http://shivasurya.me/tags/waf/Recent content in Waf on ShivasuryaHugoen-usMon, 07 Dec 2020 00:00:00 +0000http://shivasurya.me/2020/12/07/leetcode-xss/Mon, 07 Dec 2020 00:00:00 +0000http://shivasurya.me/2020/12/07/leetcode-xss/<p>Reflected XSS (Cross-Site Scripting) attack is my favorite vulnerability category as it&rsquo;s relatively easy to exploit by checking for params as the source and rendering DOM as the sink.</p> <h3 id="problem">Problem</h3> <p>The core problem of the Reflected Cross-Site scripting attack is appending the URL parameter values in the DOM without validation or filtering. Though the reflected XSS requires user interaction by visiting the page or clicking on links in real-life attacks, people should think about Iframe tags that don&rsquo;t need any interaction to load them on other third party web pages.</p>http://shivasurya.me/2020/11/05/securing-express-server-part-1/Thu, 05 Nov 2020 00:00:00 +0000http://shivasurya.me/2020/11/05/securing-express-server-part-1/<p>As Javascript programming language popularity increases, platforms have already started adopting it from native desktop apps, mobile, browser to server-side, giving rise to exciting frameworks, style guides, tools.</p> <p>To JavaScript—you weren&rsquo;t born with a silver spoon in your mouth, but you&rsquo;ve outclassed every language that&rsquo;s challenged you in the browser.</p> <p>ExpressJS is not an exception that powers <a href="https://trends.builtwith.com/framework/Express">2.31% of the top 1 million websites</a> which runs on top of NodeJS and provides excellent features to develop web-based applications. So, let&rsquo;s jumpstart with a few basics, and this particular series will cover a lot more aspects of securing, maintaining and deploying production-grade expressjs server.</p>