The common name for the language used primarily for scripting in web browsers. It is not related to the Java language. Standardized as ECMAScript, its dialects/implementations include JavaScript and JScript.
3 votes, 2 answers, 113 views
Limiting latter DOM-based XSS when setting document.title
Given some JavaScript which modifies the page's title by taking in variable data
document.title = someVariable
I am looking to address DOM-based XSS while keeping the title fairly readable. ...
2 votes, 2 answers, 215 views
Attack using weird characters followed by some JavaScript in a URL?
I'm seeing a very weird attack this morning from a pile of VPS instances spread out across the US. The URLs look like this:
/js/bundles/,!0):this.element.propAttr(
...
4 votes, 1 answer, 151 views
Can source javascript files be infected from a developer's machine?
First, a little bit of background. About two weeks back, one of the developers on my team said they were seeing advertisement popups and links appearing all over the web app we were developing, when ...
2 votes, 1 answer, 99 views
How to trace source of clickjacking attack within a website using developer tools?
When surfing a popular WordPress website on my mobile, clicking on a link to an article within it would sometimes open a new window to a malicious website or launch the App Store. I am interested to ...
2 votes, 1 answer, 136 views
Safe to render data directly to DOM from localStorage? XSS attack possible?
I read that localStorage is susceptible to XSS attacks.
I currently store a JSON Web Token (JWT) in localStorage, and I access and display data about the user through localStorage:
var localstore = ...
0 votes, 1 answer, 42 views
Is it possible to get a Flash src after a redirect, or an element inside an embed/object/iframe tag (cross-domain)?
The URL example.com/auth will automatically redirect the user (HTTP 302) to example.com/signed_in.SWF?token=SENSITIVE.
Is it possible for an attacker to steal the token, using JavaScript or Flash, in ...
0 votes, 1 answer, 35 views
Can 3rd-party JavaScript libraries access the HTTP headers of the hosting HTML page?
So, I have a website; it uses a cookie stored in the HTTP header of the downloaded HTML document to maintain the session while the end user is logged on and accessing their 'secure' data. This webpage ...
0 votes, 1 answer, 267 views
Best practices to invalidate a JWT while changing passwords and logging out in Node.js?
I would like to know the best practices to invalidate a JWT without hitting the DB while changing password/logging out.
I have the idea below to handle the above 2 cases by hitting the user database.
1. In case of ...
2 votes, 0 answers, 33 views
Do any specific steps need to be taken into account for the user's browser and browser caching for a HIPAA-compliant web application?
I'm currently writing a web application that will need to be HIPAA-compliant.
It is very JavaScript heavy, and ePHI will be sent over an encrypted connection in the form of JSON. The transmission ...
2 votes, 0 answers, 54 views
How to indicate that content in an iframe is untrusted
As part of a website I am developing, untrusted content is displayed in a sandboxed iframe. The content is loaded using the srcdoc attribute, but the iframe is sandboxed using sandbox="allow-scripts", ...
2 votes, 0 answers, 77 views
Suspicious web-application requests containing an encoded JavaScript function(?)
I've been seeing some odd traffic in the logs for a web application (Apache) that I'm wondering about, and I'm hoping that someone here has seen this before.
The raw requests were variations of:
...
2 votes, 0 answers, 125 views
How does JavaScript Injection work?
I was watching a DEF CON talk and the speaker was saying he was able to infect JavaScript cache files once the user visited his website/server. From there he was able to load scripts from other sites ...
2 votes, 0 answers, 79 views
Securing a JavaScript app with RESTful backend
I went through the question "Securing a JavaScript Single Page App with RESTful backend", which has discussions/options around securing a JavaScript client-side app that invokes RESTful APIs.
However, ...
1 vote, 0 answers, 43 views
Can static analysis of JavaScript be done?
Is it possible to statistically analyze JavaScript to find obfuscated JavaScript? Any algorithms or equations with coefficients that can find obfuscated JavaScript?
1 vote, 0 answers, 73 views
ASP.NET WCF security, JavaScript and handling sensitive information
I've come upon what I would call some "nasty" JavaScript coding (I come from a KnockoutJS / Angular / Web API 'world') in which WCF services are exposed to JavaScript by production URLs, i.e. ...
1 vote, 0 answers, 149 views
XSS Vectors for new Image()
What are possible XSS vectors for this JavaScript code?
new Image().src = encodeURI('[user url here]');
Let's assume two cases:
[user url here] is some string provided by the user (with no validation)
...
1 vote, 0 answers, 112 views
Hacking attempts: in.js
A client of mine keeps getting hacked by what seems to be SQL injection, where a script tag containing a link to an "in.js" file is added. Sometimes from a domain called sportserve.co.uk, other times from ...
0 votes, 0 answers, 61 views
Injecting JavaScript in WebViews in Android
I am relatively new to mobile application security. Currently I am supposed to audit an Android application which uses a WebView to display some static FAQ page in an activity.
The WebView in ...
0 votes, 0 answers, 86 views
Problem in 'underscore.js' "new Function()" when CSP header is set.
In underscore.js, template rendering causes a violation of the 'unsafe-eval' property, with a CSP error at the following line:
"render = new Function(settings.variable || 'obj', '_', source);"
The solution ...
0 votes, 0 answers, 60 views
Securing a REST API with HMAC and an SPA
I'm developing a JS-based SPA and the backend is a REST API which uses HMAC. The site/app doesn't have the concept of registered users, but it has the concept of a session.
How do I make sure that the ...
0 votes, 0 answers, 90 views
Securing my API: concept of access tokens
First of all, I want to apologize for the bad spelling and grammar. English is not my mother tongue.
I have built a JSON communication between a front-end (website) and my Node.js web server. I want to ...