Newest security Questions

Q&A for professional and enthusiast programmers

Using the Android hardware-backed KeyStore

I wish to use the Android hardware-backed KeyStore, but I'm concerned about security and usability. From what I've read here, KeyStore gets wiped when the user changes the device lock, unless ...

How is arbitrary and remote code execution achievable? [on hold]

I have seen arbitrary code execution happen on games but I don't understand how it happened. I need a very clear explanation of the things that cause arbitrary code execution and how to prevent it.

How to restrict users from pushing data or adding more than one child to a Firebase database child

In Firebase security rules how do we restrict users from pushing more than one item of data to the database? I've been trying this but it didn't work { "rules": { ".read": false, ".write": false, ...

CSS file can be intentionally changed

I have been informed that our CSS file can be intentionally changed by a bad actor on our web application. To give you a bit more context: We are sending to our clients emails containing a link (...

Create a security level through authentication when connecting to an ActiveMQ destination

I use Apache ActiveMQ version 5.14.4 to send some messages into a queue and to read them. I want to implement a security level so that when I connect to the destination I am asked to give a username ...

Disable root login SSH nginx [on hold]

I have changed PermitRootLogin and PasswordAuthentication to no in /etc/ssh/sshd_config file and restarted ssh using this command sudo service sshd restart but checking my auth.log I still see log ...

What are keystore and truststore, and how do they differ from each other?

Can anyone give some idea on what keystore and truststore are? Are they both the same, or is there any difference between them? Which file will be present on the client side and which file will be on the server side?

Firebase Rules allowing permissions

I have the following rules set in my Firebase App: { "rules": { "EVENT_TABLE":{ "$id":{ "allowed_users":{ ".read":"data.parent().parent()....

Design a new network with better security

I'm a beginner in network security and I don't have a lot of concepts. I have a question and I want to know the solution to go in depth into network security. My question depends on the picture. Is ...

Error: SecurityError: DOM Exception 18 Tizen

I'm trying to insert data in my local database. When I get to opening the db it gives me that error. I searched and found that it must be in a try catch block. I did it but still the same problem. var ...

How to identify ajax requests?

My website presents a paid (not free) API. So I need to identify all incoming ajax calls and reject unknown requests. In other words, I only want to return a JSON result to: the request comes from my ...

Google App Engine block unauthorized urls

I recently started using Google App engine for hosting a Node.js application. The app is still in development and thus should be dormant most of the time, but I noticed that I am getting a lot of ...

Trying to use spring security with optional x509 client certificate

I have a simple spring boot app with spring security for SSL and x509 client certificate. I want to run it in dev-mode using just http and no client certificate. And prod-mode using https and x509 ...

How can I detect ajax request comes from my own application?

My website returns a JSON string containing a database result when you call the URL through ajax. It's actually public. I mean everybody can send an ajax request to my website and simply get the result ...

Same-Site cookie in Spring Security

Is it possible to set the Same-Site cookie flag in Spring Security? See: https://tools.ietf.org/html/draft-west-first-party-cookies-07 And if not, is it on a roadmap to add support, please? There is ...

Microsoft Word pops up automatically in read-only mode with “apu.php (Read-Only)” title

This also happens with my Internet Explorer browser, then I blocked the browser; after a while the pop-up also happens with MS Word in read-only mode. I do not know if there are any viruses or ...

Web Security and Deployment

I need suggestions/guidance on applying Message or Transport level security for intranet, internet and extranet scenarios wherein the deployment structure is something like below: 1) 2 Web Servers 2) 2 ...

How to stop my app in Parallel Space?

I created an app. I want only one instance of my app per mobile, but I can create a clone of my app using Parallel Space - Multi Accounts. So my question is how to stop the making of clones of my app. Does Android have any ...

Can a .file (.htpasswd) be accessed via browser?

I was reading this How secure is .htaccess password protection? and reviewing the fact that one of my sites has the .htpasswd file in a web facing directory. But, if the permissions on a .htpasswd ...

Calling service using certificate: Error - “Keyset does not exist”

I am currently trying to access a service provided by a 3rd party. They have issued us a certificate in PKCS format. The certificate is installed in Local computer - Trusted root directory. Our ...

When using an external library from GitHub or NuGet, what are some things to look for to make sure security risks do not exist?

When using packages installed to Visual Studio from NuGet, for instance, what are some things I can look for within the javascript file(s) to make sure company or personal information isn't being ...

