Collaborate Disseminate
I read a lot of reports where ‘hackers’ potentially exploited a ‘Hidden HTTP Parameter’. There are also tons of tools which are developed for this exact purpose.
Example : https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-… Continue reading What exactly are Hidden HTTP Parameters?
I’m playing with a webapp CTF for fun/learning. The backend is using Golang’s net/rpc library to provide frontend access to what I think are database operations. The problem is I don’t know what the exported services, and as such don’t kn… Continue reading Enumerate Golang net/rpc Port?
I’m playing with a web app CTF for fun/learning. The backend is using Golang’s net/rpc library to provide frontend access to what I think are database operations. The problem is I don’t know what the exported services are, and as such, do… Continue reading Enumerate Golang net/rpc Port?
Goal I’d like to tighten my Content Security Policy.
Situation
I have a single page react application (= All code and styles are bundled together into a bundle.js file). The file is simply placed on a file storage server (Concrete: S3 buck… Continue reading CSP for Single Page App: Use client-side nonce for securing iframe content
While playing with a CTF web application, I discovered what port is being used for its RPC server, and I can see the open port on the machine. The webapp has a hidden debug menu that explicitly states that it’s an RPC port, but it does not… Continue reading Identifying Unknown RPC Protocol [closed]
Scenario: I don’t want to serve the Facebook/Meta Pixel to my users but let’s say I load dozens of scripts and CDN content from third parties. Can one of those third parties insert the Meta / Facebook Pixel into my page and would it work… Continue reading Can Meta / Facebook Pixel be loaded by a script loaded from a third party CDN for my web site?
I have public webserver serving static html pages and when analyzing error logs I found type of attempted GET that I don’t understand.
They are formed like this and fail because request is too long:
/data=04|01|firstname.lastname@example.c… Continue reading Trying to understand HTTP request containing base64 encoded part and email address
I am trying to scrape publicly available sites by urls. But the problem is I can not understand the urls needed to be accessed.
URLs are like https://ldtax.gov.bd/ldtax-holdings/individual-rashid-print-offline/MVBDSzI4UTYzdUsydFJLZGJwT0x2Z… Continue reading How the hash/code in url is generated [closed]
I’m building a service composed of a backend API and an embed-able, iframe-based, front-end client. Only authorized customers should be able to access the backend API via the iframe embed. My plan is to give paying customer’s an API key.
B… Continue reading How do I protect API keys used to authorize an iframe-based client?
I understand that nothing is perfectly secured.
If we have a web app where most of the functionality is done inside the browser using WASM, can someone get the binary of that WASM and use most of its functionality?
What do we need to pay a… Continue reading How secure is it to implement most of the applications functionality using WASM on the client side/ in the browser?