Skip to content
Advertisement

Tag: xss

What does =_= mean in JavaScript or HTML?

Reading this XSS cheat sheet, I noticed a special usage I have never seen: What does “=_=” mean? It’s below the sentence “On Mouse Over​”. Answer It’s just an attribute on the element. It doesn’t have any meaning by itself, so it may be present simply as a red herring. Prettified, the code is: In HTML, = in an attribute

Content Security Policy: Should a CSP contain hashes for external scripts?

What I am unsure about I am wondering if the Content-Security-Policy header should/can contain hashes for external JavaScript files (aka, tags with a src attribute <script src=”foo.js”></script>). What I have tried In Chromium based browsers and Mozilla Firefox, my external scripts are blocked, even when including all of those scripts’ hashes in the Content-Security-Policy header: I have also tried My

How can prevent Stored XSS by iframe?

I use Extjs and JS to build a dialog where can display my html data from DB, that data is wrapped with iframe like this: I tried to add sandbox to iframe, but it doesn’t work, the XSS alert still show. Then I tried to change to <iframe src=’#’… sandbox>, but XSS alert still show. I removed src or just

Are there different types of HTML closing tags

Recently I came across this type of tag in an HTML: <x/ id=”someId” onpointermove=alert`hello`> This data was fetched from the server as a JSON and then written into the HTML view. The HTML view displays the data with no issues. However, on running the request that just fetches the data in a new tab, the Javascript code is running. How

Key Management: Hardcoded Encryption Key for chart.js

I facing issue related to “Key Management: Hardcoded Encryption Key” for chart.js api. We are using Fortify Scanning for security purpose. How to avoid the ‘Hardcoded Encryption Key’. After scanning we found the line of code that is hardcoded in chart.js. Is there any way to resolve this issue. Answer After analysed the chart.js code file, we have found there

How do you use window.postMessage across domains?

It seems like the point of window.postMessage is to allow safe communication between windows/frames hosted on different domains, but it doesn’t actually seem to allow that in Chrome. Here’s the scenario: Embed an <iframe> (with a src on domain B*) in a page on domain A The <iframe> ends up being mostly a <script> tag, at the end of which’s

What makes an input vulnerable to XSS?

I’ve been reading about XSS and I made a simple form with a text and submit input, but when I execute <script>alert();</script> on it, nothing happens, the server gets that string and that’s all. What do I have to do for make it vulnerable?? (then I’ll learn what I shouldn’t do hehe) Cheers. Answer Indeed just let the server output

Advertisement