• Really typing Vue


      inb4: This is not another "setting up a new project with Vue and TypeScript" tutorial. Let's do a deep dive into more complex topics!


      TypeScript is awesome. Vue is awesome. No doubt a lot of people try to bundle them together. But, for various reasons, it is hard to really type your Vue app. Let's find out what the problems are and what can be done to solve them (or at least minimize their impact).

    • Top 10 JavaScript Hacks for Optimized Performance

      JavaScript has been ruling the tech arena for more than two decades and helping developers simplify complex tasks. It allows developers to implement complex web pages in the most simplified manner. For most developers, a minified JavaScript file is a common phenomenon, while very few developers may be aware of optimized JavaScript code. While meeting many JavaScript developers, I have come to know that optimized JavaScript code is something that confuses developers; some of them might be doing it, but they are not aware of it.


      What is Optimized JavaScript Code?


      Optimized JavaScript code is a combination of uniquely programmed logic and small hacks used to enhance performance and speed. Optimization not only improves performance and speed but also saves a great deal of development time. When you save time, you save some bucks as well.


      So, I am here with some useful and fruitful hacks to help developers optimize performance, enhance speed and save time. I hope you like the article and, after going through it, can make the best use of optimized JavaScript code.

    • Protocol for communication between iframe and the main window

      • Translation

      From time to time, developers need to establish communication between several browser tabs, so that they can send messages from one tab to another and receive responses. We have also faced this need at some point.


      Some solutions already exist (for instance, the BroadcastChannel API). However, its browser support leaves a lot to be desired, so we decided to write our own library. When the library was ready, that functionality was no longer required. Nevertheless, another task emerged: communication between an iframe and the main window.


      On closer examination, it turned out that two-thirds of the library would not have to be changed; only some code refactoring was necessary. The library is a communication PROTOCOL that works with text data. It can be applied in any case in which text is transferred, such as iframes, window.open, workers, browser tabs or WebSocket.


      How it works


      Currently, the protocol has two functions: sending messages and subscribing to events. Any message in the protocol is a data object. For us, the main field in that object is type, which tells us what kind of message it is. The type field is an enum with the following values:

    • Let's help QueryProvider deal with interpolated strings

      • Translation

      Specifics of QueryProvider


      QueryProvider can’t deal with this:


      var result = _context.Humans
                            .Select(x => $"Name: {x.Name}  Age: {x.Age}")
                            .Where(x => x != "")
                            .ToList();

      It can’t deal with any expression that uses an interpolated string, but it’ll easily deal with this:


      var result = _context.Humans
                            .Select(x => "Name " +  x.Name + " Age " + x.Age)
                            .Where(x => x != "")
                            .ToList();

      The most painful thing is fixing bugs after turning on ClientEvaluation (the exception for client-side evaluation), since all AutoMapper profiles must then be strictly analyzed for interpolation. Let’s find out what’s what and propose our solution to the problem.

    • Hack the JWT Token

      • Tutorial

      For Educational Purposes Only! Intended for Hackers and Penetration Testers.

      Issue


      The HS256 algorithm uses a shared secret key to both sign and verify each message. The RS256 algorithm uses the private key to sign the message and the public key to verify it.

      If you change the algorithm from RS256 to HS256, the backend code uses the public key as the secret key and then applies the HS256 algorithm to verify the signature. Asymmetric cipher algorithm => symmetric cipher algorithm.

      Because the public key can sometimes be obtained by the attacker, the attacker can modify the algorithm in the header to HS256 and then use the RSA public key to sign the data.
      The backend code then uses the RSA public key + HS256 algorithm for signature verification.

      Example


      The vulnerability appears when the token verification code looks like this:

      const jwt = require('jsonwebtoken');
      const decoded = jwt.verify(
         token,
         publicRSAKey,                                  // the RSA public key, used for both algorithms
         { algorithms: ['HS256', 'RS256'] }             // both algorithms accepted: the vulnerable setting
      )

      Let's assume we have the initial token presented below; " => " marks the modification an attacker can make:

      // header
      {
        alg: 'RS256'                         =>  'HS256'
      }
      // payload
      {
        sub: '123',
        name: 'Oleh Khomiak',
        admin: 'false'                       =>  'true'
      }

      The backend code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
    • The most common OAuth 2.0 Hacks

        OAuth 2 overview


        This article assumes that readers are familiar with OAuth 2. However, a brief description of it is presented below.



        1. The application requests authorization from the user to access service resources. The application needs to provide the client ID, client secret, redirect URI and the required scopes.
        2. If the user authorizes the request, the application receives an authorization grant.
        3. The application requests an access token from the authorization server by presenting authentication of its own identity together with the authorization grant.
        4. If the application identity is authenticated and the authorization grant is valid, the authorization server issues the access token (and, if required, a refresh token) to the application. Authorization is complete.
        5. The application requests the resource from the resource server and presents the access token for authentication.
        6. If the access token is valid, the resource server serves the resource to the application.

        Here are the main pros and cons of OAuth 2.0:


        • OAuth 2.0 is easier to use and implement (compared to OAuth 1.0)
        • Widespread and continuing to grow
        • Short-lived tokens
        • Encapsulated tokens

        — No signature (relies solely on SSL/TLS), bearer tokens
        — No built-in security
        — Can be dangerous if used by inexperienced people
        — Too many compromises. The working group did not make clear decisions
        — Mobile integration (web views)
        — The OAuth 2.0 spec is not a protocol, it is rather a framework (RFC 6749)
