All Questions
Tagged with web-browser javascript
188 questions
3 votes, 0 answers, 831 views
Is it safe to use Internet Archive following its cyber-attack?
This is a follow-up to a question regarding recent Internet Archive hacking.
Website web.archive.org was restored in a readonly mode but is it safe to use it? Looking at the brief disclosure of the ...
4 votes, 2 answers, 4k views
Why should an attacker perform a clickjacking attack when they can simulate the click with JavaScript?
What's the reason why an attacker should choose to perform a clickjacking attack?
If they create a malicious website, they could just perform the action automatically, they don't need to "trick...
1 vote, 0 answers, 62 views
Is this code attempting to identify individual computers? [closed]
The BBC News home page is directing some users to download and run some JavaScript from a data collection company. This collects many hardware and device identifiers, as their privacy policy ...
5 votes, 1 answer, 910 views
What are the reasons for CORS failure errors to not be available to JS?
From Cross-Origin Resource Sharing (CORS) - HTTP | MDN:
CORS failures result in errors but for security reasons, specifics about the error are not available to JavaScript. All the code knows is that ...
2 votes, 1 answer, 204 views
Securely storing derived key in web app and handling user identity
I am currently working on an open source project to securely store notes, payment card numbers, etc. I would like to implement a zero knowledge encryption method so that no one but the user can ...
0 votes, 0 answers, 89 views
Methods to look for when checking if a javascript program is making network requests
I'm trying to quickly audit a js browser extension to see if it doesn't talk to the outside. Am I right in thinking that I can just grep the code for the following:
XMLHttpRequest
fetch
$.ajax
axios....
0 votes, 0 answers, 100 views
What can be leaked using a browser extension where one of the extensions loads JavaScript from a remote site?
Can one remotely log my IP, browser history, and saved passwords?
I think the IP should be easily done if one of the extensions load a remote JavaScript to run in my browser. I'm not sure about other ...
1 vote, 0 answers, 132 views
Is there a way to prevent/detect DOM Clobbering in the browser?
It is possible to clobber document attributes, e.g.:
<img name="cookie">
...
typeof(document.cookie)
//=> 'object'
Is there any way to prevent this from happening, access the ...
0 votes, 0 answers, 122 views
Are there any html Sanitizer() API configs that allow javascript execution?
I'm talking specifically about the HTML Sanitizer API: https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API
The API allows you to configure the sanitizer with a list of allowed elements ...
0 votes, 0 answers, 121 views
Can WebASM provide JavaScript style interactivity without the same vulnerabilities?
JavaScript is useful for interactivity. However, it is often disabled by security conscious browsers, such as the Tor Browser Bundle, and blocked with plugins such as NoScript.
I was wondering if it ...
2 votes, 3 answers, 374 views
Is Chrome's view-source dangerous when visiting malicious sites? [duplicate]
What are the risks of viewing the source code of malicious pages on Google Chrome?
I want to go directly to view-source:https://example-site.com to visit the sites without rendering anything malicious ...
2 votes, 1 answer, 984 views
Is the Web Crypto API secure when the server is trusted?
I've heard a lot of people say that the Web Crypto API is not very safe. For example: https://tonyarcieri.com/whats-wrong-with-webcrypto, Problems with in Browser Crypto. However, I'm looking to use ...
0 votes, 1 answer, 136 views
What other methods would an attacker use for making an HTTP request that isn't Fetch() or an XHR or using the DOM?
We are running user-submitted JavaScript, server-side to be executed within a headless browser that doesn't have a DOM or any child of the window or document or location objects - because these are ...
9 votes, 2 answers, 2k views
Does the "auto formfill" feature in Chromium-based browsers actually send this to the webpage?
I use Vivaldi. I have previously filled in forms where I used a certain name and e-mail.
Today I cleared the browser data except for the autofill stuff.
Then I went to Stack Exchange to register an ...
0 votes, 1 answer, 157 views
Encryption options when one-way secure channel is available
I would like to ask what encryption options are available for the following real scenario:
There is an unsecure, full-duplex communication channel between a server and client
There is also a secure ...
3 votes, 1 answer, 674 views
Website with embedded PDFs and JavaScript for Acrobat
Context
On my website, users can upload their PDF files, and then some other users can view the uploaded PDF files.
I was wondering if this could come with security issues.
The uploaded PDF are ...
