Collaborate Disseminate
In an effort to avoid having to deal with CSRF attacks, I’m trying to implement an auth flow that completely avoids using cookies. In most cases this makes one vulnerable to XSS attacks. However, according to this auth0 blog post, it can b… Continue reading Security implications of access and refresh tokens (JWT) with refresh token rotation and automatic reuse detection
The common thing to do in defense against XSS, stored or not, is to HTML-encode the payload. Encoding upon the upload/POST of the data is efficient for processing power and neutralizes it early to be stored in the database but the payload … Continue reading Is there a consensus on whether HTML encoding should happen upon upload or retrieval/display for defense against stored XSS?
I’m looking to try to bypass this XSS filter and I haven’t been able to, I don’t know exactly how the filter works but whenever I use a script element, the entire element is deleted, and whenever I try to use any tags inside of an element … Continue reading How to bypass this unknown XSS filter [closed]
I’m currently working on a personal project including a RESTful API and also trying to understand how to make it as secure as possible. I have read a bit about JWT, the possible vulnerabilities as well as some suggestions on how to mitiga… Continue reading Mitigating CSRF and XSS with JWT authentication: can someone tell me where my logic is wrong
i am trying to secure my apache web server myself before go live so i added these security headers to my apache site.conf file after lot of reading and googling. i know we can not secure a server 100% but 99% i know there are lot of securi… Continue reading securing apache webserver using security headers
I need to allow a user to pass unsafe text into an iframe URL:
<iframe src="https://example.com?foo=INPUT"></iframe>
Inside the iFrame render code, I have this:
<!doctype html>
<html lang="en">
… Continue reading Is this safe from XSS?
Question about a solution in portswigger academy (since portswigger explains nothing and I can’t find any info elsewhere on this):
Break out of the img attribute by searching for:
Here is the img attribute being broken out of:
How do the double quote and angle bracket break out of the attribute exactly? I can’t figure out how the double quotes play a role in that. Thanks
Continue reading How do double quotes and angle bracket work in this scenario?
Im fixing some security issues that AppScan found on my Angular Application, one of them is the insecure use of "setAttributeNS()"
I use this method in my application to inject some namespaces in the correct htmlElemnt
I have rea… Continue reading setAttributeNS XSS Vulnerability
This vulnerability is from a third party reviewer for PCI scans. I am stuck for months and can’t figure this out. I already used sanitation to my page and it still fail the PCI scanning. I am starting to think that this is not a code relat… Continue reading DCP-Portal Vulnerability
Single page applications (SPAs) have become the most popular way to create websites that feel faster for the end-user without hitting the server every time a user interacts with an application. Shifting away from the traditional cookie-based approach, … Continue reading Increasing security for single page applications (SPAs)