Hacker News with Generative AI: Web Security

AI Data Poisoning (schneier.com)
Cloudflare has a new feature—available to free users as well—that uses AI to generate random pages to feed to AI web crawlers:
Artificial Intelligence, Security, Web Security, Cloudflare
7 points by pongogogo 7 days ago | 1 comments
Next.js and the corrupt middleware: the authorizing artifact (zhero-web-sec.github.io)
Recently, Yasser Allam, known by the pseudonym inzo_, and I, decided to team up for some research. We discussed potential targets and chose to begin by focusing on Next.js (130K stars on github, currently downloaded + 9,4 million times per week), a framework I know quite well and with which I already have fond memories, as evidenced by my previous work. Therefore, the “we” throughout this paper will naturally refer to the two of us.
Web Security, Next.js, Research
94 points by ash 11 days ago | 36 comments
Cloudflare builds AI to lead AI scraper bots into horrible maze of junk content (theregister.com)
Cloudflare has created a bot-busting AI to make life hell for AI crawlers.
Artificial Intelligence, Web Security, Bots
21 points by gpi 13 days ago | 7 comments
Privacy and the :visited selector (mozilla.org)
Before about 2010, the CSS :visited selector allowed websites to uncover a user's browsing history and figure out what sites the user had visited. This was done through window.getComputedStyle and other techniques. This process was quick to execute, and made it possible not only to determine where the user had been on the web, but could also be used to guess a lot of information about the user's identity.
Privacy, Web Security, CSS, Browsing History
14 points by s4i 22 days ago | 0 comments
Why do we have both CSRF protection and CORS? (smagin.fyi)
Hello, Internet. I thought about cross-site requests and realised we have both CSRF protection and CORS and it doesn’t make sense from the first glance. It does generally, but I need a thousand words to make it so.
Web Security
264 points by smagin 31 days ago | 132 comments
Certificate Transparency in Firefox (transparency.dev)
Certificate Transparency (CT) has been one of the biggest advancements in web security, keeping users safe from threats such as certificate fraud and man-in-the-middle attacks. While CT has been around for over 11 years, enforcement has varied across browsers.
Web Security, Browsers, Certificate Transparency
184 points by tracymiranda 36 days ago | 111 comments
OWASP Non-Human Identities Top 10 (owasp.org)
We're thrilled to introduce the OWASP Non-Human Identities Top 10 for 2025!
Cybersecurity, Web Security, OWASP, Non-Human Identities
157 points by raskelll 58 days ago | 33 comments
Caddy module to block IPs and prevent AIs from training on your website (github.com/JasonLovesDoggo)
The Caddy Defender plugin is a middleware for Caddy that allows you to block or manipulate requests based on the client's IP address. It is particularly useful for preventing unwanted traffic or polluting AI training data by returning garbage responses.
Web Security, AI, Web Development, Caddy
6 points by thunderbong 69 days ago | 1 comments
DoubleClickjacking: A New type of web hacking technique (paulosyibelo.com)
“Clickjacking” attacks have been around for over a decade, enabling malicious websites to trick users into clicking hidden or disguised buttons they never intended to click.
Web Security, Hacking, Cybersecurity
237 points by shinzub 79 days ago | 100 comments
Magic Links Have Rough Edges, but Passkeys Can Smooth Them Over (rmondello.com)
Independent media venture 404 Media recently published a post titled, “We Don’t Want Your Password”. The piece is a cogent explanation of the problems with password-based accounts online followed by a defense of the website’s login strategy, magic links, in the face of feedback about them being inconvenient and difficult to use.
Web Security, User Experience, Passwords, Authentication, Magic Links
50 points by mooreds 87 days ago | 57 comments
SHA-256, ECDH, Ecdsa and RSA Not Approved by ASD in Australia for 2030 (medium.com)
I am a bit shocked … SHA-256, RSA, ECDSA and ECDH will not be approved for use in Australia by 2030. Basically, these four methods are used for virtually every Web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent. The removal of SHA-256 definitely goes against current recommendations.
