Collaborate Disseminate
I have an XSS vulnerability identified by <script>alert(1);</script> in the url.
So when I put it in the url it gets executed (ex: www.example.com/admin/<script>alert(1);</script> ).
I also tried after loggin in, an… Continue reading how to send cookies or token in local storage to a remote server using reflected XSS
Context
I have a system where some of user’s data is encrypted via AES. Each user has their own key K. When the user creates an account, the K is generated and encrypted with a key derived from password via PBKDF2 (let’s call this key P). … Continue reading Password-based encryption: keeping the user logged in without entering password again
I’m currently working on a UWP app that involves validating redemption codes against a Cloudflare KV storage backend. That’s all the backend server is for.
I want the app to check the redemption code against Cloudflare KV using an API toke… Continue reading Secure API token handling in Windows app: the token is needed to authenticate the requests to a backend server
I am trying to determine if there is a benefit to using the GMail app over the built in iOS one when it comes to security. I know that both store data locally on the phone, but the question is whether that data is encrypted? I cannot find … Continue reading Apple Mail versus GMail app content security
I’m going to develop a PWA cold crypto wallet.
I need to store the user’s private key on the client side and not send it to the server.
Where should I store that?
Is it secure to persist private key in browser localStorage?
Continue reading Is it secure to store user private key in local web storage?
Where to store JWT refresh tokens? My idea was to encrypt the refresh token with crypto-js AES and salt, keeping it in an environment variable (.env). Then, the refresh token would be stored in either local storage or cookies. I am still d… Continue reading Where to store JWT refresh tokens
During my penetration testing on the target, I noticed that passwords were being saved in the IndexedDB file even when i did not saved in the browser.
To verify this, I logged out, closed the browser, and upon reopening the IndexedDB file,… Continue reading Insecure Local Storage [closed]
Currently I am working on an application that requires secret keys to encrypt and sign information generated by the client and transmited over the wire, these keys are granted per user.
Currently when the user logs in, the keys are downloa… Continue reading In a web application, what would you consider the best way to store secret keys obtained via an SDK?
Question is pretty much in the title. We have a customer that is very concerned with privacy, and we’re making a solution that will rely on data being stored in LocalStorage, so we just need to verify wether browser vendors (they are speci… Continue reading Do browser vendors have access to LocalStorage/cookies?
I have a notes app that’s offline-first and syncs with remote database when online.
Currently, when a user creates a note, I’m encrypting it with AES. I ask the user to enter their decryption password on every page refresh and when they e… Continue reading Storing sensitive data in Local Storage with encryption?