/lynxchan/ - LynxChan

The best engine you will ever shitpost with.


LYNXCHAN IS UNSAFE Cat 02/17/2019 (Sun) 13:07:39 Id:456c94 No. 724
Prevent XSS! Context-Based Encoding
Cross Site Scripting (XSS) is one of the most common but ignored types of attacks. Since Node.js is implemented with JavaScript, there is a high risk of developers introducing XSS vulnerabilities in the code. Output encoding is one of the best ways to prevent XSS attacks. Most view engines such as Jade provide built-in encoding mechanisms. But the most important thing is that you should use the appropriate encoding based on the context. Following are some situations in which you should use context-specific encoding.

URL encode parameters which are appended as URL parameters. URL encoding can be done using the encodeURI() and encodeURIComponent() JavaScript built-in methods.
HTML encode parameters which are displayed in HTML. HTML encoding is provided by view engines such as Jade as well as frontend frameworks like AngularJS. You can also do it explicitly from the server side using the htmlencode npm module.
CSS encode parameters which are used in element styles.
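The context-based encoding the post above lists, worked through in plain Node.js as an added example (not code from the original post, from the blog it quotes, or from the LynxChan project). It goes slightly beyond the post: one encoder per context (HTML body, HTML attribute, URL parameter, CSS value, and a JavaScript string inside a script block), plus a renderer that shows a nested context (a CSS value inside a style attribute must be CSS-encoded and then attribute-encoded). The function names, the post fields (name, subject, message, color) and the sample payloads are assumptions made for illustration.

```javascript
// Added example, not from the original post or the LynxChan project.
// Names are hypothetical; the post shape (name, subject, message, color)
// is assumed for illustration.

// HTML body context: the characters that can break out of a text node.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

// HTML attribute context: encode everything but [A-Za-z0-9] as &#xHH;, so the
// value is safe even in an unquoted attribute.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => `&#x${c.codePointAt(0).toString(16)};`);
}

// URL parameter context: the built-in the post mentions.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// CSS value context: \HH escape with a trailing space so the following
// character is not read as more hex digits.
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, c => `\\${c.codePointAt(0).toString(16)} `);
}

// JavaScript string context inside a <script> block: JSON.stringify handles
// quotes and control characters; < > and U+2028/2029 still need escaping so
// the string cannot close the script element or break a JS literal.
function encodeForJs(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Renders one post, choosing the encoder by where each value lands.
// Nested context: a color in a style attribute is CSS inside an HTML
// attribute, so it is CSS-encoded first and attribute-encoded second.
function renderPost(post) {
  const searchUrl = '/search?subject=' + encodeForUrlParam(post.subject);
  return (
    `<article style="color:${encodeForHtmlAttribute(encodeForCss(post.color))}">` +
    `<a href="${encodeForHtmlAttribute(searchUrl)}">${encodeForHtml(post.name)}</a>` +
    `<p>${encodeForHtml(post.message)}</p>` +
    `<script>var subject = ${encodeForJs(post.subject)};</script>` +
    `</article>`
  );
}

// Constructed sample input with a payload aimed at each context.
const maliciousPost = {
  name: '<img src=x onerror=alert(1)>',
  subject: '</script><script>alert(2)</script>',
  message: '<script>alert(3)</script>',
  color: 'red;}body{display:none',
};
```

Calling renderPost(maliciousPost) yields markup with exactly one script element (the template's own) and no injected tag: every payload survives only as inert text. The usual mistake this guards against is applying HTML encoding to a value that ends up in a URL, a style, or a script, where `&lt;` means nothing and the real breakout characters for that context go through untouched.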

LYNXCHAN IS UNSAFE Prevent CSRF (Cross Site Request Forgery) with Anti-Forgery Tokens
Cross Site Request Forgery (CSRF) allows an attacker to execute a certain function on the web application on your behalf. To prevent these kinds of attacks, we can implement anti-CSRF tokens so that the server can validate whether the request is coming from the intended sender. Anti-CSRF tokens are one-time tokens which are sent along with the user's request and used by the server to validate the authenticity of the request. Please refer to my previous blog post about what anti-CSRF tokens are.

The Express.js framework is a web framework for Node.js which has built-in support for CSRF prevention. The following example shows how to initialize CSRF protection with Express.js and Node.js. When this protection is added, Express.js creates a secure token which is sent to the server via both the request body and cookies. These two tokens are validated by the server for forgery. If the server fails to validate these two tokens, it returns a 403 Forbidden response to the client.

This mechanism prevents an attacker from sending requests to the server on your behalf, since the attacker has no access to the cookie for the domain in your browser. Even if he collects one token, he cannot replay it, since the token is one-time.
If you find a vulnerability related to that, just let me know.
>>727 Fuck off, faggot. You use an UN-SECURE Node.js base, an UN-SECURE MongoDB and then you pretend you do not know anything about the tons of vulnerabilities that are inherent to such shit code. To prove my point, lynxhub.com will get a little surprise soon. We are anonymous. Stephen Lynx is a faggot. We are legion. We do not forget. We do not forgive. Expect us.
I found several vulns in lynxchan... it looks like they were coded in on purpose. That poster is right.
>To prove my point, lynxhub.com will get a little surprise soon.
I'll be waiting.
>>730
Why don't you post them on /g/?
>>759
Because it's all made up shit by some schizo. Why do you think I didn't give a fuck about it? I'm still waiting for his "surprise". It's been over a month, how long is "soon"?
>>728

*sniff*

do I smell a java developer?
You know, I'm starting to think you are talking to yourself at this point by pretending to be multiple people.
lynxchan is cool and all but the logo is kinda creepy, might put people off and prevent gaining more popularity
