Questions tagged [html]
HTML (HyperText Markup Language) is a language used to create web pages using tags inline with the content to indicate to browsers how to display that content, using the tags to interpret formatting, images, scripts and other content.
350 questions
3 votes, 1 answer, 162 views
Is there an official, or accepted, recommendation to turn off autocomplete for bank account details
Part of the WCAG recommendations for web accessibility involves using autocomplete attributes to make it easier to fill in forms: see here, and here.
However on multiple places I've seen people ...
2 votes, 1 answer, 400 views
XSS CTF - How to execute payload inside an HTML comment (blacklisted words & encoded characters)
I'm trying to solve a CTF challenge that requires me to obtain the admin cookie through XSS. Here's the situation:
-Main form: When I enter any input, it gets reflected in the page, but it is inserted ...
3 votes, 1 answer, 841 views
Is there a way to guarantee that a static HTTP page is unchanged from when it was last reviewed
I'm making a simple web service that (skipping other details) allows a user to upload a message that can be retrieved by another user but can be decrypted only with a certain key. The message is ...
9 votes, 5 answers, 5k views
Why don't we use HTML password input fields for usernames and 2FA codes in the front-end of web applications?
When entering a username and password on a web application I have always wondered why the username often equals personal email address (which is often known or easy to guess or find). A random ...
4 votes, 2 answers, 4k views
Why should an attacker perform a clickjacking attack when they can simulate the click with JavaScript?
What's the reason why an attacker should choose to perform a clickjacking attack?
If they create a malicious website, they could just perform the action automatically, they don't need to "trick...
0 votes, 1 answer, 104 views
Save password pop-up appears with encrypted password [closed]
I have a requirement for a web application that during login, while submitting the login form, the password should be transmitted as encrypted but also the password manager's save password pop-up should show ...
2 votes, 0 answers, 120 views
Trying to send a POST request using curl to a HTB machine
I'm trying to perform an SSRF attack on a Hack The Box machine (editorial.htb). I'm trying to send a POST request using curl with the command
curl --data "hckyou.txt" -X POST http://...
1 vote, 0 answers, 134 views
How to launch XSS code from an INPUT tag?
I have a website with the following code:
<input class="Header--search--form-input" name="search" value="" onfocus="alert(1)" autofocus="...
0 votes, 0 answers, 132 views
Tabnabbing, adblocking and web browser security
My question regards tabnabbing and how to block it. I will first describe my understanding of the subject, but I'm no expert, so this introduction is meant for you to correct me if applicable.
Here is ...
0 votes, 1 answer, 765 views
Bypassing CSP and implementing XSS attack
I am using Content Security Policy (CSP) rules in my code to defend against XSS attacks. Here are the CSP rules I have implemented using Helmet:
.use(
helmet.contentSecurityPolicy({
directives: {
...
0 votes, 1 answer, 2k views
Is it possible to disable or change sec-fetch-* HTTP headers?
I might have found a way to hijack an OAuth flow, but the source server is responding with 403 errors when the OAuth request is sent with a Sec-Fetch-Dest HTTP header.
Is there a way to alter or ...
2 votes, 1 answer, 983 views
Secure way to output encoding HTML for insert raw html via javascript
I want to be 100% secure, I create raw html this way:
const template = document.createElement('template')
template.innerHTML = html_raw
const cloned = template.content.cloneNode(true)
document....
21 votes, 6 answers, 17k views
Are Cyrillic characters a real threat?
I've seen people in security saying URLs with Cyrillic characters are dangerous. If you ever type such characters on a browser you'd see they break into crazy unrecognizable URLs that have nothing to ...
0 votes, 0 answers, 280 views
XSS Bypass Whitelist
I found an HTML injection on a markdown, although it seems odd as the user already can use HTML in the box.
So I tried to turn it to XSS but after a day with trial and error I concluded that the website ...
0 votes, 1 answer, 370 views
Obfuscated HTML [closed]
I'm looking at a potential phishing site and I see that some of the HTML is obfuscated. It's not Base64. All the links look like this:
<link
href="6bkaQeQe69e/st-...
