Reading this XSS cheat sheet, I noticed a special usage I have never seen: What does “=_=” mean? It’s below the sentence “On Mouse Over”. Answer It’s just an attribute on the element. It doesn’t have any meaning by itself, so it may be present simply as a red herring…
Tag: xss
Content Security Policy: Should a CSP contain hashes for external scripts?
What I am unsure about I am wondering if the Content-Security-Policy header should/can contain hashes for external JavaScript files (aka, tags with a src attribute <script src=”foo.js”></script>). What I have tried In Chromium based browsers and Mozilla Firefox, my external scripts are…
How can prevent Stored XSS by iframe?
I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe like this: I tried to add sandbox to iframe, but it doesn’t work, the XSS alert still show. Then I tried to change to <iframe src=’#’… sandbox>, but XSS alert still show.…
Are there different types of HTML closing tags
Recently I came across this type of tag in an HTML: <x/ id=”someId” onpointermove=alert`hello`> This data was fetched from the server as a JSON and then written into the HTML view. The HTML view displays the data with no issues. However, on running the request that just fetches the data in a…
Key Management: Hardcoded Encryption Key for chart.js
I facing issue related to “Key Management: Hardcoded Encryption Key” for chart.js api. We are using Fortify Scanning for security purpose. How to avoid the ‘Hardcoded Encryption Key’. After scanning we found the line of code that is hardcoded in chart.js. Is there any way to resolve th…
Can someone explain me how jjencode works and if is good to use it on my code
Can someone explain me how http://utf-8.jp/public/jjencode.html works and if is good to use it on my code? The first time I tried it I thought that I needed to have some kind of algorithm in my code to use it, but it works on every site. What is happening? I already read the source code but I don’t unde…
How do you use window.postMessage across domains?
It seems like the point of window.postMessage is to allow safe communication between windows/frames hosted on different domains, but it doesn’t actually seem to allow that in Chrome. Here’s the scenario: Embed an <iframe> (with a src on domain B*) in a page on domain A The <iframe> end…
What makes an input vulnerable to XSS?
I’ve been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that’s all. What do I have to do for make it vulnerable?? (then I’ll learn what I shouldn’…