
Questions tagged [web-browser]

A web browser is an application which uses HTTP and related protocols to retrieve HTML and XML data from servers. As the web has become a critical source of information and communication, web browsers have become a critical component in information request, transfer and management.

4 votes
3 answers
1k views

Of the cookies created by OTHER websites, which ones would the browser allow a website to access?

I know that sites can share some information between each other by sharing cookies amongst themselves. They have to be in some kind of agreement with each other I assume? Or can any random site read ...
HullBreaker's user avatar
0 votes
1 answer
103 views

Are cookies stored with encryption and how do browsers protect them?

I was using yt-dlp to download YouTube videos. It has an option to obtain cookies directly from the browser, probably all of them. Do the browsers store the cookies with any encryption? If so, how ...
dspjm's user avatar
  • 111
3 votes
1 answer
568 views

Browser-side caching of encrypted sensitive information in sessionStorage?

We are currently implementing envelope encryption to securely encrypt sensitive data (name, emails, phone numbers, photo, previous employers etc.) about our users. However, we are now thinking about to ...
oleg_zh's user avatar
  • 347
4 votes
1 answer
382 views

Image loaded despite Cross-Origin-Embedder-Policy: require-corp

I have a web page with a Cross-Origin-Embedder-Policy: require-corp header. When I include a cross-origin image without CORP or CORS headers in the response, I expect the image to be blocked, because ...
Sjoerd's user avatar
  • 34.4k
1 vote
1 answer
104 views

Are the encrypted browser-saved passwords randomly overwritten when deleted?

Normal ‘deleting’ of data and actually randomly overwriting it are very different in terms of security. So, just deleting passwords is not considered secure, because they can be recovered. And ...
security_paranoid's user avatar
3 votes
0 answers
828 views

Is it safe to use Internet Archive following its cyber-attack?

This is a follow-up to a question regarding recent Internet Archive hacking. Website web.archive.org was restored in a readonly mode but is it safe to use it? Looking at the brief disclosure of the ...
Alex's user avatar
  • 233
4 votes
2 answers
4k views

Why should an attacker perform a clickjacking attack when they can simulate the click with JavaScript?

What's the reason why an attacker should choose to perform a clickjacking attack? If they create a malicious website, they could just perform the action automatically, they don't need to "trick...
allexj's user avatar
  • 197
4 votes
1 answer
307 views

Do I need to worry about infection from a .PDF from an untrusted sender previewed within GMail?

Context: I received an email claiming an order has been shipped for a service that I am subscribed to but did not believe was due for renewal. I panicked and clicked to preview the attached invoice ...
IronJelly's user avatar
16 votes
4 answers
5k views

What prevents a browser from saving and tracking passwords entered to a site?

Since we are accessing Gmail from the Edge browser, Microsoft could have access to the Gmail password. Theoretically, Microsoft can track this password along with sending it to Gmail servers. What ...
BioLogic's user avatar
  • 473
1 vote
2 answers
64 views

Changing credentials: Should I send the password next to the JWT?

I'm wondering: when the user changes their password or their e-mail address, should I expect the current password in the request body and verify it at my backend? The advantage seems to be that a ...
NotX's user avatar
  • 113
1 vote
0 answers
160 views

I have an open redirect but it requires referer header

I have a question which I didn't find an answer for: I have a request like https://mywebsite.com/redirect/**any website to redirect to it** In the backend, there is a check, where if the website the ...
niopiop poiu's user avatar
1 vote
1 answer
111 views

Is it possible that a website is built in such a way that when I upload a pdf to the website, something else in my folder will also be uploaded?

For example, I am using the newest version of Firefox and want to upload some PDF files to be merged into one at one of the websites used to merge PDFs. Would it be possible for the website to also ...
Aqqqq's user avatar
  • 111
2 votes
1 answer
319 views

How to spoof browser fingerprint without it being obvious?

Is there a way to spoof browser fingerprint without websites being able to tell you have done it? This includes spoofing most or all types of known browser/device fingerprints such as canvas, ...
UNRESTR1CTED's user avatar
1 vote
0 answers
173 views

Why is my browser fingerprint unique when running a fresh TOR browser installation?

Downloaded a fresh tor browser instance to test if the fingerprint is unique. (Signature was verified) https://amiunique.org says that the browser fingerprint is unique https://coveryourtracks.eff.org/...
CuriousIndeed's user avatar
4 votes
1 answer
175 views

Site preventing Page-closing, CTRL+W, Window Button, etc

I was happily learning ReactJS when I accidentally clicked the URL for www.someurl.com. After all the redirects, the final page prevented me from leaving using CTRL+W, Windows key, Escape, Opening the ...
Jake's user avatar
  • 143
1 vote
0 answers
62 views

Is this code attempting to identify individual computers? [closed]

The BBC News home page is directing some users to download and run some JavaScript from a data collection company. This collects many hardware and device identifiers, as their privacy policy ...
User65535's user avatar
  • 375
0 votes
1 answer
220 views

What is the reasoning behind blocking specific ports like 10080 in internet browsers?

