All Questions
20 questions
0 votes, 2 answers, 174 views
Is there a way to exploit / make an exploit scenario for header-based reflected XSS?
I've found a reflected XSS, but the problem is that the attack vector is the header (any header). Is there a way to develop an exploit scenario based on this?
1 vote, 1 answer, 358 views
Blocking reflected XSS on common web servers
How is it possible to block reflected XSS on common web servers, such as IIS, Apache HTTP Server and Nginx?
The Content-Security-Policy: reflected-xss filter doesn't work on latest Chrome and X-XSS-...
1 vote, 1 answer, 166 views
Getting an abnormal amount of firewall warnings on web server
I just had a look at the firewall status and saw it had blocked over 300 requests from TOR, Python Urllib, and some script called aabbccdd.xss.ht/pigeonburger.xyz (pigeonburger.xyz being my website).
...
1 vote, 1 answer, 2k views
There seems to have been an attempt to attack my website [duplicate]
I am using PHP as a server side language. And I don't use CMS or Framework. From the nginx log the website attack seems obvious.
I wonder what kind of attack the attacker attempted.
The attacker ...
0 votes, 1 answer, 241 views
When should you give up on attempting an XSS on part of a website? [closed]
I'm wondering when do you give up on some type of user input to exploit? What are the things that go through your head and that you check off, that makes you think that the input is properly sanitized?...
2 votes, 2 answers, 851 views
Can a hacker delete my server files and database when I am using the function below?
I want to know how to protect my website from hackers. I am a php-mysql developer. For fetching data from databases I always use MySQLi. For preventing my website from SQL injection, I always use PHP'...
2 votes, 0 answers, 278 views
Protect website against attacks with iframe for user generated javascript?
I'm creating a small playground for people to write and test out their JavaScript on my website. I know websites like jsfiddle already exist but it's just for fun and for the sake of trying something ...
2 votes, 1 answer, 2k views
AngularJS Sanitize function vs. server-side output encoding
I mainly audit web applications and provide the companies with security countermeasures and recommendations. Currently, I have an issue with giving a correct recommendation when it comes to AngularJS ...
0 votes, 4 answers, 234 views
Security risks other than those [closed]
I'm working on ASP.NET core MVC website, and I don't know if I'm missing any security risks that I need to watch out for (other than logical ones)
Here is a list of what I've studied and what I've ...
1 vote, 1 answer, 596 views
Executing XSS on .jsp page by escaping string and with raw bytecode?
Assume that a Java (.jsp) page takes a form input as a string, the server does nothing to sanitize it, and then echoes it back to the user.
How would an attacker escape the string to execute ...
0 votes, 2 answers, 3k views
How to detect XSS in GET requests?
How to detect XSS in HTTP/1.1 GET requests? A request can be malicious and I want to know how to detect if the GET request to a server is trying to XSS my website?
6 votes, 1 answer, 288 views
JS snippets on my live project do not appear in my code residing on my production server
I have a Django website project that is live (let's call it example.com). It's a forum where users can submit comments and reply to them. It has a Postgresql database, and gunicorn + nginx reverse ...
0 votes, 1 answer, 602 views
Can someone tell me whether this is Cross-site scripting attack or normal log entry?
Can someone shed light on these logs?
GET /list25/ADMN/Eligibility/EligibilityResponse.aspx _TSM_HiddenField_=ctl00_ScriptManager1_HiddenField&_TSM_CombinedScripts_=%3b%3bAjaxControlToolkit%...
2 votes, 0 answers, 1k views
How to validate Excel data to protect against XSS?
My application is dynamically constructing a source URL and then writing the resource file (Excel) directly to the response. The URL is read from a properties file, based on the application ...
4 votes, 1 answer, 731 views
Possible issues when one or more cookie not HttpOnly
I have a question related to HttpOnly cookie. Tracking other threads wasn't of much help, hence I am posting my query here to learn if you can foresee any issues with my understanding.
There is a ...
2 votes, 3 answers, 485 views
Beyond SQL injections and XSS
I'm a programmer working on a web service (by myself). Given the fact that I am not a security expert, I came to this website to ask my question.
I did all the major things to secure my website. I ...
0 votes, 0 answers, 234 views
Securing my API: concept of access tokens
First of all I want to apologise for the bad spelling and grammar. English is not my mother tongue.
I have built a JSON communication between a front-end (website) and my Node.js web server. I want to ...
3 votes, 1 answer, 1k views
Possible to detect and log CORS and preflight requests in IIS?
I'd like to track and understand if CORS/cross site requests are hitting my website, and if they are succeeding or failing.
My goal is to understand if clients are following our documentation ...
2 votes, 1 answer, 1k views
How to do security configuration for IBM HTTP Server?
We are using IBM HTTP Server Version 7.0.
I need help related to Cross Site Scripting prevention in IBM HTTP Server.
Cross Site Scripting Prevention in Sun Java System Web Server 7.0 mentioned in ...
22 votes, 1 answer, 7k views
Does the practice of blocking off-site "Referer:" HTTP requests improve website security?
Is there any benefit for a security-paranoid website to disallow HTTP requests that have a Referer: from 3rd party sites?
The pitch is that if such a HTTP request were to come in, then certain XSS ...