Questions tagged [owasp]
For questions about OWASP products or the practices of the organization. Do not use this tag just because the vulnerability you are asking about is included on the OWASP Top Ten list.
166 questions
0 votes, 1 answer, 82 views
Are all stateless authentication systems vulnerable to IDOR?
I have recently been introduced to the Insecure Direct Object Reference vulnerability (https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html) with ...
0 votes, 0 answers, 434 views
How to pentest Blazor Server apps?
I am trying to pentest a Blazor Server app, but it's very different from a traditional web app: the client communicates with the server via SignalR over WebSockets. The messages in the WebSockets are MessagePack ...
0 votes, 1 answer, 154 views
Double Submit Cookie Bypass
I am trying to work on an example for my class on how the double submit cookie pattern works and how attackers can bypass it.
The idea I have is that I have two domains, att.com and victim.com. The login functionality on ...
0 votes, 0 answers, 126 views
unsafe-hashes and alternatives
I need to run the following inline script to inject some Thymeleaf model variables into a JavaScript file of mine.
<script th:inline="javascript">
/*<![CDATA[*/
var ...
1 vote, 1 answer, 156 views
Verbose Headers/Information Leakage via HttpResponse Headers vs fingerprinting via named headers
I understand that a header like X-Powered-By can reveal details about the operating environment that can be used to find known vulnerabilities because you often get the language and compiler/...
0 votes, 1 answer, 392 views
Compatibility of ModSecurity Core Rule Set 4
The OWASP Core Rule Set has many versions; the latest is version 4.0 (release candidate), but I cannot find any indication about compatibility with the various ModSecurity releases.
Could these be used with ...
2 votes, 1 answer, 279 views
Benefits of certificate pinning to leaf with intermediate as a backup?
According to the OWASP Cheat Sheet on Certificate Pinning, their recommendation is to pin to the leaf certificate, but also pin to the intermediate CA as a backup.
Any security measure is only as good ...
1 vote, 2 answers, 671 views
ModSecurity / CRS: Need custom rule to deal with false positive (user-inserted HTML formatted listings)
ModSecurity 3.0.8
ModSecurity-Nginx 1.0.3
CRS 4.0.0-rc1
I have a marketplace where sellers can list anything for sale. On the "item description" section, we allow users to copy and paste ...
0 votes, 2 answers, 2k views
Execution error - PCRE limits exceeded
I have a problem when implementing ModSecurity and CRS. Here is the issue; I hope someone can give us some guidance on resolving it.
Apache version:
Server version: Apache/2.4.29 (Ubuntu) Server ...
1 vote, 1 answer, 125 views
Interpreting OWASP prohibition: no sensitive-account login to any frontend interface
OWASP’s Authentication Cheat Sheet states unequivocally:
Do NOT allow login with sensitive accounts (i.e. accounts that can be used internally within the solution such as to a back-end / middle-ware /...
0 votes, 1 answer, 209 views
Is using newsequentialid bad?
I found a project that uses T-SQL's newsequentialid() for one of their external ID columns which is used for public APIs.
When that column is added to an existing table, each row gets an incremented ...
2 votes, 0 answers, 78 views
Normative reference for a web application disclosing existing values of integration secrets to users
In a web-based SaaS product, one of the configuration pages allows users to set credentials for system-wide integrations with other products. These include usernames, passwords, and API secrets.
The ...
1 vote, 0 answers, 646 views
Azure WAF support for OData
I have noticed that some of the OWASP rules in Azure WAF are rejecting default OData filters such as $select, suspecting them to be SQL injection. How can you handle the nature of OData in Azure WAF?
1. ...
0 votes, 1 answer, 1k views
ModSecurity rule 941160 triggered by WordPress legacy-widget-preview
We have an issue with ModSecurity rule 941160 being triggered by the WordPress feature legacy-widget-preview because the request to upload an image file into the widget matches "<img src="...
0 votes, 1 answer, 1k views
CORS without Access-Control-Allow-Credentials [duplicate]
I'm testing a web application and Burp detected this issue:
Cross-origin resource sharing: arbitrary origin trusted
Looking at the response, I only see this header:
Access-Control-Allow-Origin: https:/...