Web apps in a single, portable, self-updating, vanilla HTML file

CVE-2025-53770: ServiceNow RCE via JSON Exploit
Exploit enables remote code execution in ServiceNow using JSON manipulation and HTTP method bypass
Had a first meeting with an external company we want to hire to do a pentest on the application layer for the project I'm working on. Honestly, I was psyched. After the meeting I was a bit underwhelmed. I do dabble a bit in technical pentesting myself. I do take an interest in #appsec and make an effort to develop secure #webapps. Not many of the questions I expected to be addressed were addressed.
Now I wonder: As a client, how can I distinguish a good vs a not so good pentest?
#Development #Analyses
The orders of complexity of websites · Why big web features fail small websites https://ilo.im/164nnv
_____
#Simplicity #Complexity #WebPlatform #WebTechnology #Websites #WebApps #CMS #IndieWeb #SmallWeb #BigWeb
#AI is the new #Kubernetes is the new #CloudNative is the new #Microservices is the new #WebApps is the new #SOA is the new #Agile is the new #4GL is the new #PersonalComputing is the new …
Sorry if I forgot something or the order is not 100 % perfect. *sigh*
We have @EUCommission [rightfully!] crack down on #cars and their #emissions by demanding ever lower #FleetEmissions and #FuelConsumption numbers but still accept #Bloatware like shitty #WebApps and #Windows11 to demand so much #WastefulComputing that it's painful.
#WastefulComputing like all those phat & enshittified messengers should be illegal.
For those who don't know the size of the problem:
In 2006 I bought a new [entry level] computer with 256 MB of RAM and a single-core P4 Celeron at 2.8 GHz.
This thing ran #WindowsXP and #NeedForSpeedMostWanted just fine.
Nowadays it would crash trying to open #Slack even on a minimalist #Linux distro like @bunsenlabs in @dillo, a lightweight browser ...
And now imagine that some folks have to use #Slack, #MicrosoftTeams, #Telegram, #Signal, #WhatsApp, #WeChat, #QQ and #LineMessenger at the same time on their machine, and you can imagine that this will already make entry-level desktops scream harder than if someone were to loop the Lost Coast benchmark on them...
Everywhere else we'd not accept such #bloatware IRL.
I mean, #Pidgin, #Gajim, #HootSuite and #NUVI don't require me to set up yet another account to have working multi-protocol support. (Okay, the latter two do, but that's to access their interface as they are #SaaS-only #WebApps!)
"TL;DR: Apple’s rules and technical restrictions are blocking other browser vendors from successfully offering their own engines to users in the EU. At the recent Digital Markets Act (DMA) workshop, Apple claimed it didn’t know why no browser vendor has ported their engine to iOS over the past 15 months. But the reality is Apple knows exactly what the barriers are, and has chosen not to remove them.
Safari is the highest margin product Apple has ever made, accounts for 14-16% of Apple’s annual operating profit and brings in $20 billion per year in search engine revenue from Google. For each 1% browser market share that Apple loses for Safari, Apple is set to lose $200 million in revenue per year.
Ensuring other browsers are not able to compete fairly is critical to Apple’s best and easiest revenue stream, and allows Apple to retain full control over the maximum capabilities of web apps, limiting their performance and utility to prevent them from meaningfully competing with native apps distributed through their app store. Consumers and developers (native or web) then suffer due to a lack of competition.
This browser engine ban is unique to Apple and no other gatekeeper imposes such a restriction. Until Apple lifts these barriers they are not in effective compliance with the DMA."
https://open-web-advocacy.org/blog/apples-browser-engine-ban-persists-even-under-the-dma/
Tyler Sanderson, Kathryn Grayson Nanz, and Brent Stewart present on Frontend Development at Nebraska.Code().
The @w3c Linked Web Storage specification aims to create #WebApps with loosely coupled components like data #storage and #authentication, unlike today's tightly integrated systems.
The "Linked Web Storage Use Cases" document is published as a Draft Note. It presents user stories, use cases, and necessary requirements. https://www.w3.org/TR/lws-ucs/
You’re welcome to contribute! https://github.com/w3c/lws-ucs/
File encryption with a browser.
I've been exploring the #WebCryptoAPI and I'm impressed!
When combined with the #FileSystemAPI, it offers a seemingly secure way to #encrypt and #store files directly on your device. Think #localstorage, but with #encryption!
I know #webapps can have #security vulnerabilities since the code is served over the web, so I've #OpenSourced my demo! You can check it out, and it should even work if #selfhosted on #GitHubPages.
Live Demo: https://dim.positive-intentions.com/?path=/story/usefs--encrypted-demo
Demo Code: https://github.com/positive-intentions/dim/blob/staging/src/stories/05-Hooks-useFS.stories.js
Hook Code: https://github.com/positive-intentions/dim/blob/staging/src/hooks/useFS.js
IMPORTANT NOTES (PLEASE READ!):
* This is NOT a product. It's for #testing and #demonstration purposes only.
* It has NOT been reviewed or audited. Do NOT use for sensitive data.
* The "password encryption" currently uses a hardcoded password. This is for demonstration, not security.
* This is NOT meant to replace robust solutions like #VeraCrypt. It's just a #proofofconcept to show what's possible with #browser #APIs.
Safari changes in iOS 26 go beyond the address bar
Apple has overhauled Safari with iOS 26, and the changes affect far more than just the address bar. The current software version not only offers design improvements, s
https://www.apfeltalk.de/magazin/news/safari-aenderungen-bei-ios-26-gehen-ueber-die-adressleiste-hinaus/
#iPad #iPhone #News #Apple #BrowserUpdates #HDRBilder #IOS26 #IPadOS26 #MacOS26 #MobileSoftware #Safari #SVGIcons #TechnikNews #WebApps
Finishing up an @owasp #SAMM assessment and validation report for a major company in APAC region.
Built a lot of new templates and tools to assist with the process and looking forward to doing more of these assessments.
The #OWASPSAMM framework is solid and takes a very different approach to web-application security than more traditional compliance or audit frameworks. I'd recommend taking a look at it if your company is primarily an application developer or SaaS provider.
One of the stronger points for it is that it is geared towards self-assessment with a focus on continual improvement and a maturity approach. We kept telling our client, "We are not auditors and this is not an audit. We are here to help you document where you are today and where you want to be in the future." This led to a very collaborative and non-adversarial engagement and lots of deep knowledge being freely shared by the development staff that you'd not see in a compliance audit (trust me, I've done a lot of those too). We even had the #InfoSec team tell us several times, "This is great because you're helping to validate our concerns and budget requests. Your vast experience from other companies is helping to guide us in solutions and bolsters our budget requests to executive management."
Again, if you are primarily developing #webapps for clients or running a #SaaS definitely consider doing your own self-assessment using the #OWASPSAMM toolkit. @owasp provides it for FREE in various flavors including Google Docs, Excel, and Docker. There is even the ability to use the JavaScript to build internal tools around it easily. Then if you decide you want a third-party validation, you can contract from the OWASP SAMM Practitioners list at: https://owaspsamm.org/practitioners/.
If you end up finding any of it useful or want more information, or to contribute you can also join @owasp and their SAMM meetings too. Find out more at: https://owaspsamm.org/contributing/
@patrickcmiller which is yet another reason why I explicitly recommend not trusting #Browsers & #WebApps but using either proper clients (i.e. @monocles / #monoclesMail & @thunderbird) or doing the #airgapped #OfflinePGP method!
How to Detect Memory Leaks in Your Web App, by (not found on Mastodon or Bluesky):