Date added Question
2017-04-21 10:04 Python is reading past the end of the file. Is this a security risk?
So I just noticed this, and after some experimentation, I managed to make it reproducible. I didn't see this posted anywhere. Python seems to be readi...
(0) answers
2017-04-19 21:04 .net core security headers middleware not adding headers to external http requests
I'm using security headers middleware in a web app to add security headers to all outgoing http requests. Security headers seem to get added to all ne...
(1) answer
2017-04-18 21:04 spring boot + security + oauth2 + react + csrf token
I am working on spring boot 1.5.2 security with oauth2 and I am using reactjs also. I have a separate authentication server for user authentication and ...
(0) answers
2017-04-18 17:04 How is the (X/C)SRF-TOKEN cookie more secure than the JSESSIONID cookie?
The csrf token cookie is said to protect against cross-site attack because it would better warranty that the request is coming from the javascript pro...
(1) answer
2017-04-17 03:04 Universal user profile for subproject sites – securely transferring user data from main server
I have a site (A) for the main project with a user system (which is supposed to display all student competitions and academic events in my country for regis...
(1) answer
2017-04-16 23:04 Web API security using tokens
I have built a Web API and now I am trying to determine the best approach to secure it. I would like to use tokens along with credentials and thus, o...
(1) answer
2017-04-16 12:04 Can an HTML <script> fragment on the URL be used for XSS in a purely client side application?
Background Say I have the following webpage: <html> <script> document.write('querystring=' + location.search.substr(1)); </sc...
(2) answers
2017-04-02 23:04 Should API Secrets Be Hashed?
It might sound like a silly question, because passwords of course need to be hashed and never store the original. However, for API secrets, generally...
(1) answer
2017-03-23 11:03 Chrome and Safari not honoring HPKP
I added an HPKP header to my site, but it is not honored by Chrome or Safari. I tested it manually by setting a proxy and by going to chrome://net-intern...
(2) answers
2017-03-22 07:03 Email and SMS not working after setting up configuration of nwebsec
I have configured nwebsec for security purposes in .net framework. Also added connect tag with email and sms api url but still not working. Any help? ...
(0) answers
2017-03-21 23:03 Javascript - masking account number within a string
I have a fun challenge I couldn't find an answer for here. I have a string of text that could potentially contain an account number. Example: "Hi, m...
(4) answers
2017-03-21 22:03 How to slow down too many requests in web api instead of returning 429?
We have an API that is an interface to a huge database. We sell the access to it as a service, and our clients are then able to get the data. However...
(0) answers
2017-03-19 02:03 XSRF and double submit cookie JWT alternative - is this implementation safe?
I was looking into HTTP security for my REST API and I was hoping to make it more secure by using the Double Submit Cookie pattern, but I'm pretty sure...
(1) answer
2017-03-14 20:03 Rails 5 API protect_from_forgery
I have a Rails 5 API app (ApplicationController < ActionController::API). The need came up to add a simple GUI form for one endpoint of this API. ...
(3) answers
2017-03-10 19:03 How in Django/Python can I ensure safety from WYSIWYG-entered HTML?
I would like to remove vulnerabilities to XSS / JavaScript injection in a web application where users are allowed to use an editor like CKEditor which...
(1) answer
2017-03-08 19:03 Spring Security CSRF Token generation
CSRF prevention Spring parameters, _csrf.parameterName and _csrf.token, are not getting generated in JSP. <input type="hidden" path="${_csrf.paramet...
(0) answers
2017-03-06 11:03 Windows authentication on Angular + Web Api
I am developing a web application using angularJS and web api. I have hosted two separate projects on IIS. The URL for AngularJS is 'http://10.36.217.16...
(0) answers
2017-03-02 11:03 Adding CSRF token for window.location.href
I have used window.location.href in several places in my javascripts. Is there any generic way to add a CSRF token to all of them? Since the window.loca...
(1) answer
2017-02-26 12:02 C# Encrypting/Decrypting a String using Windows Master Password
According to this HowToGeek article, Chrome encrypts a password using the Windows master password. To perform the encryption (on Windows), Chrome...
(0) answers
2017-02-24 18:02 can't verify CSRF token authenticity after session expires - Rails + devise + redis
We have an issue with CSRF tokens that started when moving our sessions to Redis. The issue is that users sign out, and leave the login screen for a l...
(1) answer
2017-02-24 16:02 Is there a way to have different ticket expiry lengths in OpenIddict?
I have an app using OpenIddict for token authorization (access and refresh tokens) and overall, it's working great. The problem is that my use case ha...
(1) answer
2017-02-23 12:02 Which specific packages are sealed when sealing a .jar?
When sealing a .jar file (the whole .jar, not specific packages), which packages are actually sealed? Is it only the packages that contain .class file...
(1) answer
2017-02-23 06:02 what is the difference between X-XSRF-TOKEN and X-CSRF-TOKEN?
When to use a hidden field and when to use a header, and why? When do we use X-XSRF_TOKEN? When do we use X-CSRF TOKEN? ...
(1) answer
2017-02-21 17:02 How to add "X-Frame-Options" header in .htaccess file to protect against 'ClickJacking' attacks
I have a Coldfusion Web application. To protect my site from Cross-Frame Scripting attacks I'm planning to add an HTTP Response Header "X-Frame-Options"...
(1) answer
2017-02-19 18:02 PHP Security (strip_tags, htmlentities)
I'm working on a personal project and besides using prepared statements, I would like to treat every input as a threat. For that I made a simple function....
(2) answers
2017-02-16 11:02 CSRF Basics with SSL & CSRF Relationship
I am trying to implement CSRF and SSL (they are not entirely dependent) and listing below my understanding on the topic for having a proof of understan...
(0) answers
2017-02-15 20:02 CSRF in microservice architecture
What should be the proper way to implement CSRF protection in a microservice architecture, where services are stateless? To put CSRF verification on syste...
(0) answers
2017-02-08 17:02 Facebook app secret was leaked. Is there a way to invalidate all access tokens for all users?
My facebook app's secret was recently obtained by a malicious party. They subsequently approved my app for thousands of user accounts, either that th...
(1) answer
2017-02-05 15:02 How to log out of an expired session in Laravel 5.x?
More recent versions of Laravel (correctly) use POST to log out of a session. The reasoning for this is that GET/HEAD should only be used for passive a...
(1) answer
2017-01-28 21:01 Conversion of Facebook payload to sha1 value to check and match with x-hub-signature
I am trying to implement facebook webhook security. The below code works fine for text messages but the moment attachments are sent, the sha value d...
(0) answers
2017-01-25 08:01 What is the most secure way to authorize a user in Android?
In my app, the user logs in with a web service, and the web service returns an Authorization Key. After that point, every request the user makes is done with this...
(2) answers
2017-01-19 09:01 Are laravel's routes safeguarding enough against file traversal attacks?
Route::get('/transaction/{name}', 'TransactionController@download'); public function download($name){ $path = storage_path('app/something/') . $...
(2) answers
2017-01-14 15:01 Securing a web request in Windows Forms
I have a Windows Form (C#) that sends a web request with an account ID. The server then marks that account ID as verified. However, without any sort of...
(0) answers
2017-01-12 12:01 Protect your delete.php links sent by email
How to protect my delete.php files $id = (int) $_GET['id']; $delete = $connection->prepare("DELETE FROM `articles` WHERE `id` = :id"); $delete->...
(3) answers
2017-01-04 21:01 With strict type hints enabled, array_map converts types anyway
I've come across a really interesting bug in PHP 7.0.11 where declare(strict_types=1); enabled does not make array_map() nor array_walk() aware of...
(1) answer