web-application – Page 12 – WindowsTechs.com

How to properly migrate authentication cookies to using a new encryption scheme on a website while being backwards compatible?

Posted on September 22, 2023 by user1068636

When a user logs in with their email/password combo and gets authenticated to our website, the backend sends the web browser an encrypted cookie based off of their memberId with us. While this encrypted cookie has not expired, the web bro… Continue reading How to properly migrate authentication cookies to using a new encryption scheme on a website while being backwards compatible?→

Why is one particular page not being cached, and the others are? all have same caching headers [migrated]

Posted on September 17, 2023 by XRBtoTheMOON

I’ve been reading a bunch on how caching of web pages is handled, I feel like I have a good grasp on everything, but I’ve encountered something I don’t understand.
I’m testing a site and it sends the same caching headers on every HTTPS res… Continue reading Why is one particular page not being cached, and the others are? all have same caching headers [migrated]→

Writing small application logic directly on a TCP packet

Posted on September 16, 2023 by AndyCrypto

Is it possible to write small application logic (for example 4 KB) on a TCP packet? like for example a simple logic that just sends back "Hello" to the IP address (user) who wrote a specific command like "Summon Hello" … Continue reading Writing small application logic directly on a TCP packet→

Is Web session required for app security?

Posted on September 14, 2023 by postoronnim

I understand that the idea of a session was conceived originally to improve user experience with Web applications. I also understand that session implementation can introduce attack vectors if not done securely i.e., if session ID can be s… Continue reading Is Web session required for app security?→

Which response headers for HTML snippets?

Posted on September 4, 2023 by Sjoerd

I have a web application that retrieves HTML snippets from the server and places them on the page, using JavaScript. The server responds with a small part of a HTML document. What Content-Type header should I use? Marking it as text/html m… Continue reading Which response headers for HTML snippets?→

What is risks model for a keys container implementation for web page in browser

Posted on August 25, 2023 by Kote Isaev

I consider myself a newbie into security.
Standard questions for Kagi search was not helpful this time, so I come here in hope for answers.
I thinking about implementing a web app,like end-to-end-encrypted messaging application.
Expected f… Continue reading What is risks model for a keys container implementation for web page in browser→

Implications of SHA256 implementation producing false / unexpected hashes

Posted on August 25, 2023 by Jankapunkt

I found that one of our programs uses an sha256 implementation, that produces different hashes for same inputs, compared to standard libraries (in this case compared to node:crypto and Web Crypto API.
The hashes are different for character… Continue reading Implications of SHA256 implementation producing false / unexpected hashes→

CVSS3 score for XSS leading to account takeover

Posted on August 18, 2023 by mateleco

Let’s say there is a XSS vulnerability in a web application. The XSS allows an attacker to hijack the user’s session. Within the session, the attacker can view/modify the user’s credit card and billing information, and even make a purchase… Continue reading CVSS3 score for XSS leading to account takeover→

How does mime-sniffing enable a drive by download attack?

Posted on August 11, 2023 by J. Doe

A frequent recommendation for hardening Web App response headers is "X-Content-Type-Options: nosniff" with the reasoning that preventing mime-sniffing reduces exposure to drive-by download attacks.
Can anyone explain the reasonin… Continue reading How does mime-sniffing enable a drive by download attack?→

Do CSRF Tokens need to be tied to user IDs?

Posted on August 11, 2023 by Kholin

I am implementing a web system using Golang and have incorporated gorilla/csrf for CSRF protection. However, I’ve encountered an issue. When I have tab1 open in my browser, logged in as user1, and navigated to a form page, both the form an… Continue reading Do CSRF Tokens need to be tied to user IDs?→