Collaborate Disseminate
Say there is a web page with two 3rd party javascript URL scripts embedded in it. One creates a support chat window and the other creates an iFrame within which a user enters payment information into a form.
If the support chat script was … Continue reading Can an embedded 3rd party JS script access or keystroke log an iFrame’s content
With standard XSSI, an attacker can include a remote script which contains user-bound secrets across origins, and then read them out.
I have an endpoint which returns sensitive Javascript code, but the request to fetch it is POST-based (th… Continue reading Is POST-based XSSI possible?
The survey reveals that React’s usage share of 58% is testament to its continued dominance. Continue reading JetBrains State of Developer Ecosystem 2023: React Reigns in JavaScript Realm
I would like to initialise a React application with an OIDC token.
This token will be stored in a private field of the "api client" object. This object will be used to execute API calls and it will automatically add the OIDC toke… Continue reading Is it safe to store the OIDC token in a private field of a javascript object?
I’m trying to quickly audit a js browser extension to see if it doesn’t talk to the outside. Am I right in thinking that I can just grep the code for the following:
XMLHttpRequest
fetch
$.ajax
axios.get
WebSocket
I’m assuming un-obfuscat… Continue reading Methods to look for when checking if a javascript program is making network requests
This tutorial provides a comprehensive guide to JavaScript Map and Set, explaining their differences, use cases, and how to effectively utilize them. Continue reading JavaScript Map and Set Tutorial
I need to run the following inline script to inject some Thymeleaf model variables into a javascript file of mine.
<script th:inline="javascript">
/*<![CDATA[*/
var stripePublicKey = /*[[${stripePublicKey}]]*/ … Continue reading unsafe-hashes an alternatives
I have been exploring customer support in a website as part of bug bounty program.
I then started a chat with their customer support and pasted the following in the box:
<!–<img src="–><img src=x onerror=javascript:alert… Continue reading Is this a type of XSS attack?
I have a bunch of REST APIs which would be consumed by frontend applications created by customers using our product. I have suggested to only use last 2 versions of Chrome for running frontend apps. They would be using Angular.
I was going through Angular’s security guide which says,
Cross-site script inclusion, also known as JSON vulnerability, can
allow an attacker’s website to read data from a JSON API. The attack
works on older browsers by overriding built-in JavaScript object
constructors, and then including an API URL using a tag.This attack is only successful if the returned JSON is executable as
JavaScript. Servers can prevent an attack by prefixing all JSON
responses to make them non-executable, by convention, using the
well-known string “)]}’,\n”.
I checked the related questions on SO/SE. Going by the accepted answers, it seems that this used be a vulnerability a long time ago when browsers allowed overriding Array constructor.
Is it still possible to have JSON vulnerability attack given latest version of Chrome will be used?
Related SE/SO questions:
By Waqas
There are over 17 million developers worldwide who use NPM packages, making it a lucrative target for cybercriminals.
This is a post from HackRead.com Read the original post: FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing D… Continue reading FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data