Collaborate Disseminate
I am currently working on an open source project to securely store notes, payment card numbers, etc. I would like to implement a zero knowledge encryption method so that no one but the user can decrypt this data.
Unfortunately, I am stuck … Continue reading Securely storing derived key in web app and handling user identity
Assumption a customer is sitting in a public area connected to a public wifi.
Step 1. example.com server sends the following information to trustworthy.external.domain over https:
redirectPath="https://www.example.com/public/endpoint… Continue reading Is encrypting a query parameter within a URI a security best practice?
I’m trying to perform a brute-force attack using Hydra on http://testphp.vulnweb.com/login.php. The login credentials are "test" and "test" for both the login ID and password. Despite using the correct credentials it’s … Continue reading Hydra 0 valid passwords found despite correct credentials
Someone is selling scraped data of millions of users of Trello, a popular a web-based list-making application and project management platform, on a dark web hacker forum. The database dump “contains emails, usernames, full names and other account… Continue reading Data of 15 million Trello users scraped and offered for sale
I am currently implementing a change-of-email request flow for a web service without MFA. My initial approach is to consult the current OWASP Guide for such a flow. In reading the document, I’ve realized this is quite different from the f… Continue reading What is the correct way to implement a change-of-email request flow?
I was using an application called hellotalk today when a stranger told me my real name and i am putting a nickname in the app ,my password contained my name .Idk much about the domain but that was confusing
This document has a sequence diagram (annotated and shown below) explaining how Stripe handle’s a Checkout Session.
My question : When a customer is returned to the successUrl = www.example.com/some/specific/path, how can www.example.com (… Continue reading how should a web application verify a redirect comes from a trustworthy source?
I’m building a webapp where I want to encrypt user data. I’ve done A LOT of research about this.
The main issue is that I want only users to be able to access their data. After reading countless articles and forums, I’ve come to the conclu… Continue reading Where to store user private keys in a webapp? [duplicate]
I’m quite new to XXE attacks so please bear with me, when I look at the different payloads to get a OOB XXE they all look like the following (external DTD) :
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval &… Continue reading I’m not sure why the different XXE injection payloads follow a specific pattern
For me building interfaces through HTML / JS frameworks is by far easier then any other framework I have tried in the past. It’s also not that strange, as by far the most UIs are based on the web nowadays, so the tools are superb (to me).
… Continue reading How to protect a local app that acts as a webserver from exploits?