Collaborate Disseminate
I have made a website to control a couple of things at home. I haven’t bought any domain, since this is just going to be for myself.
Right now, I use my public IP address and a port to access my website, however, this can only be done at h… Continue reading Node.js website security for personal use [closed]
I have an Http web service running on IIS. The Http service will be exposed to the public internet, but only authenticated client requests will be processed by the web service. The service allows clients to write complex queries using quer… Continue reading Why is it a security concern to modify http.sys registry entries to allow web service to accept a longer query string?
Everywhere I look, I only find explanations as to who can set who’s cookies and who can access the cookies of whom.
Why do we need these restrictions?
More precisely:
Why is it OK for a subdomain to set a cookie for a parent domain?
Why i… Continue reading What are the security issues with setting cookies for subdomains?
I know about the usual port sniffers and mass scanners that just pop up on any web server, but this one looks interesting to me.
I figured out so far that those requests aren’t really an issue for my Development Flask Webserver, but I am … Continue reading What is the intent behind these unknown HTTP Requests into my AWS Web Server?
I am trying to find POC for this CVE, but I couldn’t. Where can I find a poc for this cve? and why most of CVEs don’t list its poc, its very important to include a poc to understand the vulnerability.
Please if there is a good resource fo… Continue reading POC for CVE-2017-7657
Binance public API supports access to specific operations with RSA key pair. Firstly customer generates an RSA key pair. The customer uses the secret key to hash(SHA256) the query string parameters and puts the hash value in the query stri… Continue reading Using two different random numbers instead of RSA Keys
Is any network safe to use so long as you are using https on the actual trusted site? For example, connecting to your banking info over plane or coffee shop wifi (assuming no one can see your screen, etc)
I’m using BurpSuite to bruteforce the login credentials for an ASUS router via the router interface page. I’ve found that the login credentials input are only base64 encoded and displayed in the request body. I’m using the Intruder to brut… Continue reading burpsuite see href script in response body
A result of a recent pentest suggested that the HTTP Cache-Control Header max-age=0 should be set when no-store is set.
As I understand cache control, no-store is the strictest we can set; the page should not even land in cache, let alone … Continue reading Why set max-age=0 if no-store is already set?
We are running user-submitted JavaScript, server-side to be executed within a headless browser that doesn’t have a DOM or any child of the window or document or location objects – because these are already removed. Is there a way for plain… Continue reading What other methods would an attacker use for making an HTTP request that isn’t Fetch() or an XHR or using the DOM?