Date added Question
2017-03-19 02:03 XSRF and double submit cookie JWT alternative - is this implementation safe? »
I was looking into HTTP security for my REST API and I was hoping to make it more secure by using the Double Submit Cookie pattern but I'm pretty sure...
(1) answers
2017-03-14 20:03 Rails 5 API protect_from_forgery »
I have a Rails 5 API app (ApplicationController < ActionController::API). The need came up to add a simple GUI form for one endpoint of this API. ...
(3) answers
2017-03-10 19:03 How in Django/Python can I ensure safety from WYSIWYG-entered HTML? »
I would like to remove vulnerabilities to XSS / JavaScript injection in a web application where users are allowed to use an editor like CKEditor which...
(1) answers
2017-03-08 19:03 Spring Security CSRF Token generation »
CSRF prevention Spring parameters, _csrf.parameterName and _csrf.token are not getting generated in JSP. <input type="hidden" path="${_csrf.paramet...
(0) answers
2017-03-06 11:03 Windows authentication on Angular + Web Api »
I am developing a web application using AngularJS and Web API. I have hosted two separate projects on IIS. The URL for AngularJS is 'http://10.36.217.16...
(0) answers
2017-03-02 11:03 Adding CSRF token for window.location.href »
I have used window.location.href in several places in my JavaScript. Is there any generic way to add a CSRF token to all of them? Since the window.loca...
(1) answers
2017-02-26 12:02 C# Encrypting/Decrypting a String using Windows Master Password »
According to this HowToGeek article, Chrome encrypts a password using the Windows master password. To perform the encryption (on Windows), Chrome...
(0) answers
2017-02-24 18:02 can't verify CSRF token authenticity after session expires - Rails + devise + redis »
We have an issue with CSRF tokens that started when moving our sessions to Redis. The issue is that users sign out, and leave the login screen for a l...
(1) answers
2017-02-24 16:02 Is there a way to have different ticket expiry lengths in OpenIddict? »
I have an app using OpenIddict for token authorization (access and refresh tokens) and overall, it's working great. The problem is that my use case ha...
(1) answers
2017-02-23 12:02 Which specific packages are sealed when sealing a .jar? »
When sealing a .jar file (the whole .jar, not specific packages), which packages are actually sealed? Is it only the packages that contain .class file...
(1) answers
2017-02-23 06:02 What is the difference between X-XSRF-TOKEN and X-CSRF-TOKEN? »
When to use a hidden field and when to use a header, and why? When do we use X-XSRF-TOKEN? When do we use X-CSRF-TOKEN? ...
(1) answers
2017-02-21 17:02 How to add "X-Frame-Options" header in .htaccess file to protect against 'ClickJacking' attacks »
I have a ColdFusion web application. To protect my site from Cross-Frame Scripting attacks I'm planning to add an HTTP Response Header "X-Frame-Options"...
(1) answers
2017-02-19 18:02 PHP Security (strip_tags, htmlentities) »
I'm working on a personal project and besides using prepared statements, I would like to treat every input as a threat. For that I made a simple function....
(2) answers
2017-02-16 11:02 CSRF Basics with SSL & CSRF Relationship »
I am trying to implement CSRF and SSL (they are not entirely dependent) and listing below my understanding on the topic for having a proof of understan...
(0) answers
2017-02-15 20:02 CSRF in microservice architecture »
What should be the proper way to implement CSRF protection in a microservice architecture, where services are stateless? To put CSRF verification on syste...
(0) answers
2017-02-08 17:02 Facebook app secret was leaked. Is there a way to invalidate all access tokens for all users? »
My Facebook app's secret was recently obtained by a malicious party. They subsequently approved my app for thousands of user accounts, either that th...
(1) answers
2017-02-05 15:02 How to log out of an expired session in Laravel 5.x? »
More recent versions of Laravel (correctly) use POST to log out of a session. The reasoning for this is that GET/HEAD should only be used for passive a...