Context: For security reasons I am running k3s kubernetes in rootless mode. That requires me to use ports over 10000, so I have chosen the port 10080 to listen as web-server. To my surprise, my browser ...
ton's user avatar
  • 101
6 votes
1 answer
236 views

Do browsers like Firefox, Chrome, Opera, and Tor store TLS 1.3 session tickets on the disk?

Do browsers save TLS 1.3 session tickets on the disk to resume a TLS session after the browser process has been killed and restarted? Are there any glaring security risks of caching TLS 1.3 session ...
vibhav950's user avatar
8 votes
4 answers
4k views

Should order numbers be guessable?

We wrote an e-commerce system where we were asked to generate orders based on a format provided to us. The format was extremely simple, which was today's date with total number of orders in the database +...
KeithViking's user avatar
0 votes
0 answers
77 views

Tabnabbing, adblocking and web browser security

My question regards tabnabbing and how to block it. I will first describe my understanding of the subject, but I'm no expert, so this introduction is meant for you to correct me if applicable. Here is ...
greg27's user avatar
  • 19
0 votes
0 answers
58 views

How to allow users to securely use their private key to decrypt data in the browser [duplicate]

I'm working on an application where encrypted data can be stored on the server. Users can do this by obtaining public keys from the server, and use them to encrypt data locally before sending it to ...
Bart's user avatar
  • 101
0 votes
1 answer
281 views

(Advanced) client-side session handling in browser

Is there a way (maybe via browser extensions) to make sessions forcefully expire after a while, even if the server side is set for longer durations? e.g. you authenticate to example.com and it starts ...
Aethalides's user avatar
5 votes
1 answer
910 views

What are the reasons for CORS failure errors to not be available to JS?

From Cross-Origin Resource Sharing (CORS) - HTTP | MDN: CORS failures result in errors but for security reasons, specifics about the error are not available to JavaScript. All the code knows is that ...
Ooker's user avatar
  • 1,621
0 votes
0 answers
33 views

Is my home network infected? [duplicate]

Today, my family brought me a quite old laptop (it had Windows 7 Enterprise from around 2009). When I tried to turn it on, it was already complicated because I got a black screen with options, but the ...
Marth's user avatar
  • 1
21 votes
6 answers
13k views

Are Cyrillic characters a real threat?

I've seen people in security saying URLs with Cyrillic characters are dangerous. If you ever type such characters on a browser you'd see they break into crazy unrecognizable URLs that have nothing to ...
Gatonito's user avatar
  • 375
0 votes
1 answer
110 views

How can the Beef Tool be used? [closed]

Can the hijacked browser's history and saved information be viewed? Is it possible to create a backdoor in the browser? In other words, can it be secretly redirected to any site or downloaded and ...
lkk4325's user avatar
2 votes
1 answer
204 views

Securely storing derived key in web app and handling user identity

I am currently working on an open source project to securely store notes, payment card numbers, etc. I would like to implement a zero knowledge encryption method so that no one but the user can ...
mson's user avatar
  • 23
13 votes
3 answers
7k views

Why are iframes allowed by default?

Clickjacking is still very possible in 2024, because iframe embedding is allowed by default. Why is this the case? In 2013 there was a question about why iframes exist at all (Why are iframes allowed ...
yeerk's user avatar
  • 237
0 votes
1 answer
181 views

Does enabling hardware acceleration increase the attack surface of software?

For software that processes untrusted data and has an option to use hardware acceleration, does enabling hardware acceleration increase the attack surface of the software? Examples of situations where ...
Flux's user avatar
  • 963
2 votes
2 answers
626 views

How to determine which Chrome extension is re-directing me to ad sites

Twice now, seemingly randomly, I've been redirected to an ad site. I believe it has occurred both times when I have a new tab open, type what I'm searching for (Google is my default search engine), ...
johnfernow's user avatar
2 votes
1 answer
291 views

CSP: Allow inline scripts while blocking javascript: in iframe src

We want to prevent attacks coming in from src attribute "javascript:" but still allow inline script tags. Currently the only option is to add sha-hashes but there are too many inline ...
Chris Gunawardena's user avatar
2 votes
0 answers
178 views

How is this website able to determine my country? [closed]

Today I wanted to visit https://scp-wiki.wikidot.com/scp-4999 to conduct some scientific research. Upon loading the page, I was greeted with a text saying Russia (the country I'm in) and Belarus are ...
Gallifreyan's user avatar
0 votes
1 answer
178 views

Can you retrieve messages from instagram or messenger off of a SIM card?

Can you retrieve personal information ie; messages from browsers, off of a SIM card?
Josh Coleman's user avatar
1 vote
1 answer
613 views

Are 2FA browser plugins sufficiently secure?

