Collaborate Disseminate
I’m storing a sensitive string to local storage, but it is encrypted / decrypted with this: https://github.com/pubkey/eth-crypto?tab=readme-ov-file#encryptwithpublickey.
This means that even though an attacker can access the sensitive stri… Continue reading Using ETH private key to encrypt/decrypt a value in localStorage
I’m storing a sensitive string to local storage, but it is encrypted / decrypted with this: https://github.com/pubkey/eth-crypto?tab=readme-ov-file#encryptwithpublickey.
This means that even though an attacker can access the sensitive stri… Continue reading Using ETH private key to encrypt/decrypt a value in localStorage
Hello InformationSecurity community!
I have the following situation, and seeking for advice for our security architecture.
I am working for a client, who creates a resume builder app, where users can enter their details (e.g. email, phone … Continue reading Encryption of localStorage/indexedDb with server-side PBKDF2 derived secret secure?
I spotted that there is no_of_login_attempts in browser Local Storage. I can easily edit it to 0 and then successfully login. So, what’s the point of keeping that info in client side(browser)?
Continue reading Its good idea to store number of login attempts in browser cache?
I have an XSS vulnerability identified by <script>alert(1);</script> in the url.
So when I put it in the url it gets executed (ex: www.example.com/admin/<script>alert(1);</script> ).
I also tried after loggin in, an… Continue reading how to send cookies or token in local storage to a remote server using reflected XSS
Context
I have a system where some of user’s data is encrypted via AES. Each user has their own key K. When the user creates an account, the K is generated and encrypted with a key derived from password via PBKDF2 (let’s call this key P). … Continue reading Password-based encryption: keeping the user logged in without entering password again
I’m currently working on a UWP app that involves validating redemption codes against a Cloudflare KV storage backend. That’s all the backend server is for.
I want the app to check the redemption code against Cloudflare KV using an API toke… Continue reading Secure API token handling in Windows app: the token is needed to authenticate the requests to a backend server
I am trying to determine if there is a benefit to using the GMail app over the built in iOS one when it comes to security. I know that both store data locally on the phone, but the question is whether that data is encrypted? I cannot find … Continue reading Apple Mail versus GMail app content security
I’m going to develop a PWA cold crypto wallet.
I need to store the user’s private key on the client side and not send it to the server.
Where should I store that?
Is it secure to persist private key in browser localStorage?
Continue reading Is it secure to store user private key in local web storage?
Where to store JWT refresh tokens? My idea was to encrypt the refresh token with crypto-js AES and salt, keeping it in an environment variable (.env). Then, the refresh token would be stored in either local storage or cookies. I am still d… Continue reading Where to store JWT refresh tokens