Date added Question
2017-02-15 20:02 CSRF in microservice architecture
What should be the proper way to implement CSRF protection in microservice architecture? Where services are stateless. To put CSRF verification on syste...
(0) answers
2017-02-08 17:02 Facebook app secret was leaked. Is there a way to invalidate all access tokens for all users?
My facebook app's secret was recently obtained by a malicious party. They subsequently approved my app for thousands of user accounts, either that th...
(1) answers
2017-02-05 15:02 How to log out of an expired session in Laravel 5.x?
More recent versions of Laravel (correctly) use POST to log out of a session. The reasoning for this is that GET/HEAD should only be used for passive a...
(1) answers
2017-01-28 21:01 Conversion of Facebook payload to sha1 value to check and match with x-hub-signature
I am trying to implement facebook webhook security. The below code works fine for text messages but the moment attachments are sent, the sha value d...
(0) answers
2017-01-25 08:01 What is the most secure way to authorize a user in Android?
In my app, the user logs in with a web service, and the web service returns an Authorization Key. After that point, every request the user makes is done with this...
(2) answers
2017-01-19 09:01 Are laravel's routes safeguarding enough against file traversal attacks?
Route::get('/transaction/{name}', 'TransactionController@download'); public function download($name){ $path = storage_path('app/something/') . $...
(2) answers
2017-01-14 15:01 Securing a web request in Windows Forms
I have a Windows Form (C#) that sends a web request with an account ID. The server then marks that account ID as verified. However, without any sort of...
(0) answers
2017-01-12 12:01 Protect your delete.php links sent by email
How to protect my delete.php files $id = (int) $_GET['id']; $delete = $connection->prepare("DELETE FROM `articles` WHERE `id` = :id"); $delete->...
(3) answers
2017-01-04 21:01 With strict type hints enabled, array_map converts types anyway
I've come across a really interesting bug in PHP 7.0.11 where declare(strict_types=1); enabled does not make the array_map() nor array_walk() aware of...
(1) answers
2016-12-29 22:12 Securing Single-page-application from CSRF and XSS using CSP + localStorage
I have a single page application, having sensitive content that needs to be secured. This question is specific to securing against XSS and CSRF atta...
(0) answers
2016-12-27 05:12 When or when not to use CSRF in APIs?
Spring Security Documentation states that 18.3 When to use CSRF protection When should you use CSRF protection? Our recommendation is to use ...
(1) answers
2016-12-25 12:12 API CSRF protection
I have an app that consists of a simple JSON API and a React frontend. Authentication is handled via cookies and the frontend is served from the same domain I...
(1) answers
2016-12-21 16:12 LDAP injection in LDAP query c#
This is my bool connection for validating whether a user is in an AD group or not. I got a security flag in my code. private bool testconnection(st...
(0) answers
2016-12-20 12:12 Spring Security testing with CookieCsrfTokenRepository
I created a simple project in Spring Security and I'm trying to test my code. I use AngularJS as a frontend layer. My problem is related to CSRF. I ge...
(0) answers
2016-12-18 19:12 Secure WebApi call using a client certificate c#
I am trying to make a secure web api call to a 3rd party. They provided us with a .jks client certificate. I used keytool to convert it into a .pfx file...
(0) answers
2016-12-18 07:12 CSRF protection with verifying the origin header and referrer header
I saw documentation about protecting against CSRF attacks. It's said that to protect from CSRF, if the origin header is present, verify its value matches the target o...
(0) answers
2016-12-14 18:12 Why doesn't pre-flight CORS block CSRF attacks?
Everyone says CORS doesn't do anything to defend against CSRF attacks. This is because CORS blocks outside domains from accessing (reading) resources ...
(1) answers
2016-12-14 10:12 Is it necessary to generate the anti-XSRF/CSRF token on the server side?
Almost all docs about anti-CSRF mechanisms state that the CSRF token should be generated on the server side. However, I'm wondering whether it is necessary. I...
(1) answers
2016-12-13 14:12 Changing an ajax request to a different php file vulnerability, potential exploit clarification
I am creating an application that accepts an ajax call (jquery) and returns the validated user an entry token to the website. Say for example the aj...
(1) answers
2016-12-07 00:12 jCaptcha java API security issue
We are using the jCaptcha (Atlassian) java API in our project. Refer to the implementation: https://jcaptcha.atlassian.net/wiki/display/general/5+minutes+app...
(0) answers
2016-12-06 18:12 Possible values for X-Requested-With header?
The x-requested-with header is kind of confusing to me. I know it can be used to defend against CSRF attacks, and that it is used to identify Ajax cal...
(1) answers
2016-12-06 10:12 HTTP served page marked as insecure in chrome
As of January Chrome will show its users that a site is insecure if it contains either a password or credit-card field and isn't served via htt...
(1) answers
2016-11-28 22:11 Why does Google Chrome not recognize my SameSite cookie?
I'm trying to explore how Google Chrome handles SameSite cookies. So by using the console (ctrl+Shift+J), I added an additional key-value pair for the ...
(1) answers
2016-11-28 10:11 Why can't a malicious site obtain a CSRF token via GET before attacking?
If I understand correctly, in a CSRF attack a malicious website A tells my browser to send a request to site B. My browser will automatically include ...
(2) answers
2016-11-25 19:11 Protecting form actions from being invoked directly
I am facing this issue in a Java app, but tests show that it is applicable for other languages as well, such as PHP. Searching shows that falls in th...
(0) answers
2016-11-23 22:11 Storing keys in Android
I am writing an app for Android and I have to store two keys that I will use to encrypt/decrypt some messages. (I have to store an RSA private key). I've ...
(1) answers
2016-11-21 17:11 CSRF Attack: Could you use javascript to modify the user agent header?
Suppose I used the user agent header to look at which browser (if any) is being used in order to help me defend against potential CSRF attacks. While ...
(1) answers
2016-11-20 23:11 How to protect an http post from Angular 2 to Express Server
How do I protect a post call from an angular2 application to an Express server? In my angular2 application I have the following HTTP Post. const h...
(1) answers
2016-11-19 19:11 Potential dangers of using unprepared SQL queries when not processing user input?
Everyone knows or should know parameterized queries help to protect against SQL injection. All of the tutorials and documentation I have seen have rev...
(1) answers
2016-11-17 17:11 How is it impossible to spoof the Referer Header during a CSRF Attack?
Suppose that an application's only defense against CSRF Attacks is to check the referer header for the same origin. Suppose, also, that all browsers w...
(1) answers
2016-11-17 10:11 How can a password input be done in python while printing an asterisk for every character the user types?
This question has been asked before and still lacks an answer, as far as I can see. So I'm asking this question again in order to maybe finally get an...
(5) answers
2016-11-16 02:11 Login CSRF vs Automatic login
I have been studying login csrf and I am confused about its meaning. Take the following scenarios: Scenario 1: I have a server side web app that imp...
(0) answers
2016-11-07 18:11 How can I add custom filter order after spring security filter?
My filter is as follows: @Component @Order(1) public class MDCFilter implements Filter { ..... and application.properties security.filter-order=0 I...
(1) answers
2016-11-04 14:11 What are the implications of Angularjs sandbox escaping?
I've read that AngularJs uses some kind of sandbox to prevent running arbitrary expressions inside {{ }} curly brackets. There are several examples on...
(1) answers
2016-11-02 13:11 Asp.net Core code based policy needs access to Authorize attribute
In my multitenant application user permissions (read Roles if you are more comfortable with that) are set per tenant so we are adding claims to each u...
(1) answers