0 votes, 2 answers, 2k views
Keep encryption password in javascript file hidden from browser debug tool
I'm sort of new to Frontend programming. I'm trying to build a PWA, it stores data (client data i.e: address, name, phones) to be ready in an offline state, for which I'm using localForage. I've ...
0 votes, 0 answers, 292 views
How do developers prevent a third party from looking at exposed information on a javascript console? For example on a public computer
If a user was using your application on a public computer and were to log out of your website without closing the tab, the next person to use this computer could snoop through the console and look for ...
0 votes, 1 answer, 319 views
What technologies used in a web browser, if any, can be used to push a binary from a server to a client machine?
This question is about if any technologies used by a web browser (HTTP, TCP, JavaScript, etc.) can be used to push a binary file from the web server to a random folder on the client.
This is for a ...
1 vote, 0 answers, 128 views
Is checking to see if any parameters contain "__proto___" an effective way to mitigate Prototype Pollution vulnerability?
let key = keys[j] === '' ? (currentParams as any).length : keys[j];
if (key === '__proto__') {
throw new Error('Prototype pollution detected.');
}
It at least defeats basic url-encoding,...
5 votes, 2 answers, 499 views
A runtime sometimes converts string arguments (or string returns) from WTF-16 to UTF-16 between functions in a call stack. Is this a security concern?
Suppose that we have this code (in TypeScript syntax):
function one(str: string): string {
// do something with the string
return str
}
function two() {
let s = getSomeString() // returns some ...
1 vote, 1 answer, 967 views
How could I know if a website is fingerprinting you via WebGL?
I would like to know if a website is fingerprinting me via WebGL,
first of all, knowing if the site is doing it
Knowing when they send the request to my browser
Knowing what value I am reporting to ...
4 votes, 3 answers, 4k views
Is Firefox's new JavaScript support within PDF files a security concern?
Historically, we have learned that many security vulnerabilities and exploits have resulted from allowing document files to contain executable code, whether it be JavaScript, VBScript, another ...
2 votes, 1 answer, 234 views
Is an XSS attack possible under these constraints?
The output is:
<img src="http://example.com/[input]" oncontextmenu="openUrl('http://example.com/[input]')">
Where [input] is the user input, which is sanitised through this ...
0 votes, 0 answers, 678 views
Global variables accessible to other websites opened in same tab
Today I found a security issue with Chrome (or maybe other browsers I haven't tested yet).
What happens is that once you open a site and then open another site in the same tab, the previous site's ...
0 votes, 0 answers, 253 views
Can a hacker hack my phone by not installing anything on my device?
I know that a device can be compromised by a drive-by download.
But could an attacker access my device without installing any malicious app? Can he access my camera by just executing a malicious ...
1 vote, 1 answer, 627 views
Is there a way to check if my site visitor has visited another site?
I want to know if the current visitor has already visited a specific site. The site is owned by someone else and is on a different domain.
Is there a way?
0 votes, 0 answers, 308 views
Can I skip "if" statement with chrome debugger or another javascript debugger?
I see this code in a bug bounty program
The code:
<!DOCTYPE html>
<html>
...
</html>
<script>
if(window.location.pathname === '/' || window.location.pathname.includes('.html')){...
4 votes, 3 answers, 1k views
Source code being injected into every website
I had a client contact me today because a website I developed (that deals with sensitive information) wasn't loading correctly on one computer on Chrome. After poking around for a while it appears to ...
2 votes, 1 answer, 2k views
Is it secure to use window.origin with postMessage?
When using postMessage it's important to define a targetOrigin to ensure we don't leak data to other sites.
It's equally important to check the origin when receiving a message to prevent other sites ...
1 vote, 0 answers, 154 views
Would Indistinguishability obfuscation make Javascript cryptography viable?
I know Javascript Cryptography is considered harmful because:
Secure delivery of Javascript to browsers is a chicken-egg problem.
Browser Javascript is hostile to cryptography.
The "view-source...
0 votes, 2 answers, 409 views
DataURL Browser Cache Security Implications
What are the security implications that come with loading an image in dataURL format <img src="dataURL" />?
After signing into my website the browser loads an image in dataURL format ...
24 votes, 3 answers, 2k views
Solution to the ‘Browser Crypto Chicken-and-Egg Problem’?
From time to time, questions come up in this board concerning web applications that utilize client-side cryptography (or ‘in-browser’ cryptography), where these applications claim to be designed in ...
2 votes, 1 answer, 598 views
Is javascript fingerprinting becoming obsolete?
