Technology and other pleasures
Welcome to this small corner of the internet where I collect all the articles and posts I have written over the years, along with a few new things.
All posts
Feb 6, 2023
Secure Your Secrets with Blackbox: A Guide to Using Blackbox in Your GitHub Actions Pipelines
Jan 22, 2023
The OpenSSF Scorecard is a great tool for evaluating the security of your project, and we plan to implement it in Node.js by 2023.
Nov 21, 2022
I co-authored the document. This document was created aiming to provide context on what will/will not be considered a vulnerability in Node.js, targeting Security Researchers, as well as serve as a guide for application security operations in support of development teams building on top of the Node.js platform.
Oct 27, 2022
I co-authored the guide. This guide intends to extend the current threat model and provide extensive guidelines on how to secure a Node.js application.
Apr 8, 2020
To be very clear: this header does not protect you from XSS attacks much. It protects against a very particular kind of XSS, and other mitigation measures are far better.
Apr 8, 2020
The attack focuses on user input, such as crafted URLs carrying a malicious payload.
Apr 8, 2020
Apr 8, 2020
The Referer HTTP header is typically set by web browsers to tell a server where it’s coming from. For example, if you click a link on example.com/index.html that takes you to wikipedia.org, Wikipedia’s servers will see Referer: example.com.
Apr 8, 2020
It's a technical attack that requires a deep understanding of JS internals like `__proto__`, `prototype`, deep/shallow copy...
Apr 8, 2020
Adobe Flash and Adobe Acrobat can load content from your domain even from other sites (in other words, cross-domain).
Apr 8, 2020
This attack is very specific to the Node.js ecosystem, and it was discovered in 2019 by Liran Tal.
Apr 8, 2020
By default, old versions of Internet Explorer will allow you to open those HTML files in the context of your site, which means that an untrusted HTML page could start doing bad things in the context of your pages.
Apr 8, 2020
Since we are not forcing HTTPS traffic to keep using HTTPS, users can access our site over the plain (vanilla) HTTP protocol.
Apr 8, 2020
There are some corner cases that the HTTP specification doesn't cover, like HTTP Parameter Pollution or HTTP.
Apr 8, 2020
If you include Express in your stack, I highly recommend extending the HTTP header definitions using the Helmet middleware.
Apr 8, 2020
As an example, Shodan queries show almost 1 million servers with the X-Powered-By: Express header active.
Apr 8, 2020
The X-Frame-Options header tells browsers to prevent your webpage from being put in an iframe. When browsers load iframes, they’ll check the value of the X-Frame-Options header and abort loading if it’s not allowed.
Apr 8, 2020
Web browsers have lots of different features, from vibration to fullscreen to microphone access. While some of these can be useful, you may not wish to use all of them, and you may not want any third-party scripts you include to use them either.
Apr 8, 2020
Expect-CT is an HTTP header that allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed.
Apr 8, 2020
Apr 8, 2020
This MIME sniffing can be an attack vector. A user could upload an image with the .jpg file extension whose contents are actually HTML.
Apr 8, 2020
Browsers can start these DNS requests before the user even clicks a link or loads a resource from somewhere. This improves performance when the user clicks the link, but has privacy implications for users.
Apr 8, 2020
This attack can be mitigated by using a different, personalized token in each request. In Node.js, the csurf library is highly recommended.
Apr 8, 2020
Most modern browsers support a header called `Content-Security-Policy`, which is effectively a whitelist of things allowed to be on your page. You can whitelist JavaScript, CSS, images, plugins, and much more. Things are opt-in, so you're saying "this stuff is allowed" instead of "this stuff is not allowed".
Apr 8, 2020
Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain.
Apr 8, 2020
In Node.js there was a bug in the Buffer core library that was reported in 2016 and has already been fixed.
Mar 19, 2020
A backdoor in our code that can perform OS command injection is one of the scariest scenarios ever. Currently, npm has more than 1.2M public packages available. Over the last 3 years, our dependencies have become the perfect target for cybercriminals.
Feb 6, 2020
A new Node.js security release was published earlier today, 6th of February, 2020 which fixes one Critical severity and two High severity issues. This release also includes stricter HTTP parsing.
Apr 24, 2017
A short reflection on the challenges we face as craftsmen working in the Node.js and JavaScript ecosystem when dealing with asynchrony.
Feb 26, 2017
Why is it so hard to recruit developers? And above all... why don't we retain that talent in our companies?
Oct 25, 2015
Let's use Firebase and Arduino to track the Bitcoin price in real time!
Oct 18, 2015
How to build a binary-coded decimal clock using JavaScript, Arduino, an LCD screen and an LED matrix
Jun 21, 2015
Extended version of the classic rock, paper, scissors game with Arduino, following in the footsteps of the series The Big Bang Theory
May 17, 2015
Let's connect the EduBasica Shield to Node.js to learn electronics and robotics the easy way
Mar 22, 2015
Although Google Cardboard is great, I always thought an alternative DIY model made of fabric and recycled plastic would be more interesting
Jan 26, 2015
Time to dust off our Raspberry Pis and put a bot in Google Hangouts that makes our lives easier