Questions tagged [header]
129 questions
0 votes, 1 answer
Getting confused whether this response indicates a CORS vulnerability
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 12
Connection: close
Date: Tue, 25 Sep 2018 12:59:56 GMT
x-amzn-RequestId: xxxxxxxxxxx
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers:…
Asked by Dhananjay
0 votes, 1 answer
CSP header default-src: data:
I am testing CSP header implementation. The implemented header value is:
Content-Security-Policy: default-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
X-Content-Security-Policy: default-src…
Asked by user187205
0 votes, 1 answer
Check for insecure CORS settings with cURL
I'm trying to verify the CORS settings of a website using cURL. The following command should let me check whether the CORS settings can be considered as secure or if requests may be made across origins.
I'm performing a preflight check, but the same…
Asked by SaAtomic
0 votes, 1 answer
HTTP Security header implementation
Does anyone know if:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Content-Security-Policy
are for HTTP and:
Strict-Transport-Security
Public-Key-Pins
are for HTTPS?
What I mean is that if I have a blog which serves pages on HTTP…
Asked by Metahuman
0 votes, 1 answer
Host Injection Vulnerability Successful HTTP codes?
I am trying to exploit a Host Injection Vulnerability of a website.
If I change the host or add another host, what are all the HTTP response codes that will tell me about a successful HTML Host Injection Vulnerability?
I read a PoC…
Asked by ErrorrrDetector
0 votes, 1 answer
Why is calculating the checksum of an IP Datagram header and then encrypting it not appropriate to provide Data Origin Authentication?
So assuming Alice and Bob have agreed to use a particular symmetric cryptosystem and share an appropriate key, they want to achieve data origin authentication by computing the header checksum of an IP datagram and then encrypting it.
As far as I'm…
Asked by ellefc
0 votes, 1 answer
The sent Gmail was modified to another version; how to trace the record besides the header?
Recently, the emails I sent from Gmail were either modified or the documents got replaced with others.
When I communicated with Google, they only asked for the header but nothing else.
Also, when I see the devices in recent activities, I see a…
Asked by joe
-1 votes, 1 answer
CORS attack using authentication token
I found a website which is vulnerable to CORS (https://portswigger.net/web-security/cors).
GET /api/requestApiKey HTTP/1.1
Host: vulnerable-website.com
Origin: https://evil.com
AUTHENTICATION: eyssdsdsdsasa.....
And the server responds…
-2 votes, 2 answers
Is CSRF possible if I know the value of the authorization bearer token?
If I know the value of the bearer token of the victim, can I generate a GET CSRF page and set a custom Authorization: Bearer [token] header?
Asked by apex