by ethanlew-is
762 days ago
A few others that jump out to me:

* 04-AntiForgeryToken would not provide any actual protection against CSRF (there are a few ways to do it, but all at minimum require 1) the token to be generated by the server and 2) a way for the server to compare against a known good value, either from its session DB or by "double-submitting" the token [0]).
* 18-SecureWebStorage encrypts the value without including an authentication tag, meaning it can likely be fully decrypted or modified by the user (look up a Vaudenay attack or try out https://cryptopals.com/ if you're curious there)

Those are the ones I have specific experience with and looked at first, so maybe the more frontend-oriented examples are better?

[0] https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Re...