40 Matching Annotations
  1. Oct 2023
  2. research.securitum.com research.securitum.com
    Mutation XSS via namespace confusion - DOMPurify < 2.0.17 bypass - research.securitum.com
    1
    1. kael 21 Oct 2023
      dompurify security xss js html wikipedia:en=Cross-site_scripting#Mutated_XSS_(mXSS)
    Visit annotations in context

    Tags

    Annotators

    URL

    research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
  3. Aug 2023
  4. github.com github.com
    Content Security Policy support · Issue #93 · sveltejs/kit
    1
    1. kael 13 Aug 2023
      sveltekit csp security http js xss
    Visit annotations in context

    Tags

    Annotators

    URL

    github.com/sveltejs/kit/issues/93
  5. rodneylab.com rodneylab.com
    SvelteKit Content Security Policy: CSP for XSS Protection
    1
    1. kael 13 Aug 2023
      sveltekit csp security js http xss <meta http-equiv="content-security-policy"/> http:header=report-to
    Visit annotations in context

    Tags

    Annotators

    URL

    rodneylab.com/sveltekit-content-security-policy/
  6. cheatsheetseries.owasp.org cheatsheetseries.owasp.org
    Cross Site Scripting Prevention - OWASP Cheat Sheet Series
    1
    1. kael 10 Aug 2023
      xss security html html:data-* css js wikipedia:en=Cross-site_scripting
    Visit annotations in context

    Tags

    Annotators

    URL

    cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
  7. developer.mozilla.org developer.mozilla.org
    Content Security Policy (CSP)
    1
    1. kael 10 Aug 2023
      csp security js xss http http:header=content-security-policy http:header=content-security-policy-report-only <meta http-equiv="content-security-policy"/> wikipedia:en=Content_Security_Policy wikipedia:en=Sniffing_attack wikipedia:en=Cross-site_scripting
    Visit annotations in context

    Tags

    Annotators

    URL

    developer.mozilla.org/en-US/docs/Web/HTTP/CSP
  8. Mar 2023
  9. wiki.owasp.org wiki.owasp.org
    Testing for HTML Injection (OTG-CLIENT-003) - OWASP
    1
    1. kael 11 Mar 2023
      html security xss
    Visit annotations in context

    Tags

    Annotators

    URL

    wiki.owasp.org/index.php/Testing_for_HTML_Injection_(OTG-CLIENT-003)
  10. blogs.msmvps.com blogs.msmvps.com
    HTML data attributes – stop my XSS – Tales from the Crypto
    1
    1. kael 11 Mar 2023
      html:data-* security js xss
    Visit annotations in context

    Tags

    Annotators

    URL

    blogs.msmvps.com/alunj/2015/05/10/html-data-attributes-stop-my-xss/
  11. hunter2.com hunter2.com
    3 Security Pitfalls Every React Developer Should Know
    4
    1. kael 06 Mar 2023
      Pitfall #1: Server-Side Rendering Attacker-Controlled Initial State

      ```html

      <script>window.__STATE__ = ${JSON.stringify({ data })}</script>

      ```

      reactjs security json ssr xss
    2. kael 06 Mar 2023
      Pitfall #3: Misunderstanding What it Means to Dangerously Set
      reactjs security html:innerHTML xss
    3. kael 06 Mar 2023
      Pitfall #2: Sneaky Links

      ```html

      <div>data:text/html, click me</div>

      ```

      reactjs security datauri xss
    4. kael 06 Mar 2023
      reactjs security xss
    Visit annotations in context

    Tags

    Annotators

    URL

    hunter2.com/3-security-pitfalls-every-react-developer-should-know
  12. thomasnguyen.site thomasnguyen.site
    Preventing XSS in React Applications
    4
    1. kael 06 Mar 2023
      One option is to use the serialize-javascript NPM module to escape the rendered JSON.

      html { username: "pwned", bio: "</script><script>alert('XSS Vulnerability!')</script>" }

      reactjs ssr security json xss
    2. kael 06 Mar 2023
      This is risky because JSON.stringify() will blindly turn any data you give it into a string (so long as it is valid JSON) which will be rendered in the page. If { data } has fields that un-trusted users can edit like usernames or bios, they can inject something like this:

      json { username: "pwned", bio: "</script><script>alert('XSS Vulnerability!')</script>" }

      reactjs ssr security json xss
    3. kael 06 Mar 2023
      Sometimes when we render initial state, we dangerously generate a document variable from a JSON string. Vulnerable code looks like this:

