All Questions

309 questions with no upvoted or accepted answers
6 votes · 0 answers · 1k views

Is it possible to get Google Adsense working without adding 'unsafe-inline' in content security policy (CSP)?

I tried adding nonce to SCRIPT_SRC, but CSP complains about adsbygoogle.js: refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src '...
5 votes · 2 answers · 278 views

Chrome Cross frame Drag and Drop: why does it work cross browsers?

In my scenario an HTML5 page (parent) contains an iframe (child) from a different domain. Ideally I would like to be able to drag an element from the parent into the child. This works in Firefox but ...
5 votes · 3 answers · 3k views

Simultaneously sandbox and add JS/HTML to iFrame

I am trying to create an iframe that has JS fire inside of it but does not have access to the parent document. The goal is to have a simple implementation and not include any special libraries. I ...
5 votes · 1 answer · 2k views

Secure browser-side cache in Local Storage

To make the question clear: is the proposal below considered 'secure'? (i.e. doesn't introduce any significant security risks). I haven't seen any clear reason why the following proposal would be ...
5 votes · 1 answer · 327 views

IE9 security error when reading from canvas (non cross-domain)

I'm playing a video in a video tag. The video file is in the same directory as the index.php. I am then putting the video pixels on a canvas, doing some logic on them, reading them and putting on ...
4 votes · 1 answer · 850 views

How to detect HTTP request by analysing JavaScript & HTML?

I'm wondering if we can do some analysis on JavaScript code to detect whether a web page contains JS that would send an HTTP request to another domain. For example, someone puts their static web page ...
4 votes · 0 answers · 466 views

How to embed trusted iframes after html sanitizing?

If I use the google-caja HTML sanitizer with its default whitelist, it will not allow me to embed an iframe. I know it is a security risk; that's why it is not allowing me to do this. But there are so ...
3 votes · 0 answers · 5k views

How to detect when the BROWSER blocks an iFrame

On an https website, I'm trying to load randomly submitted URLs into an iframe, allowing the user to see that website embedded in my own user interface. As long as the remote url is https (like my ...
3 votes · 0 answers · 906 views

JAVASCRIPT drag-and-drop from browser to desktop using TOUCH events?

I'm working on this website, which is supposed to allow the user to drag and drop a div containing an html canvas offscreen. The div is made draggable with jquery's .draggable() function, like this: ...
3 votes · 1 answer · 97 views

How to scan a static copy of a website for evidence of being hacked

I need to review a Drupal site in order to determine if it has potentially been compromised as a result of the SA-CORE-2014-005 (Drupageddon) vulnerability. I have a set of procedures I plan to ...
3 votes · 0 answers · 313 views

How to allow all SVG elements and their attributes using AntiSamy?

I want to allow all the SVG elements and their attributes using AntiSamy. How do I do that? I tried including all the elements and their attributes in the AntiSamy policy file, and setting the regular ...
3 votes · 1 answer · 599 views

What triggers the IE Enhanced Security warning

Is there a published set of IE enhanced security blocking rules? Background: When I try out certain jQuery scripts, I sometimes trigger the IE enhanced security warning - then it's a matter of trial ...
2 votes · 0 answers · 42 views

Is my extremely simple website safe against XSS?

I made a website that gets your request path and returns it in a <link> tag like this: <link rel="canonical" href="PATH_HERE"> You can go to any path you want and ...
2 votes · 0 answers · 52 views

Is it safe to add a localhost URL to allowlist of CSP for local development?

I am working in a React app created with create-react-app. We have a Content Security Policy set up in the meta tag in public/index.php. I'm required to add a connect-src directive for a 3rd party ...
2 votes · 0 answers · 30 views

Finding out how an onClick attribute is generated, as a client?

I have a pretty interesting question. I wanted to automate reserving timeslots for my university's gym as you need to book 3 days in advance if you want a chance at a workout. I am using a framework ...
2 votes · 1 answer · 358 views

Cross-origin security error when moving an application to a subdomain (2018)

Background information: We have a platform which runs on https://system.example.com. This platform consists of 10 separate web applications (all written in PHP and JS). Each application has ...
2 votes · 2 answers · 2k views

Cursor does not blink on autofocus

Browser: Chrome > 57. Issue: Cursor does NOT blink on the focused text box (left/right click, nothing will make the cursor start blinking). Steps: Happens when you proceed from "Your connection is ...
2 votes · 0 answers · 819 views

Is HTTP response splitting/CRLF injection in PHP still possible?

