Newest security Questions

Q&A for professional and enthusiast programmers

Stop someone from hogging wireless bandwidth by streaming videos? [on hold]

What options do you have, nefarious or otherwise, to stop people on a wireless network you are also on (but have no admin rights to) from hogging bandwidth by streaming videos? It's an interviewing ...

What can be the flaws/cons of using custom encryption into a JWS? (and avoid JWE temporary)

So I am working on a software that will have to eventually communicate with one or more servers. I am experimenting on implementing JSON Web Tokens for specific parts of this communication (basically ...

http-auth 'logout' works, but then login fails

Since there is no real way to log out of a site using http-auth, I am using a kludge. <meta http-equiv="refresh" content="1;url=https://log:out@example.com" /> This works, the http-auth login ...

Passport.deserializeUser() security

I am using Passport.js for authentication in my Node.js application. I understand that the function deserializeUser(): passport.deserializeUser(function (id, done) { User.findById(id, function (...

Password Recovery for logged in profile

I have a long-lost account on my forum web site. I forgot the password. Somehow the website still remembers my profile. I am able to log in. I checked through the Chrome settings; there are no saved ...

Security of sha1 hashed password in memory

My program allows the user to input a password. The password is immediately hashed with SHA-1 and a constant salt and stored in memory. Let's assume an attacker has physical access to the computer where ...

How to secure communication between client and server in TCP

We have a TCP server with multiple client sockets connecting to it. We want to secure communication between the client sockets and server such that every message is validated before performing what it ...

Hidden HTML Iframe

I have a page with an iframe; to simplify this case let's assume that it looks like this: <!DOCTYPE html> <html> <head> <title></title> </head> <body> ...

What does “from updates excluded (updateinfo)” mean on “yum check-update --security” [on hold]

I've got a CentOS 7.3 installation running with automated security updates. Sometimes I check if there are available security updates. I noticed that many updates are excluded. The command I ran is ...

Connect to a WiFi connection with a security password via python 2.7 in windows 10

I am trying to write a Python 2.7 script in Windows 10 that can connect to a WiFi network after the application prompts the user to enter the name (SSID) and then the security password of the given ...

Spring security permitAll requires Authorization header

I have an application that has two REST endpoints: GET /api/products (not secure) POST /api/products (secure) For the first endpoint I don't want to send the "Authorization" header. For this, I ...

AWS security groups between accounts

We have two AWS accounts, one for dev and another for prod. Long story short we have a singular database used by services in both accounts which is in prod account. The problem arises when dev ...

Why does the NF2.1_Configurable_Info_Login security patch for iDempiere 1.0a have a failed hunk?

I'm looking for security patches for iDempiere v1.0a I found this site Category:New_Features_Security that contains the list of security patches. My problem is, I tried to apply NF2....

Why is an authentication URL not needed in OAuth 2.0 grant types other than authorization code?

I have good knowledge of all OAuth grant types including use cases, but I have a question: I have seen many examples of authorization code, so if I talk about the steps of the authorization code grant type where ...

Server side JSON string validation

Is there a secure way to validate an incoming untrusted JSON string in PHP? The client shows a dynamic form. The user can enter data into that form. The data needs to be saved on the server. The ...

Avoiding Windows security dialog upon first installation of a software

During driver installation on a new Windows 7 system, usually the following dialog pops up: If the checkbox is checked and install is clicked the driver is installed and in any subsequent ...

Is it better to separate REST API routes according to permissions?

I am working on a resource that can be updated using a PUT request to update any fields depending on the request content. I am facing an issue managing permissions for this route. Some fields can be ...

Net::ReadTimeout exception is always thrown while connecting to a particular network

I'm writing test scripts in Ruby Watir. I work in two networks - let's say home and office network. While running in office network, it is always throwing 'Net::ReadTimeout' exception but in home ...

Does enforcing a password complexity requirement in randomly generated passwords make them more secure?

I came across some code that looks approximately like this: function generatePassword() { let password; do { password = generateRandomString(); } while (!checkPasswordComplexity(password)); ...

Jasperserver 6.2 password encryption customization

There is this documentation online about encrypting passwords in url. http://community.jaspersoft.com/documentation/tibco-jasperreports-server-security-guide/v610/encrypting-passwords-urls The ...

What's the most secure way to ensure one account per user in a cross-platform mobile app?

I'm working on a polling system, and I want to prevent people from making multiple accounts or generating accounts with a bot. It will have clients on iOS, Android, and web. How can I best protect the ...

Does FileShare.None combined with FileOptions.DeleteOnClose securely protect the content of a file?

Consider the following pattern: const int defaultBufferSize = 4096; var stream = new FileStream( Path.GetTempFileName(), FileMode.CreateNew, FileAccess.ReadWrite, FileShare.None, ...

JavaScript map function Security Error on FireFox

I'm using JS code to get the above-the-fold CSS code from my websites. It works fine on Google Chrome. But if I use it on Firefox I get a Security Error: **SecurityError: The operation is ...

Warning: base64_decode() has been disabled for security reasons

I'm using a WordPress site, recently I had to update my site to WordPress 4.6.2. And now I'm experiencing an error. Can anyone help me out with this? check out the image for the error message: ...

Can a malicious attacker steal?

