Collaborate Disseminate
So if I got this right from my intense research, the following procedure would be preferrable:
Use the PBKDF2 key derivation function to derive a secret key from the users password on the client side.
Use the derived key, which was generat… Continue reading Algorithms when using client side hashing plus server side hashing
I recently read a blog post that mentioned there is a way to highjack a user’s account by stealing their session cookies, and then persisting the logged in state by extending the expiration of the cookie indefinitely. This would also mean … Continue reading How can session-persistence of a web application account lead to re-infection of the browser and OS [closed]
I am trying to implement measures against csrf in my client spa.
I have the following question, since it is difficult for me to use the Signed Double-Submit Cookie.
It is possible to implement a csrf preventive measure, where the client ge… Continue reading javascript app preventing csrf
I am currently working on an open source project to securely store notes, payment card numbers, etc. I would like to implement a zero knowledge encryption method so that no one but the user can decrypt this data.
Unfortunately, I am stuck … Continue reading Securely storing derived key in web app and handling user identity
Assumption a customer is sitting in a public area connected to a public wifi. A threat actor can access the customer’s browser and read all Javascript variables.
Step 1. example.com server sends the following information to trustworthy.ext… Continue reading Is encrypting a query parameter within a URI a security best practice?
I’m trying to perform a brute-force attack using Hydra on http://testphp.vulnweb.com/login.php. The login credentials are "test" and "test" for both the login ID and password. Despite using the correct credentials it’s … Continue reading Hydra 0 valid passwords found despite correct credentials
Someone is selling scraped data of millions of users of Trello, a popular a web-based list-making application and project management platform, on a dark web hacker forum. The database dump “contains emails, usernames, full names and other account… Continue reading Data of 15 million Trello users scraped and offered for sale
I am currently implementing a change-of-email request flow for a web service without MFA. My initial approach is to consult the current OWASP Guide for such a flow. In reading the document, I’ve realized this is quite different from the f… Continue reading What is the correct way to implement a change-of-email request flow?
I was using an application called hellotalk today when a stranger told me my real name and i am putting a nickname in the app ,my password contained my name .Idk much about the domain but that was confusing
This document has a sequence diagram (annotated and shown below) explaining how Stripe handle’s a Checkout Session.
My question : When a customer is returned to the successUrl = www.example.com/some/specific/path, how can www.example.com (… Continue reading how should a web application verify a redirect comes from a trustworthy source?