I'd like to try and redirect my own website by passing something like: %0d%0aContent-Type:%20text/html%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a%3Ccenter%3E%3Ch1%3EHacked%3C/...
2 votes · 1 answer · 1k views

How do I import my key using the WebCrypto interface?

My application's cryptography currently utilizes the forge library for encryption, decryption, deriving keys, and importing keys. I recently began reading about the new cryptographic features that are ...
2 votes · 1 answer · 548 views

Restrict or prevent iframe navigation

I have a top page which contains an iframe with untrusted content. I am hosting the untrusted content on a domain that I control, and can (in theory) make changes to it. Short of analyzing the source ...
2 votes · 0 answers · 234 views

iframe Javascript can write parent properties but not read them

I have an iframe containing a site on a different domain. In the iframe's JavaScript, I can change the location of the top page: window.top.location.href = "http://www.example.com"; However, if I ...
2 votes · 0 answers · 2k views

Is mozFullPath in Firefox during file upload a security risk?

I am working on a little photo app where the user selects a local file and it is pushed into a canvas with window.URL.createObjectURL(file) - really basic stuff. During testing I briefly dumped the ...
2 votes · 0 answers · 341 views

HTMLPurifier not stripping HTML elements

Using HTMLPurifier on my input. The current config is: $config = HTMLPurifier_Config::createDefault(); $config->set('HTML.Allowed', 'br,img[src],b'); //allow iframes from trusted sources $config-&...
2 votes · 2 answers · 2k views

Secure user authentication in offline web apps

This question has cropped up a few times in various guises, but I've not seen an answer that satisfies my requirement or fills me with much confidence. Let me set the scene. We currently have a web ...
2 votes · 1 answer · 2k views

How to source images in HTML that are encrypted

I am trying to keep my images safe by having an encryption on them. I've used an encryption program called "AxCrypt" to encrypt my images, but it changes the image file extension. For example, image....
2 votes · 2 answers · 2k views

Creating secure HTML/PHP Forms and Sending E-mails

I am working on some forms and want to get advice on how to properly make a form secure against hackers, spam, etc. Also I want to know how to correctly send this form data in an e-mail (an attachment ...
2 votes · 2 answers · 95 views

HTML sanitization causes difficulties

I read user profiles from the database and show them. Before I show them, I use HTML sanitizing through PHP htmlentities. It shows them correctly. But while allowing the user to edit it, it is shown like ...
2 votes · 3 answers · 1k views

Have a PHP redirect to login page, not forcing login

I created a small PHP site for gameserver management, but it is not forcing users who are not logged in to log in. I have added a redirect if a session is not active, and have destroyed the sessions on logout. ...
2 votes · 1 answer · 49 views

How to pass table record identifier to client side

In a CRUD environment, let's say we are displaying a list of a user's contacts. The web site needs to provide "Edit" and "Delete" functionality to the user. Each contact represents a record in a database table, and ...
2 votes · 0 answers · 360 views

Client certificate authentication for a HTML5 web application (C# HttpServer to handle requests)

I have a question about using client certificates to authenticate clients to a server, when requesting data from that server. I have a web 'application' (HTML5/JavaScript) which requests data from a ...
2 votes · 1 answer · 2k views

.htaccess this web page has a redirect loop htaccess

I want to redirect all my HTTP traffic to HTTPS on my website. I have the following in my .htaccess file: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^ ...
2 votes · 0 answers · 71 views

Can cache manifest be used as a "firewall" for a page or a web app?

When playing with HTML5 cache manifests, I eventually learned that listing / under the NETWORK segment effectively rejects all off-domain connections, like CDN links for example. CACHE MANIFEST ...
2 votes · 1 answer · 861 views

How can I validate the contents of a file with browser based S3 uploads?

