How to identify CSRF token vulnerabilities on a login page using burpsuite community edition [closed]
How to gather the csrf token on a login page and analyze the vulnerabilities on csrf token using Burp?
How can websites know if I had expired the evaluation period on them?
There are several websites on the internet which offer good services, like realistic voices. I was on a random one and tried out a text-to-speech service. This website had … Continue reading Determining if user has expired 30 days on free-trial websites? [closed]
We are currently implementing an envelope encryption scheme in order to securely store PII data in our database. That means we will have a user-specific DEK (data encryption key), and a KEK, which will get derived from the user’s password… Continue reading Envelope Encryption: KEK management in Auto-Login case
I am doing some security research on an application and I am wondering what it is based on.
It appears to be changing each request (so not bound to a user session). Is it just a random value, which should exist within the system or even … Continue reading Where is the .NET __RequestVerificationToken based on?
I have an offline app that serves a localhost server while it is running. Other computers on the same local network can access this server through 192.168.x.xxx.
I want to block them from accessing this localhost server. I am thinking of … Continue reading How can I block localhost access from other computers on the same local network?
I’m reading Alice and Bob Learn Application Security and I came across this sentence:
To protect highly sensitive data, it is recommended that you flush
the memory when your program exits, logs out, or is otherwise ended.
Considering a w… Continue reading Flush the memory when the application is ended
I am testing a graphql endpoint that uses POST requests with persisted queries, I tried the following query:
{
"query":"query{signedUser}"
}
The graphql endpoint returns an error that signedUser doesn’t exist on the qu… Continue reading graphql POST request returns 404 not found [closed]
Hello InformationSecurity community!
I have the following situation, and am seeking advice for our security architecture.
I am working for a client, who creates a resume builder app, where users can enter their details (e.g. email, phone … Continue reading Encryption of localStorage/indexedDb with server-side PBKDF2 derived secret secure?
I am trying to teach my students about race conditions on the web, and for that purpose, I am using a simple bank example, in which we transfer an amount from person A to person B’s account. If we use Burp and send simultaneous requests li… Continue reading Race condition in Python
Did you know that over 80% of web applications fail due to poor planning and execution? Now imagine… Continue reading Building Your First Web Application with Yii Framework