      ```html

      <script>window.__STATE__ = ${JSON.stringify({ data })}</script>

      ```

      reactjs ssr security json xss
    4. kael 06 Mar 2023
      Server-side rendering attacker-controlled initial state
      reactjs ssr security xss
    Visit annotations in context

    Tags

    Annotators

    URL

    thomasnguyen.site/preventing-xss-in-react-applications
  13. www.youtube.com www.youtube.com
    Frederik Braun – Using a CDN that can not XSS you - with Subresource Integrity
    1
    1. kael 03 Mar 2023
      sri security http html js caching cdn xss
    Visit annotations in context

    Tags

    Annotators

    URL

    youtube.com/watch
  14. frederik-braun.com frederik-braun.com
    Frederik Braun - A CDN that can not XSS you: Using Subresource Integrity
    1
    1. kael 03 Mar 2023
      sri security http html js caching cdn xss
    Visit annotations in context

    Tags

    Annotators

    URL

    frederik-braun.com/using-subresource-integrity.html
  15. Dec 2022
  16. spaceraccoon.dev spaceraccoon.dev
    I Hope This Sticks: Analyzing ClipboardEvent Listeners for Stored XSS
    1
    1. kael 19 Dec 2022
      js clipboard security xss
    Visit annotations in context

    Tags

    Annotators

    URL

    spaceraccoon.dev/analyzing-clipboardevent-listeners-stored-xss/
  17. cheatsheetseries.owasp.org cheatsheetseries.owasp.org
    XS Leaks - OWASP Cheat Sheet Series
    1
    1. kael 12 Dec 2022
      js security xss cookies
    Visit annotations in context

    Tags

    Annotators

    URL

    cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html
  18. blog.ropnop.com blog.ropnop.com
    How to Store Session Tokens in a Browser (and the impacts of each)
    1
    1. kael 12 Dec 2022
      js security xss cookies storage
    Visit annotations in context

    Tags

    Annotators

    URL

    blog.ropnop.com/storing-tokens-in-browser/
  19. security.stackexchange.com security.stackexchange.com
    Are Javascript closures a useful technique to limit exposing data to XSS?
    1
    1. kael 11 Dec 2022
      js security xss
    Visit annotations in context

    Tags

    Annotators

    URL

    security.stackexchange.com/questions/234099/are-javascript-closures-a-useful-technique-to-limit-exposing-data-to-xss
  20. Aug 2022
  21. tech.meituan.com tech.meituan.com
    前端安全系列(一):如何防止XSS攻击?
    1
    1. caocao485 28 Aug 2022
      攻击者提交恶意代码。
      xss
    Visit annotations in context

    Tags

    Annotators

    URL

    tech.meituan.com/2018/09/27/fe-security.html
  22. www.google.com www.google.com
    xss 攻击 - Google 搜索
    1
    1. caocao485 28 Aug 2022

      通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序

      xss
    Visit annotations in context

    Tags

    Annotators

    URL

    google.com/search
  23. bugs.chromium.org bugs.chromium.org
    1202970 - chromium - An open-source project to help move the web forward. - Monorail
    1
    1. kael 20 Aug 2022
      js:sanitizer chrome bug js html security xss
    Visit annotations in context

    Tags

    Annotators

    URL

    bugs.chromium.org/p/chromium/issues/detail
  24. cheatsheetseries.owasp.org cheatsheetseries.owasp.org
    Cross Site Scripting Prevention - OWASP Cheat Sheet Series
    1
    1. TylerRick 15 Aug 2022
      security: cross-site scripting (XSS) vulnerability security
    Visit annotations in context

    Tags

    Annotators

    URL

    cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
  25. Jun 2022
  26. github.com github.com
    cure53/DOMPurify
    1
    1. kael 05 Jun 2022
      DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
      dompurify dom js security xss
    Visit annotations in context

    Tags

    Annotators

    URL

    github.com/cure53/DOMPurify
  27. Jun 2021
  28. disqus.com disqus.com
    Disqus Comments
    1
    1. TylerRick 10 Jun 2021
      In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
      cookies: HttpOnly mitigation security: cross-site scripting (XSS) vulnerability CSRF localStorage trade-offs
    Visit annotations in context

