Collaborate Disseminate
Where to store JWT refresh tokens? My idea was to encrypt the refresh token with crypto-js AES and salt, keeping it in an environment variable (.env). Then, the refresh token would be stored in either local storage or cookies. I am still d… Continue reading Where to store JWT refresh tokens
I am inspecting a client’s application written with Vue.js and I found there a following construction.
// Somewhere else in the code
var data = JSON.parse(jsonString);
// In the vue component
<img :src="require(`@/assets/img/${da… Continue reading Is <img :src="require`${JSON.parse(string)}`"> in electron vue is safe from XSS?
It is possible to clobber document attributes, e.g.:
<img name="cookie">
…
typeof(document.cookie)
//=> ‘object’
Is there any way to prevent this from happening, access the original value, or detect it has happened (b… Continue reading Is there a way to prevent/detect DOM Clobbering in the browser?
My Skills are:
Java***
HTML ****
CSS **
JS ***
PHP **
jQuery *
Angular JS *
My future plans (What to learn) Ranking
Master JS
Master Angular
Master Java (OCA and OCP certification)
Continue reading Where to start with Webdevelopment and Java in 2023 [closed]
Let’s say a website contains the following <script> tag and does not have a CSP blocking any execution here.
<script type="text/javascript">
document.write(location.href)
</script>
At first glance, this code … Continue reading XSS in document.write(location.href)
When I was making my PicoBlaze Simulator in JavaScript, I added 6 examples of how to use it. Those examples are on my GitHub profile, they are the .psm (PicoBlaze Assembly) files. I decided not to hard-code the links to those .psm files in… Continue reading Why don’t Internet browsers allow me to fetch a JSON file from raw.githubusercontent.com, but they allow me to fetch .psm files from there?
I’m talking specifically about the HTML Sanitizer API: https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API
The API allows you to configure the sanitizer with a list of allowed elements and attributes. Script tags are remove… Continue reading Are there any html Sanitizer() API configs that allow javascript execution?
Our business is in the payment processing space and one of our core products is a Payment Gateway API. In terms of security we issue an API Key, Signature and RSA Encryption for sensitive information in the payload all over SSL. Customers … Continue reading What is the best way to validate third-party domains calling an API?
During my bug hunts, I have encountered many minified js files like this:
var r = n(3062);
function i(t) {
var e = (0,
r.Z)(t)
, n = e.overflow
, i = e.overflo… Continue reading How to analyse minified js code for XSS and other issues [closed]
TLS, byte by byte performs an unusual and interesting function: it fetches itself over HTTPS, and provides a complete annotation of what’s going on in the process, one byte at …read more Continue reading Watch a Web Page Fetch Itself Over TLS, Complete With Commentary