Collaborate Disseminate
I am building an application that a user can receive an access to by an internal worker. This works using a magic link, where the user will receive a one time link to authenticate in the app. Now I want the application to be secured with 2… Continue reading Is Using an Authenticator App on the Same Device as the Passwordless Application a True 2FA?
With standard XSSI, an attacker can include a remote script which contains user-bound secrets across origins, and then read them out.
I have an endpoint which returns sensitive Javascript code, but the request to fetch it is POST-based (th… Continue reading Is POST-based XSSI possible?
Is it necessary to implement both Content-Security-Policy and X-Content-Type-Options for ensuring the security of a website?
Quoting the OWASP Cheat Sheet on CSRF Prevention:
Using the Synchronizer Token Pattern:
CSRF tokens should be:
Unique per user session.
Secret
Unpredictable (large random value generated by a secure method).
As far as I can tell App Ch… Continue reading Does Firebase App Check provide CSRF protection?
I’ve been studying how to hack web applications for 1 month, but I can’t find my first vulnerability.
I even managed to get a Burp Suite pro version, with this fancy vulnerability scanner, but all it does is false positives and strange pay… Continue reading Struggling with finding bugs in web applications [closed]
TL;DR Is it possible to create an end-to-end encrypted web application where newly created users are able to access data encrypted before their creation?
My plan is to develop a (let’s call it a Customer-Managing-App). This app should als… Continue reading How to implement secure E2EE for a managing App
It’s considered a best practice in security for login form to provide a vague error message
your username or password is wrong
rather than the more precise:
username does not exists
wrong password
the understandable justification is th… Continue reading Login/Registration: why is not telling the users they got their username wrong during login, if registration already hint username existence?
If a domain, for example foo.com is pointed to a IP address (A record) outside of my control, for example the Twitter IP address. And the domain is visited using a browser:
What will be displayed in the browser?
Does it make sense for com… Continue reading What happens if a DNS record points to non-controlled IP address?
When I view the PDF file in a browser such as FireFox without downloading the file into my PC, does FireFox temporarily store the PDF file in my PC?
I heard that FireFox has been sandbox heavily and there is no need to worry about maliciou… Continue reading How safe it is to view PDF file in browser without downloading the file into PC?
I Have a confusion here.
From what I know, in TLS1.2, the Client sends Client Hello and then the Server Sends a Server Hello, Certificate(with its public key) and Certificate chain, and then a Server Hello Done.
Then, the Client sends a Cl… Continue reading TLS session keys [duplicate]