Questions tagged [client-side-attacks]

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. (Source: Wiki)

56 questions
12
votes
1 answer

HTTP GET requests being made to my website for unknown .php files. Why and how to prevent this

I have an application deployed on a digital ocean droplet. About 1 day after deploying, my server crashed, the final logs look like this: GET /vehicle/tank/all/1 304 2.965 ms - - GET /vehicle/tank/all/1 304 2.582 ms - - GET /vehicle/tank/all/1 304…
mLoftus
9
votes
3 answers

Cross Site History Manipulation resolution

We have developed a new application, and before moving the changes we did a static scan of code using checkmarx. There is a medium level vulnerability that is found in the code named Cross Site History Manipulation. This is detected in the JSP page…
Tushar
5
votes
3 answers

Why should we include CSP headers in the HTTP response for an API?

OWASP recommends to use Content-Security-Policy: frame-ancestors 'none' in API responses in order to avoid drag-and-drop style clickjacking attacks. However, the CSP spec seems to indicate that after the HTML page is loaded any other CSP rules in…
5
votes
2 answers

Best practice for securing a client side call to an API endpoint

I'm building an application where I need to make a request in the client-side frontend app to an external API, and I'm at a bit of a loss for how to make this maximally secure so that only valid requests can be forwarded to this external API and not…
Intenex
5
votes
0 answers

Cross-site scripting (XSS) patterns can be submitted

Cross-site scripting (XSS) patterns can be submitted. [HttpPost] [AllowAnonymous] [ValidateInput(false)] public async Task Index(string Xml) => await Process(Xml); If I remove the ValidateInput(false) tag it throws an exception. "Potential…
5
votes
0 answers

Meteor Site Under attack. Help Using Sikka

My site is currently under attack. I created a users directory that automatically puts the last logged in people on top. Whoever loads the home page gets placed on top. I have one user (at least one that's logged in, not sure if there are more…
socialight
4
votes
1 answer

How to prevent "billion laughs" DoS attack in Python's xlrd?

The Billion Laughs DoS attack seems preventable by simply stopping entities in XML files from being expanded. Is there a way to do this in Python's xlrd library (i.e. a flag of some sort)? If not, is there a recommended way to avoid the attack?
Cisplatin
4
votes
1 answer

Should I keep all UUIDv4 generated oAuth2 Bearer Tokens in my database to prevent an attack?

I generate oauth2 access and refresh tokens and store them in my database. I generate these tokens using UUID v4 and remove the dashes. I used to delete the tokens after they expire but now I store all of them because I thought of something that…
programmerdave
3
votes
0 answers

localhost javascript bundle is trying to be injected into my website by a user. (Reported by Sentry, an error and performance tracking tool)

I can see in the Sentry report that, along with my vendors~main-6319dfea084cb55e85bf.js, main-6319dfea084cb55e85bf.js and other resource.scripts and resource.css files, I can see https://localhost:49506/7pp3ab609c5236b3bf34c2b621ac79ba.js script is being…
3
votes
0 answers

Logjam determine if site is vulnerable

Recently one more TLS attack was published: Logjam. The issue has a really clear description and demonstrated that sites that use 512 key size are vulnerable and it takes up to 10 mins to "decrypt client server keys exchanges". Based on the attack…
user1459144
3
votes
0 answers

How to slow down program execution

I have a simple executable binary. It takes as input a user supplied string and compares it with a private string using strcmp. How can I slow down the execution of this program such that I can launch a statistical timing attack on the string…
3
votes
3 answers

Client Cross Frame Scripting Attack resolution

We have developed a new application, and before moving the changes we did a static scan of code using checkmarx. There is a medium level vulnerability that is found in the code named Client Cross Frame Scripting Attack. This is detected at first line…
Tushar
2
votes
1 answer

How to trigger xss with html encoded xss attack vector inside script tags?

I am reading the OWASP XSS prevention cheat sheet and got stuck in understanding something: Why Can't I Just HTML Entity Encode Untrusted Data HTML entity encoding is okay for untrusted data that you put in the body of the HTML document, such as…
Razor Sharp
2
votes
1 answer

My ASP.NET Website is Attacked With SQL Injection

Hacker reached my database User list and other tables. First of all, I use parameterized command in all of the transactions by using command.Parameters.Add("@Parameter1", SqlDbType.NVarChar).Value All transactions are stored procedures. I am…
2
votes
0 answers

Google Maps potential quota abuse scenario

Let's say I have added a map on my website. How would I prevent a user from exhausting my quota by indefinitely refreshing the page to use up my quota and therefore increase my bill? I have tested this scenario by running a Selenium script and it seems…
Ang