/lynxchan/ - LynxChan

The best engine you will ever shitpost with.

LYNXCHAN IS UNSAFE Cat 02/17/2019 (Sun) 13:07:39 Id: 456c94 No. 724
Prevent XSS! Context Based Encoding
Cross Site Scripting (XSS) is one of the most common but ignored types of attacks. Since Node.js is implemented with JavaScript, there is a high risk of developers introducing XSS vulnerabilities in the code. Output encoding is one of the best ways to prevent XSS attacks. Most view engines such as Jade provide built-in encoding mechanisms. But the most important thing is that you should use the appropriate encoding based on the context. Following are some situations in which you should use context-specific encoding.

URL encode parameters which are appended as URL parameters. URL encoding can be done using the encodeURI() and encodeURIComponent() JavaScript built-in methods.
HTML encode parameters which are displayed in HTML. HTML encoding is provided by view engines such as Jade as well as frontend frameworks like AngularJS. You can also explicitly do it from the server side using the htmlencode npm module.
CSS encode parameters which are used in element styles.
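An added example, not from the post above and not LynxChan code: the three encoders the post names (URL parameter, HTML body, CSS value) written in plain Node.js with no view engine, then applied to one untrusted value placed in each context. The function names and the profile fragment are assumptions for illustration.

```javascript
// Added example: context-aware output encoding for the three contexts
// listed in the post. Runs on Node.js with no dependencies.

// HTML body context: escape the five characters that can change HTML structure.
function encodeForHTML(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// URL parameter context: encodeURIComponent escapes '&', '=', '?', '/' and
// similar, so the value cannot add or alter query parameters.
function encodeForURLParam(s) {
  return encodeURIComponent(String(s));
}

// CSS value context: keep only alphanumerics and write everything else as a
// CSS hex escape (\XX followed by a space terminator), so the value cannot
// close the declaration or smuggle in url()/expression() constructs.
function encodeForCSS(s) {
  return String(s).replace(/[^a-zA-Z0-9]/gu, (c) =>
    '\\' + c.codePointAt(0).toString(16) + ' ');
}

// Hypothetical fragment that places one untrusted value in all three
// contexts; each placement uses the encoder matching its context.
function renderProfile(name) {
  return [
    `<a href="/user?name=${encodeForURLParam(name)}">`,
    `<span style="font-family: ${encodeForCSS(name)}">`,
    `${encodeForHTML(name)}</span></a>`,
  ].join('');
}

// Constructed sample input mixing characters that matter in each context.
console.log(renderProfile("Bob <b>&</b>; 'x'"));
```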

sTEPHEN C LYNX Cat 02/17/2019 (Sun) 13:09:19 Id: 456c94 No. 725
LYNXCHAN IS UNSAFE Prevent CSRF (Cross Site Request Forgery) with Anti-Forgery Tokens
Cross Site Request Forgery (CSRF) allows an attacker to execute a certain function on the web application on behalf of yourself. To prevent these kinds of attacks, we can implement Anti-CSRF tokens so that the server can validate whether the request is coming from the intended sender. Anti-CSRF tokens are one-time tokens which are sent along with the user's request and used by the server to validate the authenticity of the request. Please refer to my previous blog post about what Anti-CSRF tokens are.

The Express.js framework is a web framework for Node.js which has in-built support for CSRF prevention. The following example shows how to initialize CSRF protection with Express.js and Node.js. When this protection is added, Express.js creates a secure token which is sent to the server via both the request body and cookies. These two tokens are validated by the server for forgery. If the server fails to validate these two tokens, the server returns a 403 Forbidden response to the client.

This mechanism prevents an attacker from sending requests to the server on behalf of yourself since the attacker has no access to the cookie for the domain in your browser. Even if he collects one token, he cannot replay it again since the token is one-time.

Cat Board owner 02/17/2019 (Sun) 14:04:36 Id: ddc83d No. 727
If you find a vulnerability related to that, just let me know.

Cat 02/17/2019 (Sun) 14:32:37 Id: a1d8b2 No. 728
>>727 Fuck off, faggot. You use an UN-SECURE node.js base, an UN-SECURE mongo db and then you pretend you do not know anything about the tons of vulnerabilities that are inherent to such shit code. To prove my point, lynxhub.com will get a little surprise soon. We are anonymous. Stephen Lynx is a faggot. We are legion. We do not forget. We do not forgive. Expect us.

Cat 02/17/2019 (Sun) 21:23:24 Id: 03898f No. 730
I found several vulns in lynxchan… it looks like they were coded in on purpose. That poster is right.

Cat 02/18/2019 (Mon) 18:22:27 Id: 931cf5 No. 731
>To prove my point, lynxhub.com will get a little surprise soon.
I'll be waiting.
