Date added Question
2017-01-14 15:01 Securing a web request in Windows Forms »
I have a Windows Form (C#) that sends a web request with an account ID. The server then marks that account ID as verified. However without any sort of...
(0) answers
2017-01-12 12:01 Protect your delete.php links sent by email »
How to protect my delete.php files $id = (int) $_GET['id']; $delete = $connection->prepare("DELETE FROM `articles` WHERE `id` = :id"); $delete->...
(3) answers
2017-01-04 21:01 With strict type hints enabled, array_map converts types anyways »
I've come across a really interesting bug in PHP 7.0.11 where declare(strict_types=1); enabled does not make the array_map() nor array_walk() aware of...
(1) answers
2016-12-29 22:12 Securing Single-page-application from CSRF and XSS using CSP + localStorage »
I have a single page application that has sensitive content and needs to be secured. This question is specific to securing against XSS and CSRF atta...
(0) answers
2016-12-27 05:12 When or when not to use CSRF in APIs? »
Spring Security Documentation states that: "18.3 When to use CSRF protection. When should you use CSRF protection? Our recommendation is to use ...
(1) answers
2016-12-25 12:12 API CSRF protection »
I have an app that consists of simple JSON API and React frontend. Authentication is handled via cookies and frontend is served from the same domain I...
(1) answers
2016-12-21 16:12 LDAP injection in LDAP query c# »
This is my bool connection for validating whether a user is in an AD group or not. I got a security flag in my code. private bool testconnection(st...
(0) answers
2016-12-20 12:12 Spring Security testing with CookieCsrfTokenRepository »
I created a simple project in Spring Security and I'm trying to test my code. I use AngularJS as a frontend layer. My problem is related to CSRF. I ge...
(0) answers
2016-12-18 19:12 Secure WebApi call using a client certificate c# »
I am trying to make a secure web api call to a 3rd party. They provided us with a .jks client certificate. I used keytool to convert it into .pfx file...
(0) answers
2016-12-18 07:12 CSRF protection with verifying the origin header and referrer header »
I saw documentation about protecting against CSRF attacks. It says that to protect from CSRF, if the origin header is present, verify its value matches the target o...
(0) answers
2016-12-14 18:12 Why doesn't pre-flight CORS block CSRF attacks? »
Everyone says CORS doesn't do anything to defend against CSRF attacks. This is because CORS blocks outside domains from accessing (reading) resources ...
(1) answers
2016-12-14 10:12 Is it necessary to generate the anti-XSRF/CSRF token on the server side? »
Almost all docs about anti-CSRF mechanisms state that the CSRF token should be generated on the server side. However, I'm wondering whether it is necessary. I...
(1) answers
2016-12-13 14:12 Changing an ajax request to a different php file vulnerability, potential exploit clarification »
I am creating an application that accepts an ajax call (jquery) and returns the validated user an entry token to the website. Say for example the aj...
(1) answers
2016-12-07 00:12 jCaptcha java API security issue »
We are using the jCaptcha (Atlassian) java API in our project. Refer to the implementation: https://jcaptcha.atlassian.net/wiki/display/general/5+minutes+app...
(0) answers
2016-12-06 18:12 Possible values for X-Requested-With header? »
The x-requested-with header is kind of confusing to me. I know it can be used to defend against CSRF attacks, and that it is used to identify Ajax cal...
(1) answers
2016-12-06 10:12 HTTP served page marked as insecure in Chrome »
As of January Chrome will show its users that a site is insecure if it contains either a password or credit-card field and isn't served via htt...
(1) answers
2016-11-28 22:11 Why does Google Chrome not recognize my SameSite cookie? »
I'm trying to explore how Google Chrome handles SameSite cookies. So by using the console (ctrl+Shift+J), I added an additional key-value pair for the ...
(1) answers
2016-11-28 10:11 Why can't a malicious site obtain a CSRF token via GET before attacking? »
If I understand correctly, in a CSRF attack a malicious website A tells my browser to send a request to site B. My browser will automatically include ...
(2) answers
2016-11-25 19:11 Protecting form actions from being invoked directly »
I am facing this issue in a Java app, but tests show that it is applicable for other languages as well, such as PHP. Searching shows that falls in th...
(0) answers
2016-11-23 22:11 Storing keys in Android »
I am writing an app for Android and I have to store two keys that I will use to encrypt/decrypt some messages (I have to store the RSA private key). I've ...
(1) answers
2016-11-21 17:11 CSRF Attack: Could you use javascript to modify the user agent header? »
Suppose I used the user agent header to look at which browser (if any) is being used in order to help me defend against potential CSRF attacks. While ...
(1) answers
2016-11-20 23:11 How to protect an HTTP post from Angular 2 to an Express Server »
How do I protect a post call from an angular2 application to an Express server? In my angular2 application I have the following HTTP Post. const h...
(1) answers
2016-11-19 19:11 Potential dangers of using unprepared SQL queries when not processing user input? »
Everyone knows or should know parameterized queries help to protect against SQL injection. All of the tutorials and documentation I have seen have rev...
(1) answers
2016-11-17 17:11 How is it impossible to spoof Referer Header during CSRF Attack? »
Suppose that an application's only defense against CSRF Attacks is to check the referer header for the same origin. Suppose, also, that all browsers w...
(1) answers
2016-11-17 10:11 How can a password input be done in python with printing an asterisk for every character of the user? »
This question has been asked before and still lacks an answer, as far as I can see. So I'm asking this question again in order to maybe finally get an...
(5) answers
2016-11-16 02:11 Login CSRF vs Automatic login »
I have been studying login csrf and I am confused about its meaning. Take the following scenarios: Scenario 1: I have a server side web app that imp...
(0) answers
2016-11-07 18:11 How can I add custom filter order after spring security filter? »
My filter as follows: @Component @Order(1) public class MDCFilter implements Filter { ..... and application.properties security.filter-order=0 I...
(1) answers
2016-11-04 14:11 What are the implications of Angularjs sandbox escaping? »
I've read that AngularJs uses some kind of sandbox to prevent running arbitrary expressions inside {{ }} curly brackets. There are several examples on...
(1) answers
2016-11-02 13:11 Asp.net Core code based policy needs access to Authorize attribute »
In my multitenant application user permissions (read Roles if you are more comfortable with that) are set per tenant so we are adding claims to each u...
(1) answers
2016-11-02 07:11 Using variable in ActiveRecord where condition »
I have a condition to filter/search the title and user of the post based on some search keywords. As you can see the values can be used in where ...
(1) answers
2016-10-30 17:10 Securing Web Api/MVC + security questions in general »
I am developing a WS with Web API and in parallel an MVC web app that will consume the service. From a security point of view I will authenticate the ...
(0) answers
2016-10-27 11:10 JWT Authentication for Asp.Net Web Api »
I'm trying to support JWT bearer token (Json Web Token) in my web api application and I'm getting lost. I see support for .net core and for OWIN appl...
(2) answers
2016-10-26 14:10 Spring Api Rest And Web JWT and CSRF Protection »
I would like to secure an Api REST with a JWT Token. The Web interface will use the same API Rest endpoint. It's not necessarily a single-page application, but I...
(0) answers
2016-10-25 15:10 Persistent CSRF token is safe/secure? »
My previous algorithm for my CSRF token is using password_hash(), and this is multi-tab and cross-tab friendly. My only problem is that, when I start ...
(0) answers
2016-10-25 13:10 Do browsers allow cross-domain requests to be "sent"? »
I am a newbie to website security and currently trying to understand Same-Origin-Policy in some depth. While there are very good posts on stackoverflow ...
(2) answers