Hypothesis

11 Matching Annotations

Jun 2021
disqus.com disqus.com

Disqus Comments

1
1. TylerRick 10 Jun 2021
  
  in Public
  
  In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
  
  cookies: HttpOnly mitigation security: cross-site scripting (XSS) vulnerability CSRF localStorage trade-offs
Visit annotations in context

Tags

security: cross-site scripting (XSS) vulnerability

cookies: HttpOnly

localStorage

mitigation

trade-offs

CSRF

Annotators

TylerRick

URL

disqus.com/embed/comments/
cheatsheetseries.owasp.org cheatsheetseries.owasp.org

Cross-Site Request Forgery Prevention · OWASP Cheat Sheet Series

1
1. TylerRick 10 Jun 2021
  
  in Public
  
  Remember that any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques!
  
  CSRF mitigation security: cross-site scripting (XSS) vulnerability
Visit annotations in context

Tags

security: cross-site scripting (XSS) vulnerability

mitigation

CSRF

Annotators

TylerRick

URL

cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
pragmaticstudio.com pragmaticstudio.com

The Pragmatic Studio

2
1. TylerRick 10 Jun 2021
  
  in Public
  
  That means if an attacker can inject some JavaScript code that runs on the web app’s domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user.
  
  localStorage security: cross-site scripting (XSS) vulnerability code injection
2. TylerRick 10 Jun 2021
  
  in Public
  
  But there’s a drawback that I didn’t like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks.
  
  localStorage security: cross-site scripting (XSS) vulnerability
Visit annotations in context

Tags

security: cross-site scripting (XSS) vulnerability

localStorage

code injection

Annotators

TylerRick

URL

pragmaticstudio.com/tutorials/rails-session-cookies-for-api-authentication
May 2021
owasp.org owasp.org

HttpOnly - Set-Cookie HTTP response header | OWASP

1
1. TylerRick 27 May 2021
  
  in Public
  
  the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
  
  security: cross-site scripting (XSS) vulnerability cookies: HttpOnly mitigation
Visit annotations in context

Tags

security: cross-site scripting (XSS) vulnerability

cookies: HttpOnly

mitigation

Annotators

TylerRick

URL

owasp.org/www-community/HttpOnly
en.wikipedia.org en.wikipedia.org

Cross-site request forgery - Wikipedia

1
1. TylerRick 27 May 2021
  
  in Public
  
  Cross-site scripting (XSS) vulnerabilities (even in other applications running on the same domain) allow attackers to bypass essentially all CSRF preventions.
  
  relationship between security: cross-site request forgery security: cross-site scripting (XSS) vulnerability
Visit annotations in context

Tags

security: cross-site request forgery

security: cross-site scripting (XSS) vulnerability

relationship between

Annotators

TylerRick

URL

en.wikipedia.org/wiki/Cross-site_request_forgery
Feb 2021
stackoverflow.com stackoverflow.com

Why are iframes considered dangerous and a security risk?

1
1. TylerRick 03 Feb 2021
  
  in Public
  
  IFRAME element may be a security risk if any page on your site contains an XSS vulnerability which can be exploited
  
  security: cross-site scripting (XSS) vulnerability web: iframes
Visit annotations in context

Tags

security: cross-site scripting (XSS) vulnerability

web: iframes

Annotators

TylerRick

URL

stackoverflow.com/questions/7289139/why-are-iframes-considered-dangerous-and-a-security-risk
Dec 2020
github.com github.com

Rich-Harris/devalue

2
1. TylerRick 16 Dec 2020
  
  in Public
  
  ${JSON.stringify(state)}
  
  interpolating without escaping (using raw unescaped value) avoid doing (bad ideas) security security: cross-site scripting (XSS) vulnerability
2. TylerRick 16 Dec 2020
  
  in Public
  
  XSS mitigation
  
  security: cross-site scripting (XSS) vulnerability
Visit annotations in context

Tags

security: cross-site scripting (XSS) vulnerability

avoid doing (bad ideas)

security

interpolating without escaping (using raw unescaped value)

Annotators

TylerRick

URL

github.com/Rich-Harris/devalue
Oct 2020
helpx.adobe.com helpx.adobe.com

Canonicalize

1
1. TylerRick 01 Oct 2020
  
  in Public
  
  security: cross-site scripting (XSS) vulnerability
Visit annotations in context

Tags

security: cross-site scripting (XSS) vulnerability

Annotators

TylerRick

URL

helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-c-d/Canonicalize.html
May 2020
www.facebook.com www.facebook.com

What is a Self-XSS scam on Facebook? | Facebook Help Center | Facebook

1
1. TylerRick 28 May 2020
  
  in Public
  
  scam security: cross-site request forgery security: cross-site scripting (XSS) vulnerability
Visit annotations in context

Tags

security: cross-site request forgery

security: cross-site scripting (XSS) vulnerability

scam

Annotators

TylerRick

URL

facebook.com/help/246962205475854