Okta recently sent out an email to admins about changes to their new device detection strategy. According to them:
Due to browser advancements in anonymous web browsing, JavaScript fingerprinting ...
1 vote, 0 answers, 628 views
Are web worker / service worker secure environments to store a password, credit card information, access tokens?
If there is a case where I wish to store sensitive data like a password, credit card information, or access tokens:
Are web workers / service workers a secure environment, where such data can not be ...
2 votes, 1 answer, 208 views
Is it possible to implement a Web Cryptography API custom provider?
I'm reading some basic info about Web Cryptography API and I'm wondering if it is possible to implement some crypto provider (C/C++ library or something) with some extra algorithms or if it is mandatory to use ...
2 votes, 2 answers, 521 views
Using NoScript - what approach to use with randomly named CDN scripts?
I ran across this on namecheap.com. This question isn't about namecheap.com itself, which I have no problem trusting. Rather, what approach do you recommend in dealing with CDN scripts that have ...
0 votes, 2 answers, 324 views
Why not sandbox websites instead of using Same-Origin-Policy?
Why do Browsers implement a Same-Origin-Policy (SOP) to prevent open websites in the browser from executing scripts that may access / modify data of other open websites in the used browser?
Another ...
0 votes, 1 answer, 178 views
Why is JavaScript executed manually from the browser console not allowed to access everything?
Why is JavaScript executed manually from the browser console not allowed to access "everything"? Especially the "visited" status (see this question) of links? What kind of security threat would that ...
2 votes, 1 answer, 2k views
Can somebody explain why the IP address 192.168.1.1 is apparently "special" and not following the CORS rules?
I asked this question: What would happen if some random webpage made an Ajax request for http://127.0.0.1/private.txt?
The answers/comments confuse me. Am I right in interpreting them like this?
"...
2 votes, 1 answer, 524 views
Browser copy function overridden silently, is this a security risk?
I came across a site which overrides copy functionality and injects the current page URL as the paste value. I was trying to select a couple of words and instead it copied the page link. Simple developer tools ...
0 votes, 2 answers, 315 views
Can JavaScript from different origins communicate securely
I want to know if there is a way for JS from one Origin to delegate a task to JS from another origin in a secure way.
The use case is to have a JS Agent from the users' home origin use the ...
11 votes, 5 answers, 6k views
Running code generated in realtime in JavaScript with eval()
Consider a front-end JavaScript application where menu items needed to be shown or hidden based on somewhat simple logic (roles that user has and some other logical state).
A simple language was ...
1 vote, 1 answer, 3k views
How can Instagram cause Chrome to attempt to login and show me my username when I'm using incognito mode?
When I reach Instagram user pages while in Incognito mode, Chrome pops up a window with my non-incognito username asking whether or not to sign in. See screenshot below. Although I assume Chrome ...
-2 votes, 1 answer, 995 views
Inspect Element Prevention?
I was just actually wondering if there is a permanent way of preventing or disabling inspect element on client-side?
Assuming with inspect element you could change values in hidden forms as well as ...
1 vote, 1 answer, 2k views
How to hide my platform from a browser to keep my privacy? [duplicate]
I just visited https://amiunique.org/fp in order to try to understand what makes a web page realize what platform it is running on, aside from User-Agent request header.
So I learned about window....
2 votes, 1 answer, 556 views
Is it safe to let the user name an object key in JavaScript?
Recently I found a piece of code that takes input from the URL. The input then gets saved into a JavaScript object:
https://website.com/?foo=bar
var x = {"foo": "bar"};
While the value doesn't ...
2 votes, 0 answers, 434 views
Persistent HTML form data across sessions
I'm currently testing an application which appears to have a somewhat persistent HTML form data storage, yet I don't understand how.
UserA logs in
Fills form with custom data
Logs out before sending ...
0 votes, 1 answer, 4k views
Random Chrome Notifications and Strange Source Code
My elderly parents are receiving chrome notifications from a strange URL on their iMac:
(https://s1.snc.com.ru:443)
Example Messages
• Pending Payment: Paypal Has Sent You $65,900
• Clean your mac....
3 votes, 0 answers, 455 views
Sandboxing untrusted JavaScript execution by redeclaring variables
Some irrelevant background (read only if you want to say "no, just use an iframe")
Scenario
Suppose that I downloaded a string jsCode containing arbitrary JavaScript code from a (potentially ...