NDevTK
NDevTK
Add references to the demos on https://xsinator.com/ - CSP Directive Leak in #132 - Max redirects and Fetch Redirect Leak in #133 - Payment API leak in #134 - POST...
Currently code from a embed has to be copy and pasted on to a safe origin for testing.
**https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/** It seems powerful since it allows for timing attacks even when theirs CSRF protection. And theirs limits that only affect one host allowing for better precision and tracking such...
Can be used to detect browser activity, Allows more ways to leak data from other origins. ```js let old; for(;;) { let start = performance.now(); let time = performance.now() -...
https://gohugo.io/content-management/multilingual I think this would allow for better accessibility. I can try to move the strings to a English toml file (not sure if wanted)
Security!
The following input tested on https://automattic.github.io/juice/ ```js audio{a" onerror=alert(document.domain)>":""} ``` Resulted in the valid XSS payload ```js ": '';"> ``` From what I can tell juiceDocument is not affected.
It seems currently this API exposes the contents of all website with just a attacker controlled navigation. I think if websites had the global screen recording state maybe via navigator.mediaDevices.isRecording...