Questions tagged [web-application]
An application that is accessed over a network such as the Internet or an intranet using a browser.
3,428 questions
-1 votes, 1 answer, 41 views
(Web App Hardening) Modern Laravel Car Rental Application Security Advice for CRUD Structure of Sensitive Documents [closed]
I am finalizing the security architecture for a new Laravel car rental platform that must store highly sensitive personally identifiable information (PII), specifically driver's licenses.
My primary ...
2 votes, 2 answers, 215 views
How to prevent JavaScript in a single webapp from communicating with outside servers
I want to use a certain JavaScript webapp running in a browser and be certain it doesn't send data outside.
I self host this webapp on my own server and connect to it via my PC browser. So I can edit ...
0 votes, 0 answers, 57 views
Issues DAST Scanning Blazor Web Application
I am trying to use a DAST tool to scan a Blazor web app front end but am currently having no luck acquiring reliable results. Googling around, it seems Blazor's use of BlazorPack makes this a hard ask ...
1 vote, 0 answers, 127 views
HTTP headers needed for cross-origin communication with postMessage()/onmessage
I'm experimenting with Direct Sockets TCPServerSocket, TCPSocket, and UDPSocket in an Isolated Web App (IWA) on Chromium browser.
The maintainers are trying to uphold the claim that a window can ...
1 vote, 1 answer, 204 views
How do you handle MFA during pentests?
Trying to test behind login pages with MFA or SSO is always a pain. Do you guys request bypass creds or use token capture? Curious what tools or workflows have worked best for you.
0 votes, 2 answers, 229 views
Best implementation or methods/practices for making a "Secure As Possible" remember me cookie?
I've been researching the best ways and practices for handling remember-me cookies for my website's users so that they have active sessions and stay logged in for 30 days.
These articles here for ...
2 votes, 1 answer, 93 views
Is it best practice to expose tenant login configurations via a public GET endpoint for Auth0?
I was recently checking out a company that provides financial dashboards, and I noticed something curious about their login process.
When visiting their login page, the browser makes a GET request to ...
0 votes, 1 answer, 103 views
Is this an effective scheme to store EEE key on browser client?
Application
For the application, I have a user-password-encrypted private key, which is basically the root key stored on servers.
The user is prompted for a password when he logs in, and it decrypts the private ...
1 vote, 0 answers, 83 views
Using a browser extension to allow a webapp to extract user cookies for a third-party website [closed]
I have written an app that uses a bespoke browser extension to extract my cookies for a third-party website so that the cookies can then be passed to Selenium running on a server, which allows Selenium ...
2 votes, 2 answers, 212 views
What is the problem with Deserialization?
BinaryFormatter has been removed from C# due to security concerns. In the migration guide it is written:
"Any deserializer, binary or text, that allows its input to carry information about the ...
15 votes, 2 answers, 5k views
Web application contains a link to a non-existing domain, is this a vulnerability?
I got a Dynamic Application Security Testing (DAST) scan that reports an issue on a web application.
It says "The web application contains a link to a non-existing domain" and it's marked ...
1 vote, 1 answer, 185 views
What's the deal with CISA adding CVE-2024-49035 (Microsoft Partner Center vulnerability) to its catalog of exploited vulnerabilities?
Two weeks ago (Feb 25, 2025), CISA added CVE-2024-49035 to its catalog of actively exploited vulnerabilities.
Now, the thing is: CVE-2024-49035 is not a "classic" vulnerability in a software ...
0 votes, 0 answers, 60 views
Standard to identify a security checklist for web applications/APIs
I am looking for a standard to refer to in order to write a security checklist that could be followed to proactively implement security at design level.
I went through the OWASP ASVS, it mentions some ...
2 votes, 1 answer, 741 views
How to protect web app against login CSRF while also allowing mobile app/curl to access REST API?
I am using Django REST framework.
I want a single API for all of my clients (web, mobile, curl).
I understand that I need to include a CSRF token in requests originating from the web client, to ...
4 votes, 1 answer, 853 views
Attack surface of a reverse proxy secured with mTLS?
Suppose that I have a reverse proxy such as Caddy or Traefik that requires a client certificate to authenticate via mTLS, globally across the reverse proxy.
What is the attack surface for services behind ...