Collaborate Disseminate
hello How can I sign in to a certain site without the site not recognizing my ID and rejecting my registration? I have tried various types of VPNs. In general, when we enter a site other than IP Mac address, font resolution, what do they s… Continue reading Whats websites can see from our computer? [duplicate]
What’s the reason why an attacker should choose to perform a clickjacking attack?
If they create a malicious website, they could just perform the action automatically, they don’t need to "trick" the user to click on the hidden if… Continue reading Why should an attacker perform a clickjacking attack when they can simulate the click with JavaScript?
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey rawId
I want to implement passkey support as a full replacement for passwords but I have some server-side state that still needs to be encrypted to a specific user in a way that can not be decrypted or reproduced on the server side without a use… Continue reading Storing a server secret in a user passkey user id
I am doing a pentest which includes an API and all I have access to is Swagger UI docs. The Swagger docs don’t show me real-world data in the examples, nor do they offer a "try request" option. Some of these requests are huge POS… Continue reading Is there an automated way to generate a valid API request from Swagger docs?
I have seen applications use both the Authentication HTTP header, as well as a cookie, or sometimes even both, to store & transmit BEARER tokens (JWT) when they send requests. For example, I am currently looking at an application where… Continue reading What are the security implications of receiving a secret (e.g. OAuth BEARER) token via cookie vs. Authorization header?
For the fourth time in the last five months, Apache OFBiz users have been advised to upgrade their installations to fix a critical flaw (CVE-2024-45195) that could lead to unauthenticated remote code execution. About CVE-2024-45195 Apache OFBiz is an o… Continue reading Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)
I have a web application that sends this cookie after login:
Set-Cookie: ASP.NET_SessionId=55adfqwdf6qdqrgsdfg; path=/; HttpOnly; SameSite=Lax
If I theoretically steal the session ID and use it in another browser, I am immediately logged … Continue reading Is this a session hijacking vulnerability?
I have a web application that sends this cookie after login:
Set-Cookie: ASP.NET_SessionId=55adfqwdf6qdqrgsdfg; path=/; HttpOnly; SameSite=Lax
If I theoretically steal the session ID and use it in another browser, I am immediately logged … Continue reading Is this a session hijacking vulnerability?
I was reading about 0.0.0.0 local server API access from Browser vulnerability – see 0.0.0.0 Day: Exploiting Localhost APIs From the Browser. Its relatively new and I haven’t updated my browser either. When I try to access http://0.0.0.0:&… Continue reading Reproducing 0.0.0.0 Day