Regarding 2FA browser plugins, I follow the uneducated opinion that they usually provide sufficient security. Since a desktop computer is a unique device (even a virtual machine) and provides that ...
Jonathan Root's user avatar
2 votes
1 answer
194 views

Does not storing passwords in browser really matter given cookie hijacking exists?

I see lots of articles suggesting not storing passwords in the browser, and it made perfect sense to me, if I can access this data easily, an attacker probably can too. But then I found out about ...
Arthur Moraes Do Lago's user avatar
3 votes
1 answer
470 views

In the modern context, what max harm can a webpage do, if the creator is malignant? [duplicate]

Note: this does not answer my question as it mentions Java/Flash (not in the modern context. The question is from like 10 years ago so probably outdated), and mentions weakness introduced by the user(...
Nicholas's user avatar
  • 141
0 votes
0 answers
89 views

Methods to look for when checking if a javascript program is making network requests

I'm trying to quickly audit a js browser extension to see if it doesn't talk to the outside. Am I right in thinking that I can just grep the code for the following: XMLHttpRequest fetch $.ajax axios....
Scb's user avatar
  • 101
0 votes
0 answers
89 views

Which system variables are exposed from browser JavaScript context?

I know that the TZ variable aka TimeZone can be read by servers, especially with fingerprinting. What are the exposed variables to browsers?
Gilles Quénot's user avatar
1 vote
1 answer
547 views

How safe is it to view a PDF file in the browser without downloading the file to the PC?

When I view the PDF file in a browser such as Firefox without downloading the file into my PC, does Firefox temporarily store the PDF file in my PC? I heard that Firefox has been sandboxed heavily and ...
JUZ Aviewer's user avatar
1 vote
0 answers
381 views

Does the browser pass the name of the camera being used to the website [closed]

Does the browser pass the name of the camera being used to the website which is accessing our camera like when we use obs virtual cam so is the website able to detect that a virtual camera is being ...
jinchuriki's user avatar
0 votes
1 answer
107 views

How vulnerable is Opera using a version of Chromium that is 3 versions behind?

Uses Chromium 115 when current stable is 118. They do claim to have the latest chromium security updates. Does patching old chromium with the latest security fixes bring it on par with the latest ...
Shubham Deshmukh's user avatar
1 vote
1 answer
538 views

Since yt-dlp simulates a browser, can it be fingerprinted in the same ways (e.g. canvas and audiocontext)?

I know that wget and curl can mitigate fingerprinting (aside from http header and user agent), but will yt-dlp give away more data?
BigAl's user avatar
  • 11
0 votes
1 answer
180 views

How to properly migrate authentication cookies to using a new encryption scheme on a website while being backwards compatible?

When a user logs in with their email/password combo and gets authenticated to our website, the backend sends the web browser an encrypted cookie based off of their memberId with us. While this ...
user1068636's user avatar
0 votes
2 answers
599 views

Why do we use Session ID cookies on the web instead of a unique device identifier?

Session IDs aren't exactly secure, you can copy them from one device to another just by copying the browser's temp files. Techniques to tell apart one device from another have existed in browsers for ...
u7w2's user avatar
  • 1
18 votes
2 answers
6k views

How is Xiaomi changing my browser home page?

I have recently observed that the home page of Google Chrome on my Xiaomi Android phone has been altered to a website called "Mintnav". I did not update any software. How is Xiaomi able to ...
samurai jack's user avatar
1 vote
2 answers
1k views

CSP script-src blob

What are the risks to allow a "blob:" directive to the script-src CSP? Is it safe? I have a list of allowed domains defined in script-src, but nonetheless I got an error specifying the ...
Giuseppe Canto's user avatar
0 votes
0 answers
100 views

What can be leaked using a browser extension where one of the extensions loads JavaScript from a remote site?

Can one remotely log my IP, browser history, and saved passwords? I think the IP should be easily done if one of the extensions loads a remote JavaScript to run in my browser. I'm not sure about other ...
Maxfield's user avatar
  • 157
1 vote
1 answer
479 views

Do CSRF Tokens need to be tied to user IDs?

I am implementing a web system using Golang and have incorporated gorilla/csrf for CSRF protection. However, I've encountered an issue. When I have tab1 open in my browser, logged in as user1, and ...
Kholin's user avatar
  • 11
1 vote
1 answer
329 views

CryptoKey with IndexedDB to secure stateless authentication

Stateless authentication using e.g. JWT can be dangerous as they are non-revocable and can leak giving full access. But they are really flexible. I'm considering a scenario where the issued JWT is ...
Szyszka947's user avatar
1 vote
0 answers
132 views

Is there a way to prevent/detect DOM Clobbering in the browser?

It is possible to clobber document attributes, e.g.: <img name="cookie"> ... typeof(document.cookie) //=> 'object' Is there any way to prevent this from happening, access the ...
muhashi's user avatar
  • 11