Cryptography, Security, Australia, Web Security, Standards
10 points by gnabgib 106 days ago | 2 comments
Manifest V3 fails to prevent data theft and malware exploitation (techradar.com)
Web Security, Browser Extensions, Software Security, Malware
14 points by josephcsible 143 days ago | 0 comments
Web Locks API (mozilla.org)
The Web Locks API allows scripts running in one tab or worker to asynchronously acquire a lock, hold it while work is performed, then release it. While held, no other script executing in the same origin can acquire the same lock, which allows a web app running in multiple tabs or workers to coordinate work and the use of resources.
Web Development, APIs, JavaScript, Web Security, Browser Features
218 points by mooreds 143 days ago | 104 comments
Ancient Monkey: Pwning a 17-Year-Old Version of SpiderMonkey (pspaul.de)
Last year, @swapgs and I found a fun bug in the popular enterprise VPN solution Zscaler.
Security, Web Security, Vulnerabilities
93 points by todsacerdoti 155 days ago | 6 comments
Show HN: KyberLock – Crystals-Kyber Post-Quantum Cryptography in the Browser (kyberlock.com)
Cryptography, Web Security, Post-Quantum Cryptography, JavaScript
3 points by leonardoeloy 166 days ago | 0 comments
New passkey specifications will let users import and export them (9to5mac.com)
Passkeys were introduced two years ago, and they replace traditional passwords with more secure authentication using a security key or biometrics. To make the technology even better, the FIDO Alliance published on Monday new specifications for passkeys, which ensure a way to let users import and export them.
Security, Passwords, Authentication, Web Security
5 points by alwillis 170 days ago | 2 comments
Coming soon: Securely import and export passkeys (1password.com)
Passkeys are superior to passwords in almost every way. They’re simpler to use because there’s nothing to memorize, type out, or paste in. They’re also always strong and come with multi-factor authentication built right in. In short, passkeys are awesome.
Security, Passwords, Authentication, Web Security
8 points by samcat116 170 days ago | 0 comments
CS 253 Web Security (web.stanford.edu)
This course is a comprehensive overview of web security. The goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers to improve their understanding of web security issues.
Web Security, Computer Science, Education
58 points by udev4096 172 days ago | 0 comments
How to Hack the Breakthrough Prize (Ft. Session Confusion) (varun.ch)
In 2023, I discovered a critical vulnerability in the Breakthrough Challenge website. After over one year since it was patched, I am disclosing the bug for the sake of transparency. I believe this class of vulnerability, which I am introducing as 'Session Confusion', is often overlooked.
Security, Web Security, Bug Bounty, Transparency
29 points by varun_ch 189 days ago | 8 comments
htmx Web Security Basics (htmx.org)
As htmx has gotten more popular, it’s reached communities who have never written server-generated HTML before.
Web Security, htmx, HTML
95 points by indigodaddy 206 days ago | 22 comments
Securing Your Downloads: An In-Depth Look at Mark of the Web (MOTW) (medium.com)
Security, Software, Internet, Web Security
6 points by rolph 240 days ago | 0 comments
Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks (krebsonsecurity.com)
Security, Cybersecurity, Web Security, Domains, Squarespace
180 points by todsacerdoti 261 days ago | 104 comments
MDN tool that tells you of security gaps in your website (mozilla.org)
Web Security, Security Tools, Mozilla, Web Development
56 points by lilouartz 272 days ago | 11 comments
Many website admins have yet to get memo to remove Polyfillio links (arstechnica.com)
Web Security, JavaScript, Website Development
6 points by kurthr 273 days ago | 0 comments
OWASP Juice Shop: Hacking a Modern Web Application (javascripttoday.com)
Web Security, OWASP, Application Security, JavaScript
101 points by whatamidoingyo 285 days ago | 17 comments
How New Headless Chrome and the CDP Signal Are Impacting Bot Detection (datadome.co)
Web Security, Bot Detection, Chrome, Headless Browsing
23 points by avastel 293 days ago | 2 comments
Response Filter Denial of Service: shut down a website by triggering WAF rule (sicuranext.com)
Cybersecurity, Web Security
95 points by albinowax_ 317 days ago | 26 comments
Plain Text Offenders (plaintextoffenders.com)
Security, Web Security
14 points by EndXA 330 days ago | 8 comments
Common Google XSS (matan-h.com)
Web Security, Google
159 points by matan-h 331 days ago | 16 comments