I observed the following seemingly out of place Javascript snippet on a website’s checkout page, and I was concerned that it might be skimming credit card numbers: I have been trying to deobfuscate it myself by hand, but my javascript is perhaps not that strong. If I understand correctly, the array won&…
Tag: security
Server side injection on ASP.NET backend (IIS) by arbitrary file upload
I’m not an expert in cyber security and exploits. I need help figuring out if my app is vulnerable and in what way. Let’s assume I’m an idiot (and I’m not to this extent), and I leave the possibility for client users to upload (exploiting my front end) any file they want on my server i…
How can prevent Stored XSS by iframe?
I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe like this: I tried to add sandbox to iframe, but it doesn’t work, the XSS alert still show. Then I tried to change to <iframe src=’#’… sandbox>, but XSS alert still show.…
Is there a safe way to run eval in a webpage and avoid it to access the content of the rest of the page?
I wonder if it is possible to run code provided by users in a webpage in a safe way. I would like to add code that users can dynamically change to change some of the page behaviour, but I don´t want them to use exploits. For example, I would like to let the users write a method returning a boolean
Is there a way to declare in a web page that all javascript http requests must be only to same host?
I have a small site that shows ads from different ad networks. Sometimes these ad networks serve ads that contain js code that makes HTTP requests to external servers and I found that sometimes those requests violate the privacy of my users. Is there a way to block js request to other servers? (even if I lose…
FileReader upload safety
Say I have <input type=”file”> without any forms, and obtain an image selected by this input via File’s Blob javascript API: And that’s all. Say, there is no php script in my server at all. User just uploads picture via the code below, and, for example, see how the picture is displaying in t…
Google reCaptcha V2 (Invisible) only fires once
today i tried to implement Google ReCAPTCHA V2 in ivisible mode. In the documentation, they showed, how to use it. I tried this solution, but the “onSubmit” function only gots called once. After that, the Button simply does nothing… Its there a way to fix that Issue without reloading the pag…
Electron, contextIsolation and contextBridge
I recently had to revamp an old Electron app. I found out that it had contextIsolation set to false, so I went ahead and set it to true (and btw set nodeIntegration to false). As expected, it broke the ipc communications So I used, as advised in many places, a preload script that enables some communications c…
PayPal JavaScript SDK – understand security problems on the client-side
I´ve recently implemented the PayPal JavaScript SDK in my Angular 11 project (implementation reference). It seems to work flawlessly, however, I started to think that it might be possible to modify the pricing amount on the client-side. Additionally, there seems to be no further validation on PayPal´s side if…
This document requires ‘TrustedScriptURL’ assignment
After adding require-trusted-types-for ‘script’; in my Content-Security-Policy header, which introduced from Chrome 83 Beta to help lock down DOM XSS injection sinks, when I open my website, it becomes a blank page. I got many these three kinds of errors in my console. (Chrome version 83.0.4103.61…