Collaborate Disseminate
I am creating an exericse for my users, where I am trying to tell them that using mt_rand() is not a good option from security point of view. What I did is that I showed them a normal user who gets a password reset email, the token is gene… Continue reading Usage of Mt_Rand in PHP
I am using the following code in my code to send a password reset token to a user.
$token = md5($user_id . time());
Why this is considered as a bad approach being cited as it has a weak entropy. The above code would generated a scary look… Continue reading Determining Entropy in PHP
I am currently trying to build an authentication flow where the front end lives on one domain, say X.com and the backend lives on Y.com. I have implemented a refresh/access token system where when a user logs in with username and password … Continue reading Where to store Refresh Token in custom Authentication
In today’s fast-paced business world, protecting digital identities and optimizing daily workflows are crucial. The iShield Key Pro series from Swissbit addresses these challenges by offering top-notch security combined with effortless usability…. Continue reading Product showcase: Protect digital identities with Swissbit’s iShield Key Pro
When I was originally developing my website, I made sure to include cross-site request forgery tokens in most endpoints and forms, etc., because I knew it was a highly recommended thing to do.
But of course, as time went on and my site gre… Continue reading Does the absence of CSRF tokens need to be fixed as soon as possible?
If the SessionID is leaked/hacked by someone else and they use that SessionID to get access to the account, can we double-check whether the SessionID is used on the right device? I’m thinking of checking the device fingerprint and whether … Continue reading Besides checking whether the session ID is valid, what other things should we check in order to prevent session ID leakage? [duplicate]
I am trying to understand how refresh tokens and access tokens works, and I ready several threads and documentations. It seems that I am not the only one confused around this topic.
Based on this thread: How does a refresh token help?, wha… Continue reading Security doubts around the refresh token and how it works
When an attacker obtains such a token (via a broken webapp or jailbroken mobile phone), what would be the consequences?
Would it be possible for an attacker to obtain messages with sensitive info (when the associated app’s server sends a m… Continue reading Firebase Cloud Messaging (FCM) what is the impact of a exposed or leaked fcm_token?
I have an XSS vulnerability identified by <script>alert(1);</script> in the url.
So when I put it in the url it gets executed (ex: www.example.com/admin/<script>alert(1);</script> ).
I also tried after loggin in, an… Continue reading how to send cookies or token in local storage to a remote server using reflected XSS
In Sentry’s documentation they explain that you can use a public token to use their API;
<script
src="https://js.sentry-cdn.com/examplePublicKey.min.js"
crossorigin="anonymous"
></script>
How is example… Continue reading How are Sentry’s public key protected when the token is in front end code?