Unanswered Questions

163 questions with no upvoted or accepted answers
5 votes | 1 answer | 378 views

XSS security concerns from untrusted parent domains

There's lots of discussion about protecting content on example.com from user controlled content on subdomain.example.com (e.g. Github pages). What are the risks the other way around? If my content is ...
5 votes | 1 answer | 563 views

What's the worst security issue that can happen by using eval() in Android WebView?

I've come across a hybrid Android app - meaning most of its UI is implemented in a WebView using HTML and JavaScript technologies. The app itself is connecting to the server and one of the possible ...
4 votes | 0 answers | 102 views

XSS with failing method in the injected DOM within onclick

If I have a DOM XSS such as <button type="button" data-dismiss="modal" onclick="Register.search('{INJECTION_PAYLOAD}');"> Search </button> where I could ...
4 votes | 0 answers | 1k views

In memory local variables (javascript), OAuth token storage, and XSS

Quoting from a long-dead Auth0 forum post: https://community.auth0.com/t/why-is-storing-tokens-in-memory-recommended/17742 "Any values stored in memory are still vulnerable to XSS attacks since ...
4 votes | 0 answers | 1k views

XSS and CSRF Protection in a SPA with session cookies and auth in sub-domain (confused)

The problem is, that the more I read about XSS and CSRF and the protection against these attacks for my website, the more I get confused what would be the right strategy. Setup: SPA (Reactjs and ...
4 votes | 0 answers | 167 views

What are commonly used security practices when writing a hybrid mobile app with a framework like Ionic 2?

I'm new to hybrid app development and web development in general. Are there common coding practices/techniques I can use to ensure that I write code which does not put the end user at risk of ...
4 votes | 0 answers | 2k views

Is it safe to use DOMParser to parse client side XML files?

Some JavaScript frameworks or libraries use the DOMParser API to parse XML files from the client. Is it safe to do this? Malicious code can easily be embedded into the XML file (in either the ...
4 votes | 0 answers | 456 views

How to indicate that content in an iframe is untrusted

As part of a website I am developing, untrusted content is displayed in a sandboxed iframe. The content is loaded using the srcdoc attribute, but the iframe is sandboxed using sandbox="allow-scripts", ...
3 votes | 0 answers | 323 views

CSP for iFrame without any src attribute

I am looking for recommendations on how to implement our CSP policy. We have an Angular SPA application, that has an iframe without any src attribute. We populate the content of the iframe dynamically ...
3 votes | 2 answers | 535 views

Securing a Node.js REST API for React.js webapp as well as a standalone API

I'm trying to create a secure method of authentication for my Node.js REST API that will work both for direct API requests as well as from my React.js web application. I've done some reading on how to ...
3 votes | 0 answers | 485 views

Sandboxing untrusted JavaScript execution by redeclaring variables

Some irrelevant background (read only if you want to say "no, just use an iframe") Scenario Suppose that I downloaded a string jsCode containing arbitrary JavaScript code from a (potentially ...
3 votes | 2 answers | 1k views

Using SessionStorage for Some User Info

I have an application that currently keeps a few properties from a user's profile in session storage for the app to use when necessary. We don't keep sensitive data like username or password or ssn in ...
3 votes | 0 answers | 3k views

How can Web Crypto API and IndexedDB protect data stored on the client side against user manipulation?

Imagine web apps that are supposed to work with no or only a few interactions with the web server, for example: a browser game in which the player's level and progress are to be saved locally. a game, ...
3 votes | 1 answer | 6k views

Security risks with setDomStorageEnabled(true) in Android?

What are the security risks associated with enabling setDomStorageEnabled(true) method? Reference.
3 votes | 0 answers | 681 views

How to remember the trusted machine in an application

We need to remember trusted devices in our application. I have done some R&D for this and found out that Facebook achieves this using cookies. But, if I see Google, they don't use cookies, I guess....