Collaborate Disseminate
I’m building a webapp where I want to encrypt user data. I’ve done A LOT of research about this.
The main issue is that I want only users to be able to access their data. After reading countless articles and forums, I’ve come to the conclu… Continue reading Where to store user private keys in a webapp? [duplicate]
I’m quite new to XXE attacks so please bear with me, when I look at the different payloads to get a OOB XXE they all look like the following (external DTD) :
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval &… Continue reading I’m not sure why the different XXE injection payloads follow a specific pattern
For me building interfaces through HTML / JS frameworks is by far easier then any other framework I have tried in the past. It’s also not that strange, as by far the most UIs are based on the web nowadays, so the tools are superb (to me).
… Continue reading How to protect a local app that acts as a webserver from exploits?
To clarify the question, here’s our case:
We generate encrypted tokens by applying AES-CBC (256 bit) and Base64 to payload:
encrypted_token = Base64.encode(AES_CBC_256.encrypt(key, iv, payload)).
These encrypted tokens are publicly availab… Continue reading Can token decryption endpoint response codes variability lead to security vulnerabilities?
A great many websites leave "web workers" running in the background even after you’ve left their website and closed the browser tab.
I’m told that the only way to kill them all is to clear my cookies. But what would be inconvenie… Continue reading How to stop all web-workers? They’re draining my battery [migrated]
I have now done the tedious work and enabled 2FA for all accounts in my gopass (if the site offered an option).
Some only offer insecure SMS or a proprietary app, or even nothing at all.
What is noticeable, however, is that discussion for… Continue reading Why don’t operators and CMS developers of discussion forums offer 2FA?
I’m working on idea for a project the goal is to allow a user to share their encrypted content with friends while ensuring the server and none friends maintains zero knowledge of the actual content.
Here’s an example structure of a user:
U… Continue reading User-Controlled Encryption in web app. How to Implement Encrypted Content Sharing Among Friends?
I’m working on idea for a project the goal is to allow a user to share their encrypted content with friends while ensuring the server and none friends maintains zero knowledge of the actual content.
Here’s an example structure of a user:
U… Continue reading User-Controlled Encryption in web app. How to Implement Encrypted Content Sharing Among Friends?
While analyzing a web application, I identified a path of the type https://example/remove/123, which allows a user with lower privileges to remove a report created by a user with higher privileges. In theory, the user with lower privileges… Continue reading IDOR or something else?
i have tried this command
hydra localhost http-form-get "/DVWA-master/vulnerabilities/brute/?username=^USER^&password=^PASS^&Login=submit:F=incorrect:H=Cookie\:security=low; PHPSESSID=rch1oft4bbq68a3k656kla2geg" -l admin … Continue reading hydra returns all passwords tested as found [duplicate]