http   70322

Webhook Tester
Easily test webhooks and HTTP requests with this handy tool that displays requests in realtime.

tools  testing  webhooks  hooks  development  debug  http  selfhosted  logging 
11 hours ago by michaelfox
Pushpin | Documentation | About
Pushpin is a reverse proxy server that makes it easy to implement WebSocket, HTTP streaming, and HTTP long-polling services.
http  proxy  websocket  http-streaming  http-polling  opensource 
18 hours ago by bkittelmann
New attack steals SSNs, e-mail addresses, and more from HTTPS pages | Ars Technica
HEIST is able to count the number of frames and windows sent by interacting with a set of newly approved APIs, one called Resource Timing and another called Fetch. In the process, they allow a piece of JavaScript to determine the exact size of an HTTPS response. The malicious HEIST code then works in tandem with BREACH to ferret pieces of plaintext out of the encrypted response by adding thousands of guesses to requests and analyzing the size of each resulting response.

Van Goethem and fellow researcher Mathy Vanhoef have already disclosed their findings to researchers at both Google and Microsoft. That means Wednesday's demonstration isn't likely to catch them by surprise. Still, when asked how practical the attack is against Gmail, Bank of America, and other real-world sites, Van Goethem gave the following answer:

If I would take my time, and write exploits for a number of websites, then visiting a malicious site (it even doesn't have to be a malicious one, there could also happen to be a malicious JavaScript file on there; there are numerous of possibilities for that to happen), could cause a lot of havoc. Probably the most damage could be dealt out by exploiting BREACH, as it allows the attacker to read out CSRF tokens. Depending on the functionality offered by the website, it could be that by knowing the CSRF token the attacker could simply take over the complete account of the victim.
I haven't inspected the requests and responses of every website in detail, but as a user one should expect the worst. An attacker only has to find a single endpoint that contains a secret token and reflects part of the request in the response to extract this token. As I mentioned, knowing this token is typically enough to compromise the user's account.
Van Goethem said the only mitigation he knows of is to disable the third-party cookies, since responses sent by the HTTPS site are no longer associated with the victim. At the moment, most Web browsers by default enable the receipt of third-party cookies, and some online services don't work unless third-party cookies are allowed.
security  http  advertising  google 
yesterday by janpeuker
7 Helpful HTTP Tools | Nordic APIs
We review HTTP CLIs and GUI clients like cURL, http-console, HTTPie, http-prompt, and others used to aid API development and testing.
yesterday by pks
Functional HTTP Requests in Go
For when you need an HTTP request package that:
* is atomic--All HTTP request configurations should be set, intuitively, on the request only.
* wraps useful channels-ridden asynchronous patterns.
* has helper functions like marshaling and posting JSON.
* stays true to net/http APIs.
* is idiomatic Go.
golang  http 
3 days ago by jwd
