Fix: A3 XSS Attack #300

Open: wants to merge 16 commits into base: master

Commits on Oct 24, 2023

  1. Fix: A1-1

    - Remove all eval functions used in converting the user inputs
    - Convert eval to parseInt
    maytlead committed Oct 24, 2023 (876c1e7)
  2. Fix: A1-2

    - Remove direct use of request data
    - Add the validation to request data
    maytlead committed Oct 24, 2023 (0661f8b)
  3. Fix: A1-3

    - Remove direct use of user input in logging
    - Log the encoded logging context
    maytlead committed Oct 24, 2023 (5b7e7db)
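The three A1 commits above are described only in outline. The following is an added example, not code from the maytlead repository or from this pull request, showing the shape those fixes usually take in a Node.js handler: an `eval`-based conversion beside a strict `parseInt` path, an allow-list validator for a request body, and encoding of user input before it reaches a log line. The field names, the limits, the regular expressions and the sample request are assumptions made for the example.

```javascript
// Added example, not code from the maytlead repository: it illustrates the
// three A1 fixes (eval -> parseInt, validating request data, encoding log
// context). Field names, limits and the sample request are assumptions.

// Before: the request field is evaluated as JavaScript. "2+2" gives 4, but any
// expression the client sends runs with the server's privileges.
function quantityViaEval(raw) {
  return eval(raw); // intentionally unsafe, kept only for contrast
}

// After: accept only a bounded ASCII decimal integer. parseInt alone is not a
// validator: parseInt("12abc", 10) === 12 and parseInt("", 10) is NaN, so the
// regex check comes first and the range check second.
const INT_RE = /^(0|[1-9][0-9]{0,8})$/;
function parseQuantity(raw) {
  if (typeof raw !== 'string' || !INT_RE.test(raw)) {
    return { ok: false, error: 'must be a decimal integer' };
  }
  const n = parseInt(raw, 10);
  if (n < 1 || n > 1000) return { ok: false, error: 'must be between 1 and 1000' };
  return { ok: true, value: n };
}

// Allow-list the fields of a request body instead of passing req.body through:
// anything not named here is dropped, and every named field is validated.
const SKU_RE = /^[A-Z0-9-]{3,20}$/;
function validateOrder(body) {
  const errors = [];
  const order = {};
  const q = parseQuantity(body && body.quantity);
  if (q.ok) order.quantity = q.value; else errors.push(`quantity: ${q.error}`);
  if (body && typeof body.sku === 'string' && SKU_RE.test(body.sku)) order.sku = body.sku;
  else errors.push('sku: must be 3 to 20 characters from A-Z, 0-9 and -');
  return errors.length ? { ok: false, errors } : { ok: true, order };
}

// Log-injection defence: every character outside printable ASCII (and the
// backslash used as the escape) is encoded, so a username containing "\n"
// cannot forge a second log line.
function encodeForLog(value) {
  return String(value).replace(/[^\x20-\x5b\x5d-\x7e]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}
function loginLogLine(username, outcome) {
  return `event=login user=${encodeForLog(username)} outcome=${encodeForLog(outcome)}`;
}

// Constructed sample request, as an attacker might send it: an expression in
// the numeric field and an extra field hoping to be copied into the record.
const sampleBody = { quantity: '2+2', sku: 'AB-12', role: 'admin' };
console.log(validateOrder(sampleBody));
console.log(loginLogLine('bob\nevent=login user=admin outcome=ok', 'failure'));
```

The contrast worth noticing is that `quantityViaEval('2+2')` returns 4 while `parseQuantity('2+2')` is rejected: a strict grammar for the field, not a friendlier parser, is what removes the injection surface. The log encoder is deliberately conservative; if the logging backend already writes structured JSON, its own string escaping does the same job.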

Commits on Oct 25, 2023

  1. Fix: A1-2

    - Change input type to number
    maytlead committed Oct 25, 2023 (b07c41f)
  2. Merge pull request #3 from maytlead/fix/A1-3

    Fix: A1-3
    maytlead authored Oct 25, 2023 (ae8ced0)
  3. Merge pull request #2 from maytlead/fix/A1-2

    Fix: A1-2
    maytlead authored Oct 25, 2023 (3fdf550)
  4. Merge pull request #1 from maytlead/fix/A1-1

    Fix: A1-1
    maytlead authored Oct 25, 2023 (374c1b5)
  5. Fix: A2-1 Session Management

    - Use hashed password for seeding the data
    - Before saving the password, hash it
    - Compare the password with the hash method
    maytlead committed Oct 25, 2023 (4fa0232)
  6. Fix: A2-2 Password Protection

    - Add password protection using length, complexity
    maytlead committed Oct 25, 2023 (a6c1f67)
  7. Fix: A2-1 Session Management

    - Regenerate the session whenever the user logs in
    maytlead committed Oct 25, 2023 (e92abcc)
  8. Fix: A2-2 Password Protection

    - Use identical error messages for both username and password to not expose
      what is wrong to the attacker
    maytlead committed Oct 25, 2023 (a1846fb)
  9. Merge pull request #4 from maytlead/fix/A2-1

    Fix: A2-1 Session Management
    maytlead authored Oct 25, 2023 (5b9e29f)
  10. Merge pull request #5 from maytlead/fix/A2-2

    Fix: A2-2 Password Protection
    maytlead authored Oct 25, 2023 (7bd085f)

Commits on Oct 26, 2023

  1. Fix: A3 XSS Attack

    - Make the cookie only accessible via HTTP to prevent XSS attacks
    maytlead committed Oct 26, 2023 (1a8d308)
  2. Fix: A3 XSS Attack

    - Run the server over HTTPS
    maytlead committed Oct 26, 2023 (2f68b18)
  3. Fix: A3 XSS

    - Enable autoescape for XSS
    maytlead committed Oct 26, 2023 (2600122)