Tag Archive

Token Hijacking via PDF – Dawid Czagan

Published on July 20, 2020 By sanna

PDF files are everywhere, and they can be used to attack your web application. Imagine that an attacker prepares a malicious PDF file which steals sensitive data from a user. The PDF file is uploaded to the web application, the user opens this PDF file, and finally sensitive data is exfiltrated from the user’s browser. […]

Bypassing CSP via ajax.googleapis.com – Dawid Czagan

Published on July 7, 2020 By sanna

Content Security Policy (CSP) is the number one defensive technology in modern web applications. Many developers add ajax.googleapis.com to their CSP definitions, because they use libraries from this very popular CDN in their web applications. The problem is that allowing this domain completely bypasses the CSP, and obviously you don’t want that to happen. Since CSP should be […]