    Tags

    Annotators

    URL

    disqus.com/embed/comments/
  29. cheatsheetseries.owasp.org cheatsheetseries.owasp.org
    Cross-Site Request Forgery Prevention · OWASP Cheat Sheet Series
    1
    1. TylerRick 10 Jun 2021
      Remember that any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques!
      CSRF mitigation security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
  30. pragmaticstudio.com pragmaticstudio.com
    The Pragmatic Studio
    2
    1. TylerRick 10 Jun 2021
      That means if an attacker can inject some JavaScript code that runs on the web app’s domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user.
      localStorage security: cross-site scripting (XSS) vulnerability code injection
    2. TylerRick 10 Jun 2021
      But there’s a drawback that I didn’t like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks.
      localStorage security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    pragmaticstudio.com/tutorials/rails-session-cookies-for-api-authentication
  31. May 2021
  32. owasp.org owasp.org
    HttpOnly - Set-Cookie HTTP response header | OWASP
    1
    1. TylerRick 27 May 2021
      the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
      security: cross-site scripting (XSS) vulnerability cookies: HttpOnly mitigation
    Visit annotations in context

    Tags

    Annotators

    URL

    owasp.org/www-community/HttpOnly
  33. en.wikipedia.org en.wikipedia.org
    Cross-site request forgery - Wikipedia
    1
    1. TylerRick 27 May 2021
      Cross-site scripting (XSS) vulnerabilities (even in other applications running on the same domain) allow attackers to bypass essentially all CSRF preventions.
      relationship between security: cross-site request forgery security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    en.wikipedia.org/wiki/Cross-site_request_forgery
  34. Feb 2021
  35. stackoverflow.com stackoverflow.com
    Why are iframes considered dangerous and a security risk?
    1
    1. TylerRick 03 Feb 2021
      IFRAME element may be a security risk if any page on your site contains an XSS vulnerability which can be exploited
      security: cross-site scripting (XSS) vulnerability web: iframes
    Visit annotations in context

    Tags

    Annotators

    URL

    stackoverflow.com/questions/7289139/why-are-iframes-considered-dangerous-and-a-security-risk
  36. Dec 2020
  37. github.com github.com
    Rich-Harris/devalue
    2
    1. TylerRick 16 Dec 2020
      ${JSON.stringify(state)}
      interpolating without escaping (using raw unescaped value) avoid doing (bad ideas) security security: cross-site scripting (XSS) vulnerability
    2. TylerRick 16 Dec 2020
      XSS mitigation
      security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    github.com/Rich-Harris/devalue
  38. Oct 2020
  39. helpx.adobe.com helpx.adobe.com
    Canonicalize
    1
    1. TylerRick 01 Oct 2020
      security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-c-d/Canonicalize.html
  40. May 2020
  41. www.facebook.com www.facebook.com
    What is a Self-XSS scam on Facebook? | Facebook Help Center | Facebook
    1
    1. TylerRick 28 May 2020
      scam security: cross-site request forgery security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    facebook.com/help/246962205475854
  42. Nov 2018
  43. zh.wikipedia.org zh.wikipedia.org
    跨站请求伪造 - 维基百科,自由的百科全书
    1
    1. catcuts 21 Nov 2018
      跟跨网站脚本(XSS)相比,XSS 利用的是用户对指定网站的信任,CSRF 利用的是网站对用户网页浏览器的信任。

      XSS 是对客户端的攻击

      CSRF 是对服务端的攻击

      xss csrf
    Visit annotations in context

    Tags

    Annotators

    URL

    zh.wikipedia.org/wiki/跨站请求伪造
  44. Oct 2018
  45. dzone.com dzone.com
    Using the SameSite Cookie Attribute to Prevent CSRF Attacks - DZone Security
    1
    1. kael 26 Oct 2018
      xss http security
    Visit annotations in context

    Tags

    Annotators

    URL

    dzone.com/articles/using-the-same-site-cookie-attribute-to-prevent-cs
  46. scotthelme.co.uk scotthelme.co.uk
    Cross-Site Request Forgery is dead!
    1
    1. kael 26 Oct 2018
      xss security http
    Visit annotations in context

    Tags

    Annotators

    URL

    scotthelme.co.uk/csrf-is-dead/