPS protocol as an iframe embedded source in a web page

Posted on June 19, 2022 by rami300

until recently, I’ve been embedding a chatbot service from a different/external site with an iframe tag.
it’s a paid service, not a free one.
today I saw that they changed a few urls, swithing from "https://" to "wss://&quot… Continue reading WSS protocol vs HTTPS protocol as an iframe embedded source in a web page→

I mistakenly clicked an .htm attachment from an spam email, help?

Posted on May 21, 2022 by Matthew

I messed up… I opened the htm file using chrome and entered my password… Upon realising that it wasn’t a legit attachment, I immediately changed my Microsoft account password. However, I don’t understand the code inside the .htm script… Continue reading I mistakenly clicked an .htm attachment from an spam email, help?→

Should API keys, even for free services, be visible in a page’s source?

Posted on May 20, 2022 by Sam11111111

I sometimes see API keys in page sources, such as the following:
<span class="nf">init</span><span class="p">(</span><span class="nv">location</span><span class="p&… Continue reading Should API keys, even for free services, be visible in a page’s source?→

What are the security concerns of embedding Base64-encoded images into an HTML document?

Posted on May 17, 2022 by salazar324

We are developing an MVC web-application in Django and having concerns about image uploading.
First of all, here are our business requirements:

Our users can upload images (like profile pictures, etc).

Only authenticated users can upload… Continue reading What are the security concerns of embedding Base64-encoded images into an HTML document?→

HTML attachments in phishing e-mails

Posted on May 16, 2022 by Roman Dedenok

In this article we review phishing HTML attachments, explaining common tricks the attackers use, and give statistics on HTML attachments detected by Kaspersky solutions. Continue reading HTML attachments in phishing e-mails→

XSS – Anyway to bypass double quotes in href of anchor?

Posted on May 1, 2022 by PradyumanDixit

I have an anchor that has href attribute populated by my input. I am trying to input javascript, but it always renders it useless since it always appears between double quotes.
So far, I have tried many inputs including:
javascript:alert(1… Continue reading XSS – Anyway to bypass double quotes in href of anchor?→

Can javascript from parent page read url of popup window?

Posted on April 26, 2022 by John

Lets say I’ll open a third party page from the parent page using window.open(popup method)
Now what I want to know is there any way where the parent page(using javascript or any third party library) which opened the popup can get info back… Continue reading Can javascript from parent page read url of popup window?→

CORS attack using authentication token

Posted on April 21, 2022 by Cyber World

I found a website which is vulnerable to cors.(https://portswigger.net/web-security/cors)
GET /api/requestApiKey HTTP/1.1.
Host: vulnerable-website.com.
Origin: https://evil.com.
AUTHENTICATION: eyssdsdsdsasa…..
And the server responds … Continue reading CORS attack using authentication token→