Collaborate Disseminate
My question regards tabnabbing and how to block it. I will first describe my understanding of the subject, but I’m no expert, so this introduction is meant for you to correct me if applicable.
Here is my attempt at exhaustively listing the… Continue reading Tabnabbing, adblocking and web browser security
Our implementation for authentication works like this
User provides username/password to /login API
API returns access token and refresh token in payload
We store the access token and refresh token in session storage
After a period of tim… Continue reading "Duplicate" of Chrome Tabs causes stale tokens
I was looking through my session logs and I see that Snapchat shows up. I don’t use Snapchat. Never have. It’s not a website I’ve ever even visited. The host for the session is the computer I’m on now, which I know as never been used by an… Continue reading Why would an application I’ve never used show up on my NAT sessions?
I was thinking about building a simple end-to-end encrypted chat with group chat capabilities. Please keep in mind that 1) it’s just an experiment to help me learn more about cryptography and 2) I’m not a security expert that knows all the… Continue reading Group admin in end-to-end encrypted group chat
In a layered enterprise security architecture with a Web Application Firewall (WAF) deployed in the DMZ, should there be shared responsibility between the WAF and application layer/ microservices for mitigations the WAF supports, specifica… Continue reading WAF vs. Application Layer for Bot Mitigation
I’ve setup Content Security Policy (CSP) on a web app. For the time being it’s set to report only so that I can assess it first in production and then turn it on if things get clear. But so far they’re not. I’m getting some odd reports of … Continue reading Content security policy (CSP) reports that seem unrelated to the web app
My website is using session cookies (w/ SameSite=Lax, secure, httpOnly attributes) and a CSRF Token stored in localStorage. Recently I developed a teams app, which essentially loads the website through an iframe (there is no other option t… Continue reading httpOnly Session Cookies in an iframe context in the future w/o SameSite=None
After login to my Adobe Acrobat account via a browser, I am able load a PDF document from my PC and then enter data into the PDF document form fields.
How do we determine whether the data entered into the PDF form (hosted by Adobe cloud ) … Continue reading How can we determine where Adobe Acrobat cloud store PDF form data? [closed]
"Update my email" page has 2 fields: the new email and the current password.
I cannot find the correct way to protect against user enumeration if there’s an error on the email field:
if I silence the error users wont know if the… Continue reading "Update my email", best way to prevent enumeration?
Is there a way to hook a function inside a WebAssembly running on a web page? Usually Frida works for standalone application, but I have no idea how to do it on WebAssembly.
Continue reading Hooking WASM Functions On Web Page [migrated]