Questions tagged [websecurity]

Questions about the following topics can be tagged websecurity: Cross-Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), Remote Code Execution (RCE), PHP Code Injection, HTTP Protocol Violation, Shellshock, Session Fixation, Scanner Detection, Metadata/Error Leakages, Project Honey Pot Blacklist, and SSL-related questions. Link to learn more: https://owasp.org/ Some questions or definitions: https://techletterbox.com/2020/02/08/web-security/

380 questions
2 votes, 1 answer

Security error loading subtitles on HTML video

So I'm encountering some unexpected behavior with subtitles on an HTML5 video. I am storing my video + subtitle files on Google Cloud Storage and I have a web interface to watch the movies. My server generates signed URLs for the movie and subtitle…
Asked by max pleaner
2 votes, 1 answer

Should Content-Security-Policy header be applied to all resources?

Is it necessary to apply the Content-Security-Policy header to all resources on your domain (images/CSS/JavaScript) or just web pages? For example, I noticed that https://content-security-policy.com/images/csp-book-cover-sm.png has a CSP header.
Asked by j3rbrown
2 votes, 2 answers

Prevent key leak in HTTP GET requests

There's lots of general info about preventing API key leaks, but I'm having trouble finding the proper procedure specifically for making an HTTP GET request with an API key as a parameter. Any user can easily inspect the request and grab an app's…
Asked by jamzsabb
2 votes, 3 answers

How to detect or prevent built-in browser functions from being replaced?

I noticed today that I can replace a sensitive built-in JS function like this: async function _hackedEncrypt(algorithm, key, data) { console.log('hacked you!'); } const subtle = global.crypto.subtle; // Assign to get around "read-only"…
Asked by Erik Hermansen
2 votes, 2 answers

Installing a Go tool from github and facing installation errors

I want to install this tool from GitHub: https://github.com/ethicalhackingplayground/ssrf-tool I am using the command: go install github.com/ethicalhackingplayground/ssrf-tool@latest Output: go: finding module for package…
Asked by Pulkit Prajapat
2 votes, 1 answer

Is storing access token in cookie to allow for SSR dangerous?

I'm working on a project where I've got a central API server and then multiple microservices for it, including a website. The website uses OpenID to handle authentication. To allow for server-side rendering on the website yet have it remain…
Asked by Dreamplay
2 votes, 2 answers

How can I start Chrome in insecure mode on Mac?

I know how to start Chrome in insecure mode via the command line with these options: --disable-web-security --disable-gpu. How can I do it in macOS? So I am going inside the location where Chrome is installed and running this command: chrome.exe…
Asked by sd_30
2 votes, 2 answers

OAuth authorization code flow security question (authorization code intercepted by a hacker)

Something I can't wrap my head around. As I understand it, the authorization code flow is supposed to be more secure than the implicit flow, because the tokens are not directly sent to the client from the authorization server, but rather retrieved by…
Asked by Matan
2 votes, 0 answers

Is it secure to store a CSRF token value in the DOM?

I am validating a CSRF token with every call to an API request (the request just sends an email to me). I have two methods of making the AJAX API call, one in JS and one in C# (JS is the primary, C# is just a backup if the user has JS disabled). My…
2 votes, 1 answer

Is it possible to run C# code from the browser that does work on the user's computer?

I know the answer is almost certainly no, but I was wondering if you could run code from a server on a user's computer (with their permission). I have an ASP.NET application running on a remote IIS. What I want the application to do is to be able to…
Asked by Gunnarhawk
2 votes, 3 answers

XSS vulnerability for JSON API

I have a REST API that accepts and returns JSON data. A sample request and response is as follows: Request { "repos": [ "some-repo", "test-repo" ] } Response { "error": "Error Message", "repos": [ …
Asked by java_geek
2 votes, 1 answer

What is the difference between using Cross-Origin-Opener-Policy and rel="noopener noreferrer"?

The Cross-Origin-Opener-Policy header seems to be quite similar to what the rel="noopener noreferrer" attribute does when opening a document in a new tab (target="_blank"). When should I use which one? It seems the COOP header is applicable when I…
2 votes, 2 answers

Secure spring boot app without user log on

I am creating a Spring Boot API and React front end in a project I am working on. There is no user logon on the front end; however, I would like to ensure my API endpoints are secure and only accessed by my React front end, and I am struggling to…
Asked by GaB
2 votes, 1 answer

Sanitize properties by decorating them to avoid XSS attacks

Currently I am accepting models in my web APIs. I am thinking of decorating the properties which are vulnerable to XSS attacks. That should remove all the script tags etc. Is there any library which can help me with this... public class…
Asked by Code one
2 votes, 1 answer

Is Anti-Forgery token needed in Server to Server communication?

I have a REST API based on ASP.NET Core 3.1. This API is called by other servers; currently there is no client application which calls this API. In such a scenario do I need anti-forgery tokens? Also, if it's needed, how to inject anti-forgery tokens…