appsec.fyi · Sources

stackoverflow.com

10 curated AppSec resources from stackoverflow.com across 8 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2025-08-14.

| Date Added | Resource | Topics | Excerpt |
|---|---|---|---|
| 2025-08-14 | oauth 2.0 - How does CSRF work without state parameter in OAuth2.0? - Stack | CSRF | Reference on CSRF vulnerabilities in OAuth 2.0, detailing an attack flow where an attacker intercepts a callback URL and tricks a logged-in user into visiting it. This exploit allows the attacker to gain unauthorized access to the victim's account on the service provider by exchanging the resulting authorization code for an access token. The discussion specifically questions the role of the state parameter in preventing such Cross-Site Request Forgery attacks within the OAuth 2.0 framework. |
| 2025-08-14 | ruby - Sinatra CSRF Authenticity tokens - Stack Overflow | CSRF | Library demonstrating CSRF authenticity tokens in the Sinatra web framework. This resource addresses how to implement CSRF protection, specifically noting Sinatra's use of Rack Protection. It provides guidance on generating or utilizing these tokens to secure user input forms within Sinatra applications. |
| 2025-08-14 | asp.net - Bypass XSS blacklist "", "&" input nvarchar - Stack Overflow | XSS | Library for bypassing XSS blacklists on ASP.NET applications. This resource details a scenario where a blacklisting approach fails to prevent Cross-Site Scripting, even when character inputs like `<`, `>`, and `&` are blocked. The vulnerability arises because the application stores user input in `nvarchar` fields and later outputs it as JavaScript variables. While the JavaScript encoding escapes characters within the string variables, it does not prevent XSS when these variables are rendered into the HTML. |
| 2024-11-29 | Python Twisted proxy - how to intercept packets | Burp, Python | Library for intercepting and modifying HTTP request and response bodies using Python's Twisted framework. Demonstrates a basic proxy setup using `twisted.web.proxy` and `twisted.internet.reactor`, enabling developers to inspect and alter data as it flows through the proxy. The provided code snippet serves as a starting point for building custom HTTP proxy functionality. |
| 2023-10-03 | Is XSS Attack via PDF Javascript Possible? | XSS | Analysis of PDF JavaScript execution in browsers, investigating its potential for XSS attacks. The entry addresses whether JavaScript embedded within PDF documents, like the example using `app.alert`, can access browser data such as cookies or perform redirects, and whether sandboxing mechanisms prevent such actions when PDFs are opened via a web browser. |
| 2023-05-21 | JWT (Json Web Token) Audience aud versus Client_Id - What's the difference? | AuthN, JWT | Reference explaining the JWT `aud` (Audience) claim, detailing its purpose in identifying intended recipients according to RFC 7519. It highlights that the `aud` claim is optional and application-specific, requiring recipients to validate whether their identifier is present in the claim's string or array values. The entry clarifies that `aud` differs from the OAuth Client ID and provides an example of using it to distinguish between access and refresh tokens. |
| 2021-12-06 | How to run BeEF behind an nginx reverse proxy with SSL correctly | Recon | Library for configuring BeEF behind an nginx reverse proxy with SSL, addressing "Blocked Mixed Active Content" errors. It details BeEF's `config.yaml` settings for `allow_reverse_proxy`, `public`, and `public_port`, along with nginx `proxy_pass` directives to correctly handle HTTPS requests and ensure BeEF hooks function on secure pages. |
| 2021-10-07 | What content-type's execute javascript in the browser? | XSS | Reference discussing JavaScript execution based on `Content-Type` headers in browsers. It highlights that while `text/html` is the standard, some browsers (specifically IE) may execute JavaScript in other types like `application/form-data` or `text/xhtml+xml`. The entry also notes that browser behavior can be influenced by file extensions (`.htm`, `.html`), overriding MIME type expectations, particularly to handle malformed server configurations. |
| 2021-02-28 | How to learn internals of the Go Programming Language? For noob - Stack Ove | | Reference for Go internals, focusing on understanding core concepts rather than specific implementation details that may change between releases. Emphasizes the "why" behind features like channels, explaining their synchronization and buffering capabilities, and their advantages over manual mutex use due to the `select` statement. It also covers goroutines, differentiating them from OS threads and highlighting benefits such as the integrated network poller and dynamic stacks. Key topics include slices, interfaces, string encoding, `[]byte` conversion, blocking I/O, and scheduler mechanics (P, G, M). |
| 2016-01-21 | python/scapy DNS sniffer and parser - Stack Overflow | Python | Library using Scapy to sniff and parse DNS traffic. The provided Python code demonstrates how to capture UDP packets on port 53, distinguishing between DNS queries (DNSQR) and responses (DNSRR), and extracting timestamp information. |