If I use passwords and API keys in my Android code, can an attacker steal those by any means? Please help.

Runtime.getRuntime().exec() returns IOError: permission denied

I'm trying to run a file (marked as executable in my app package directory): process = Runtime.getRuntime().exec(command, envParams, new File(workingDir)); It worked before Android N but now it ...

TOMCAT : SPNEGO CONFIGURATION ERROR

I have trouble with the SPNEGO Tomcat 7 configuration. I followed this guide for setup: spnego-tomcat-config. Here is my krb5.conf [libdefaults] default_realm=lctr.corp default_keytab_name="C:/tomcat/...

Prohibit copy/paste for a web application: possibilities?

Our company will present a web frontend to a handful of customers that are at a remote location. We want to prevent them from copying/pasting our assets (JavaScript, layouts etc.). What is the easiest ...

How does is_uploaded_file() add security?

I understand that the function works against $_FILES['nn']['tmp_name']. This tmp_name is created by PHP on the server and cannot (from my understanding) be manipulated by the client. In what sense ...

Is it safe to store public information on a public directory? [on hold]

Let's say I'm working on some sort of site that has upvotes, like Stack Overflow. Imagine I have the following directory /ex/5627/votes.txt; votes.txt contains 3. Is it safe to store that publicly on ...

How to protect default Zuul endpoints?

I am investigating the possibility of using Zuul (Spring Cloud) as an Edge Proxy in front of a set of backend APIs. Zuul offers some default endpoints for monitoring and administration purposes. I ...

Safety implications of a RESTful service being consumed by AJAX requests

Please correct me if this is not the place to post this question. Meanwhile, here we go. The team was asked to create a RESTful service; it was developed in Web API .NET. A third party ...

Single Sign-On: Get PC user name before authentication on Identity Provider

Well, I am new to security (SSO, SAML, etc). The scenario: We have a web application, and we want to catch the user name (for example the Windows user) before it has been sent to be authenticated with the ...

Want a .bat file that will delete a folder once a program has ended

My reason for needing this is for security purposes at a job. I am trying to remote into a customer's computer and run diagnostic software, but the issue is that the customer can end the remote ...

I am so confused about Transport level security in WCF vs SSL on Internet

I have read a lot of articles saying that in WCF you have two types of security: one is transport level and the other is message level. Transport level security must be used when you have an intranet ...

Angular2: share and maintain user secure data in all components

I have an angular2 app that authenticates through OAuth2 with password grant type. I store the session token on sessionStorage, and I need to store another data more secure, like user current roles. ...

Why does my website sometimes redirect to poptm?

Sometimes if I click a link on my website, my browser opens an extra window and redirects to a poptm URL, so I tried https://www.google.com/transparencyreport/safebrowsing/diagnostic/ and the diagnostic result ...

Getting full user name in Windows 7

Unfortunately I couldn't find anywhere what variable can display the full name of the current user (I want the full name of the user, not the logon account). Example: FULL NAME : JOHN SMITH , Logon: ...

JBoss 7 security realm from remote and authenticate user

What would be the best way to code access to a JBoss security realm from a remote and to authenticate a user? We are using JBoss.

Security risks of file upload-download systems

I know that there are many posts about this topic. But those posts usually talk about restricting the file types and sizes and so on. Hence none serves my needs, as my system does not have any ...

android.os.FileUtils.setPermissions() returns 1 in Android Nougat

I use reflection (find class android.os.FileUtils and method setPermissions()) to mark my file (bundled in app package directory) as executable. It worked before Android Nougat but on N it returns 1: ...

Python3 security Webcam

I am new here and to Python 3. My question is: how complicated is it to program a security system that can get pictures or videos from cameras over a socket and check whether it is the same person that I want ...

Secure file upload from Node.js server to PHP server

I'm trying to find a safe way to allow logged-in users of my Node.js app (N) to upload/delete files inside their own folder only on a PHP (P) server on a different domain. Can some expert tell me ...

Software development on system with only noexec mounts [on hold]

I am running a few Linux systems that I have previously set up using several security guides. One of the settings I have is the noexec mount option on /tmp (tmpfs), /var/tmp, /home. These are ...

HTTP Basic Auth Alternatives for Testing / Staging Environment

Question: Are there any alternatives to HTTP Basic Auth when trying to achieve the following? Use Case: Testers and stakeholders want to access an online testing or staging environment which is not ...

Android - Authentication against organisation

I'm developing an Android app which will be available to the public. Some data will be limited to users from a specific organisation only. To make sure the user belongs to this organisation a key is ...

How to use a separate root folder based on the logged-in user's permission/setting

We have an asp.net core app, that has the majority of the functionality of the app used for Staff logins, and a small amount of functionality for a customer login. The login page is shared between ...

Best way to build an activation/password reset link

What’s the best way to build a link containing an activation or password reset token? The URL would be delivered via email and the user would be expected to click on it to either activate their ...

Spring security: Custom login controller is never being entered

My security configuration is as following: @Autowired public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource) ...

Are laravel's routes safeguarding enough against file traversal attacks?

Route::get('/transaction/{name}', 'TransactionController@download'); public function download($name){ $path = storage_path('app/something/') . $name . '.xml'; return response()->download($...