I'm working on a project where all user image uploads are stored on S3. To save bandwidth and avoid the upload going through our servers, we're using HTML Form based uploads (see http://docs....
2 votes · 3 answers · 3k views

Detecting JavaScript on an HTML page using Python

I'm currently working on a network security project that checks for XSS vulnerabilities on a website, which hopefully can be used for pen-testers out there (in case you don't believe me and think I'm ...
1 vote · 0 answers · 15 views

Only allow page to be opened in iframe and not in main browser

I'm looking for a method that will only allow a page to be opened in an iframe and not in a main browser window. I know I can check the parent using Javascript but that is easily defeated - ideally I'...
1 vote · 1 answer · 43 views

Is it possible to limit max entries per minute for a text input in html?

I'm about to finish my website that I wrote myself in HTML and I was wondering how can I make it secure. I have limited the max length of the search bar and disabled special characters so far. Is it ...
1 vote · 0 answers · 322 views

Oracle Virtualbox Network SPAN/Mirror Port

Is there any way to set up a 'SPAN' or 'Mirror' port using VirtualBox so as to copy/mirror all network traffic from a particular virtual network to a promiscuous-mode adapter on a virtual machine? The ...
1 vote · 1 answer · 68 views

Security attack on data-url in HTML

<a href="#recommend_tab" id="vendors_reco" role="tab" data-toggle="tab" data-url="/my/plan/getvendors/{{id}}/" aria-expanded="true"> ...
1 vote · 0 answers · 38 views

Why does GitHub prepend this string to <form> opening tags?

The string in question is: <!-- '"` --><!-- </textarea></xmp> --></option></form> The two last closing tags are stray (i.e. don't correspond to any opening tags). ...
1 vote · 0 answers · 57 views

Is using a hidden input field in a template to pass data to a Django view insecure?

I'm sure there's better ways of doing this but I'm just curious if this is an insecure way of passing data to the view Template: {% for object in order.all %} ...other code <form method="POST&...
1 vote · 0 answers · 33 views

Read a PDF in a folder blocked by .htaccess and display it in HTML

I have a question about reading a PDF in a folder which is blocked for security reasons. I want to display it in the admin page, but since it is blocked by .htaccess, I have to find an alternative way to display it ...
1 vote · 1 answer · 502 views

Is it safe to only escape HTML instead of using a library like DOMPurify to prevent XSS?

I'm currently using this answer to escape my HTML before inserting it into a <div> using dangerouslySetInnerHTML in my app. However, I noticed there are also libraries like DOMPurify, which ...
1 vote · 0 answers · 18 views

Can a user unbind page load event handlers, using the developer tools console, before loading the page?

I am wondering if there is any possibility for the user (web page user, has no access to the web page source) to unbind event handlers attached on page load. For example: <script> $(window)....
1 vote · 1 answer · 830 views

What is the security risk of the allow-same-origin sandbox on an iframe from a 3rd party host?

What exactly is the security risk of sandbox="allow-same-origin" on an iframe where the document is loaded from a 3rd party? I've read tons of answers here and elsewhere that explain what it ...
1 vote · 0 answers · 242 views

back4app | How secure is the visible APPLICATION ID in website

I program with JavaScript, Node JS, HTML, CSS. Building a web app, I'm trying to figure out how to use back4app.com as a database. Starting with the examples, I've created a connection. Now I'm ...
1 vote · 1 answer · 123 views

Can someone send form data from a different host to my PHP script which inserts the fetched data into MySQL? If so, how can we secure it?

I want to know if it's possible for someone to create an automation script to send some kind of random form data to my PHP script, which simply inserts the received form data into the MySQL database? Will ...
1 vote · 2 answers · 781 views

Alien code appears in WordPress installation critical files

Over the last 4 days some code has been automatically generated in my website, which runs WordPress as a CMS. The code that was generated inside the index.php file is this: /*12a36*/ @include "\...
1 vote · 1 answer · 2k views

Executing cross-site scripting using HTML entities

I have a question about XSS: As I read, HTML entities are supposed to prevent XSS, but reading from the following site: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#HTML_entities I see ...
1 vote · 0 answers · 36 views

How can a user send malware code via input=file?

After the file is uploaded via input=file it is converted to the b64 standard. But what is the exact path the file is going through, and where in the JavaScript code can we catch that uploaded file? And if I ...
1 vote · 1 answer · 3k views

Is it possible to override/remove a page's Content Security Policy through an external script?

I'm writing an external script for a single web page and I need to make one POST JSON request to another resource through this script. However, when I do, it throws a CSP error: "Refused to connect to &...