How does sync.com provide “zero knowledge” for web application upload?

It is completely clear how desktop and mobile platforms for sync.com allow zero knowledge. However, it blows my mind when I try to understand how “ZERO KNOWLEDGE” could be theoretically possible when using a browser, i.e. web application upload.

So I log in to sync.com with Chrome. Then I hit the upload a file button, and a file from my PC is getting uploaded and encrypted on the fly by the browser? Then the browser must know my encryption key, i.e. my login password!!!!!!! Does this mean the browser (and the sync.com) is keeping my login credentials while I’m logged in? As far as I know the credentials should not be kept like this, the modern practice is JWT token or something… Anyway… encryption… does a browser even have such a complicated encryption capability (comparable with the desktop app)… or are my files being simply uploaded to the server and encrypted there? But either way that would not be zero knowledge.

How can we let customers upload filled-out forms on our website? [closed]

I’m not sure if this is the right place for this question, but here goes:

We have a website where customers can log in, and see some safety forms as PDF documents.

The idea is that they need to fill out these forms, and send them to us somehow.

Right now, there are 2 choices:

  1. We can let the customer print the form, fill it out with a pencil/pen, scan it, and upload it to us as a file
  2. We can convert the form into HTML, and have them fill out a regular HTML form

Both would work, but:

  • Option 1 is incredibly inconvenient for the customer
    • They need a printer and scanner
    • They need to go through the effort of printing and scanning potentially dozens of pages per day
  • Option 2 is incredibly inconvenient for us
    • For every Safety Form we want to show the customer, which could be dozens, each one made up of dozens of pages, we would need to spend time converting it to HTML
    • The managers running our website that have new safety forms to show the customer don’t know HTML, so they’ll constantly be bugging web developers to convert PDF files to HTML. Our web developers have better things to do than convert PDFs to HTML all day long

The only thing I can think of to make it easy for everyone is to use some sort of JavaScript-based PDF annotation library. The customers would be able to add text directly overtop of a PDF, and hit a button to send it to us. The managers would just upload the PDF they want the customer to fill out, without needing to do anything else.

There are a few libraries that can do this that I have come across, but they all seem to be insanely expensive. pdfjs.express is $375/month. My boss would be unlikely to pay 1/10th of that as a one-time fee…

Is there a free library to let someone use their browser to write text overtop of a PDF file, and send it to the server when they are done?

Failing that, are there any other ideas?

Edit: We can also do something like convert each PDF uploaded by the managers to a set of images (one image per page), show them to the customer as images, and use something like marker.js to let them modify the images. It may be a bit of work to get working, but right now, that’s my best option.

Can a file upload function be vulnerable without the file name getting passed?

From googling, a lot of file upload vulnerabilities rely on injecting something into the filename and also rely on the picture being stored on the server. Is it safe to just do a POST request of the picture’s content (file-contents: ‰PNG...... via POST request) then display it in the browser as <img src="data:image/png;base64,.....">?

How exactly does Windows Defender in Windows 10 determine when to upload your local files to Microsoft?

Every time I install Windows 10, I painstakingly go through every setting that can be found in any GUI setting for the OS, disabling everything that sounds creepy.

One of the most disturbing things I’ve found is what I believe is called “automatic sample submission”, which means that the built-in anti-virus tool in Windows 10 can, by default, decide to upload any file it deems “potentially risky” to Microsoft, “for further analysis”. It also mentions that it doesn’t do this for files which “may contain personal data”.

But how can it know that? Does it:

  1. Simply look at the file extension and only upload .EXE and other “obvious binaries”?
  2. Does it ignore the file extension and instead look inside the file to check if it contains executable code?
  3. A combination of both?

What happens if I have a word processing document full of private information, but which also has a malicious macro or something accidentally baked (embedded) into it?

What happens if I have an EXE which actually has had all data files baked into it while I’m developing a game so as to be a single file? (This is an actual situation I’ve been in in the past.)

Does it deem the data files for my local PostgreSQL database full of ultra-private information as “potentially dangerous” and upload those?

I can think of numerous situations where even the smartest code in the world would not be able to determine what contains private data or not. And, frankly, I have virtually zero confidence left in Microsoft’s judgment at this point, having wasted a huge amount of my life fighting the OS to be able to use it at all. I’ve found numerous typos in their “stable” releases, making me extremely scared of how much data has been uploaded in spite of all the care I’ve tried to take to avoid it.

I also remember that it eagerly wanted to re-enable this feature, even harassing me about it. I can imagine that the vast majority of users have no idea about this, let alone have gone through the trouble of force-disabling it.

Does input type="file" selection support URL (upload from web)? - html

I wonder, can I use the option of input type="file" in HTML to upload from a URL (web/FTP etc.)? Is there an option for it? To explain more, I want to select a zip file with a URL and upload it to a website. Which operating systems support it? How can I do it on Linux, Mac and Windows 10? I am talking about the option on the link:

<input type="file">: How to Use This HTML Value

Clickjacking and XSS on file upload input?

I reported a self-XSS on a file uploader input to a bug bounty company and they said that they will only accept it if I can find a good clickjacking exploit for that input. My question is: Is it possible to make a clickjacking proof of concept on a file uploader input? This XSS triggers if I select a file named <script>alert(1)<.pdf as the file to upload. Is it possible to automatically load a file with a custom name inside an iframed page’s file uploader input with just a few clicks?

Pasting a URL into a Chrome file upload dialog box

When using Chrome, can a maliciously designed or temporarily compromised website that has a file upload dialog box, when selecting a file to upload on such a website, and pasting, for instance, an image from a website as the file (does this use Edge?), somehow impact the explorer.exe process or Windows filesystem? Can this access be contained within Edge’s browser cache or can it go further?