I observed the following seemingly out of place Javascript snippet on a website’s checkout page, and I was concerned that it might be skimming credit card numbers: I have been trying to deobfuscate it myself by hand, but my javascript is perhaps not that strong. If I understand correctly, the array won’t end up rotated (the function taking (C,o) is
Tag: security
Server side injection on ASP.NET backend (IIS) by arbitrary file upload
I’m not an expert in cyber security and exploits. I need help figuring out if my app is vulnerable and in what way. Let’s assume I’m an idiot (and I’m not to this extent), and I leave the possibility for client users to upload (exploiting my front end) any file they want on my server in a subfolder (let’s call
Is there a way to declare in a web page that all javascript http requests must be only to same host?
I have a small site that shows ads from different ad networks. Sometimes these ad networks serve ads that contain js code that makes HTTP requests to external servers and I found that sometimes those …
FileReader upload safety
Say I have without any forms, and obtain an image selected by this input via File’s Blob javascript API: input.addEventListener(‘change’, function(){ var reader = …
Electron, contextIsolation and contextBridge
I recently had to revamp an old Electron app. I found out that it had contextIsolation set to false, so I went ahead and set it to true (and btw set nodeIntegration to false). As expected, it broke …
PayPal JavaScript SDK – understand security problems on the client-side
I´ve recently implemented the PayPal JavaScript SDK in my Angular 11 project (implementation reference). It seems to work flawlessly, however, I started to think that it might be possible to modify …
This document requires ‘TrustedScriptURL’ assignment
After adding require-trusted-types-for ‘script’; in my Content-Security-Policy header, which introduced from Chrome 83 Beta to help lock down DOM XSS injection sinks, when I open my website, it …
Form body in a POST ending up as URL params?
Our stack: Vue.js frontend using vuetify component lib custom python middleware rest api using flask + tornado matomo running externally and connected to the frontend using vues plugin system.(…
How to make Google Analytics respond to “Do Not Track”
I am planning to put google analytics tracking code on my website, but I don’t know how to make it respond to those who send the “Do not track” signal. How can I make GA tracking code track those who …
vuex empty state on logout
Quick story of my problem: Absolutely no data is stored in my vuex state when the page loads If the user is logged in(or has info stored in window.localStorage and therefore gets auto logged in) my …