(1) answers
2017-01-28 21:01 Conversion of Facebook payload to sha1 value to check and match with x-hub-signature »
I am trying to implement Facebook webhook security. The below code works fine for text messages but the moment attachments are sent, the SHA value d...
(0) answers
2017-01-25 08:01 What is the most secure way to authorize a user in Android? »
In my app, the user logs in with a web service, and the web service returns an Authorization Key. After that point, every request the user makes is done with this...
(2) answers
2017-01-19 09:01 Are Laravel's routes safeguarding enough against file traversal attacks? »
Route::get('/transaction/{name}', 'TransactionController@download'); public function download($name){ $path = storage_path('app/something/') . $...
(2) answers
2017-01-14 15:01 Securing a web request in Windows Forms »
I have a Windows Form (C#) that sends a web request with an account ID. The server then marks that account ID as verified. However without any sort of...
(0) answers
2017-01-12 12:01 Protect your delete.php links sent by email »
How to protect my delete.php files $id = (int) $_GET['id']; $delete = $connection->prepare("DELETE FROM `articles` WHERE `id` = :id"); $delete->...
(3) answers
2017-01-04 21:01 With strict type hints enabled, array_map converts types anyway »
I've come across a really interesting bug in PHP 7.0.11 where declare(strict_types=1); enabled does not make array_map() nor array_walk() aware of...
(1) answers
2016-12-29 22:12 Securing Single-page-application from CSRF and XSS using CSP + localStorage »
I have a single-page application with sensitive content that needs to be secured. This question is specific to securing against XSS and CSRF atta...
(0) answers
2016-12-27 05:12 When or when not to use CSRF in APIs? »
Spring Security Documentation states that 18.3 When to use CSRF protection When should you use CSRF protection? Our recommendation is to use ...
(1) answers
2016-12-25 12:12 API CSRF protection »
I have an app that consists of a simple JSON API and a React frontend. Authentication is handled via cookies and the frontend is served from the same domain I...
(1) answers
2016-12-21 16:12 LDAP injection in LDAP query C# »
This is my bool connection for validating whether a user is in an AD group or not. I got a security flag in my code. private bool testconnection(st...
(0) answers
2016-12-20 12:12 Spring Security testing with CookieCsrfTokenRepository »
I created a simple project in Spring Security and I'm trying to test my code. I use AngularJS as a frontend layer. My problem is related to CSRF. I ge...
(0) answers
2016-12-18 19:12 Secure WebApi call using a client certificate C# »
I am trying to make a secure Web API call to a 3rd party. They provided us with a .jks client certificate. I used keytool to convert it into a .pfx file...
(0) answers
2016-12-18 07:12 CSRF protection with verifying the origin header and referrer header »
I saw documentation about protecting against CSRF attacks. It said that to protect from CSRF, if the Origin header is present, verify its value matches the target o...
(0) answers
2016-12-14 18:12 Why doesn't pre-flight CORS block CSRF attacks? »
Everyone says CORS doesn't do anything to defend against CSRF attacks. This is because CORS blocks outside domains from accessing (reading) resources ...
(1) answers
2016-12-14 10:12 Is it necessary to generate anti-XSRF/CSRF token in server side? »
Almost all docs about anti-CSRF mechanisms state that the CSRF token should be generated on the server side. However, I'm wondering whether it is necessary. I...
(1) answers
2016-12-13 14:12 Changing an AJAX request to a different php file vulnerability, potential exploit clarification »
I am creating an application that accepts an AJAX call (jQuery) and returns the validated user an entry token to the website. Say for example the aj...
(1) answers
2016-12-07 00:12 jCaptcha java API security issue »
We are using the jCaptcha (Atlassian) Java API in our project. Refer to the implementation: https://jcaptcha.atlassian.net/wiki/display/general/5+minutes+app...
(0) answers
2016-12-06 18:12 Possible values for X-Requested-With header? »
The x-requested-with header is kind of confusing to me. I know it can be used to defend against CSRF attacks, and that it is used to identify Ajax cal...
(1) answers