how to send cookies or token in local storage to a remote server using reflected XSS

I have an XSS vulnerability identified by <script>alert(1);</script> in the url.
So when I put it in the url it gets executed (ex: www.example.com/admin/<script>alert(1);</script> ).
I also tried after logging in, an…

Password-based encryption: keeping the user logged in without entering password again

Context
I have a system where some of user’s data is encrypted via AES. Each user has their own key K. When the user creates an account, the K is generated and encrypted with a key derived from password via PBKDF2 (let’s call this key P). …

Cloudflare hacked using auth tokens stolen in Okta attack

Sergiu Gatlan reports: Cloudflare disclosed today that its internal Atlassian server was breached by a suspected ‘nation state attacker’ who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system. The t…

Modern security implementation: operation token sent to the bank by secure server

This post is related to this post on Android users stack exchange relating to conceiving of a variety of household situations and files and a post related to what immutable storage is which was deleted from this site and deleted (immutable…

Photos: RSA Conference 2023 Early Stage Expo

RSA Conference 2023 is taking place at the Moscone Center in San Francisco. Check out our microsite for the conference for all the most important news. The Early Stage Expo is an innovation space dedicated to promoting up-and-comers in the industry. Th…

I need to generate a token in order to share an ‘invite’ link, what should the token be?

Just to elaborate a bit more:

User A owns a directory of files on my server
User A wants to share a link with a token that grants anyone with the link access to that directory
I have an API user A can hit (GenerateDirectoryToken)
User A s…