15 Matching Annotations
  1. Jun 2021
  2. disqus.com disqus.com
    Disqus Comments
    1
    1. TylerRick 10 Jun 2021
      In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
      cookies: HttpOnly mitigation security: cross-site scripting (XSS) vulnerability CSRF localStorage trade-offs
    Visit annotations in context

    Tags

    Annotators

    URL

    disqus.com/embed/comments/
  3. cheatsheetseries.owasp.org cheatsheetseries.owasp.org
    Cross-Site Request Forgery Prevention · OWASP Cheat Sheet Series
    1
    1. TylerRick 10 Jun 2021
      Remember that any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques!
      CSRF mitigation security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
  4. pragmaticstudio.com pragmaticstudio.com
    The Pragmatic Studio
    2
    1. TylerRick 10 Jun 2021
      That means if an attacker can inject some JavaScript code that runs on the web app’s domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user.
      localStorage security: cross-site scripting (XSS) vulnerability code injection
    2. TylerRick 10 Jun 2021
      But there’s a drawback that I didn’t like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks.
      localStorage security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    pragmaticstudio.com/tutorials/rails-session-cookies-for-api-authentication
  5. May 2021
  6. owasp.org owasp.org
    HttpOnly - Set-Cookie HTTP response header | OWASP
    1
    1. TylerRick 27 May 2021
      the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
      security: cross-site scripting (XSS) vulnerability cookies: HttpOnly mitigation
    Visit annotations in context

    Tags

    Annotators

    URL

    owasp.org/www-community/HttpOnly
  7. en.wikipedia.org en.wikipedia.org
    Cross-site request forgery - Wikipedia
    1
    1. TylerRick 27 May 2021
      Cross-site scripting (XSS) vulnerabilities (even in other applications running on the same domain) allow attackers to bypass essentially all CSRF preventions.
      relationship between security: cross-site request forgery security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    en.wikipedia.org/wiki/Cross-site_request_forgery
  8. Feb 2021
  9. stackoverflow.com stackoverflow.com
    Why are iframes considered dangerous and a security risk?
    1
    1. TylerRick 03 Feb 2021
      IFRAME element may be a security risk if any page on your site contains an XSS vulnerability which can be exploited
      security: cross-site scripting (XSS) vulnerability web: iframes
    Visit annotations in context

    Tags

    Annotators

    URL

    stackoverflow.com/questions/7289139/why-are-iframes-considered-dangerous-and-a-security-risk
  10. Dec 2020
  11. github.com github.com
    Rich-Harris/devalue
    2
    1. TylerRick 16 Dec 2020
      ${JSON.stringify(state)}
      interpolating without escaping (using raw unescaped value) avoid doing (bad ideas) security security: cross-site scripting (XSS) vulnerability
    2. TylerRick 16 Dec 2020
      XSS mitigation
      security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    github.com/Rich-Harris/devalue
  12. Oct 2020
  13. helpx.adobe.com helpx.adobe.com
    Canonicalize
    1
    1. TylerRick 01 Oct 2020
      security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-c-d/Canonicalize.html
  14. May 2020
  15. www.facebook.com www.facebook.com
    What is a Self-XSS scam on Facebook? | Facebook Help Center | Facebook
    1
    1. TylerRick 28 May 2020
      scam security: cross-site request forgery security: cross-site scripting (XSS) vulnerability
    Visit annotations in context

    Tags

    Annotators

    URL

    facebook.com/help/246962205475854
  16. Nov 2018
  17. zh.wikipedia.org zh.wikipedia.org
    跨站请求伪造 - 维基百科,自由的百科全书
    1
    1. catcuts 21 Nov 2018
      跟跨网站脚本(XSS)相比,XSS 利用的是用户对指定网站的信任,CSRF 利用的是网站对用户网页浏览器的信任。

      XSS 是对客户端的攻击

      CSRF 是对服务端的攻击

      xss csrf
    Visit annotations in context

    Tags

    Annotators

    URL

    zh.wikipedia.org/wiki/跨站请求伪造
  18. Oct 2018
  19. dzone.com dzone.com
    Using the SameSite Cookie Attribute to Prevent CSRF Attacks - DZone Security
    1
    1. kael 26 Oct 2018
      xss http security
    Visit annotations in context

    Tags

    Annotators

    URL

    dzone.com/articles/using-the-same-site-cookie-attribute-to-prevent-cs
  20. scotthelme.co.uk scotthelme.co.uk
    Cross-Site Request Forgery is dead!
    1
    1. kael 26 Oct 2018
      xss security http
    Visit annotations in context

    Tags

    Annotators

    URL

    scotthelme.co.uk/csrf-is-dead/
  21. Sep 2018
  22. github.com github.com
    cure53/DOMPurify
    1
    1. kael 21 Sep 2018
      DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
      dompurify json-ld dom security xss
    Visit annotations in context

    Tags

    Annotators

    URL

    github.com/cure53/DOMPurify