How to fix “reveal system data or debugging information by calling println()” by Fortify

Our project uses Fortify to scan our code. After scanning the code, there is an Audit problem since HttpServletResponse directly writes the error message. response.getWriter().println(e....

What are those directories in android: arp_tables_names/targets/matches

I just found that under /proc/net, besides the arp table (/proc/net/arp) itself, there are also three other folders: /proc/net/arp_tables_names, /proc/net/arp_tables_targets, and /proc/net/arp_matches ...

Chrome Extension Privilege Escalation Possible?

Suppose I install an extension E that requested privileges A (e.g., tabs). Suppose this extension is malicious. Further suppose that the extension system has a binding-layer bug that E can leverage to ...

Generating MVC Sitemap for not existing sitemap node action affects performance

If there are two actions and one has its node in the mvc.sitemap file and the other hasn't, the action (view) without one takes about 100x longer (5s vs 60ms) to render. To be clear: both work perfectly fine. It'...

Secure channel with postMessage through IFRAME

We have an application outlined below. The UI is provided from a safe domain https://aaa.com, and hosts script from the same domain. It loads client site https://client.com to an IFRAME. This site ...

How to stop brute force attack (password guessing game)? [on hold]

We have a web application that's been frequently hit with random usernames and passwords to find a successful login attempt. We introduced CAPTCHA and random token generation but that didn't stop the ...

Is .textContent completely secure?

I'm doing element.textContent = unescapedData to put unescaped user input on a website. Is there any way for an attacker to do something bad using this? Also, is there any way for an attacker to ...

Swagger codegen: API key securityDefinitions do not work in generated swagger UI

My swagger definitions are located in this gist. My problem is the security section is present in the swagger editor, but not present when I generate the nodejs-server swagger UI. Can anyone tell me ...

Accessing LinkedIn through a proxy

This is a shot in the dark but... I am attempting to access LinkedIn through a multi-user proxy server. It works fine at first but after a while LinkedIn stops allowing anyone to login saying that ...

Is this code vulnerable to SQL injection?

I need help please! I need to know if this code is vulnerable to SQL injection and how to exploit it: <?php if ( isset($_GET['id']) ) { $user_id = $_GET['id']; $query = "...

OWASP ZAP when using spider shows “OUT OF CONTEXT” in Spider tab with URL “weburl/Site.css”

I am new to OWASP ZAP and started manually testing through contexts and using Session Properties. But I am not able to detect all logged-in URLs of my huge website with the help of the spider. Can ...

Javascript security concern with templates and avatars

I plan to allow users to modify their profile templates (using HTML). Profiles are under subdomains, i.e. profile.site.com. The service adds the currently logged-in user's avatar in the top corner of each ...

Google Search safety advisor

I want to get a hint in the Google search results page whether every result is a safe website or not. I'm using Google Chrome on the Fedora 25 operating system. Searched a lot but didn't succeed to find a ...

Can websites use the computing power of visitors?

I'm just asking if the developer of a website can use the computing power of the visitors in things like cryptography and Bitcoin mining, and if that is efficient for them or not? I know that ...

What does “Incorrectly Handled Query Assembly” mean in SQL injection?

I'm reading a book about "SQL injection" and I faced the title "Incorrectly Handled Query Assembly". What does this mean? And can you give me an example code? Thanks.

How to sanitize user input for Java-generated code?

Having a function that generates Java code in a textual form (something similar to a template-engine, if you will), how would you sanitize user-provided fields to prevent code injection? For ...

How do I programmatically trigger ZAP (Zed Attack Proxy)?

Has anybody here worked on triggering ZAP in Java?

Passing Parameters through JSP Include and JSP Params Security Issue

This is an issue related to: http://michael-coates.blogspot.com/2010/09/danger-of-jsp-includes-and-parameter.html TLDR: For those not familiar to the issue, if you decide to render a subview with ...

Fixing XSS security issue in PHP

During security testing I am constantly getting a Cross site scripting [stored] issue as: URL encoded POST input textsize was set to Largest_935538'():;916159 The input is reflected inside tag between ...

TFS Admin Console authorization error

I installed an application tier just with the default settings. After the creation was finished, I get the TFS Error TF30063 (see pic) when I clicked e.g. "Group Membership". The user has admin rights ...

How to prevent XML External Entity attack with JDK6

My application uses JDK6. I have to fix the XXE vulnerability in my code, and was able to find a solution as below. But the below code works only with JDK7. I have a limitation to fix this without upgrading to ...

How to completely secure WordPress?

First of all thank you for taking time to answer my question. What are the MUST DOs of securing one's WordPress site? About to install on cPanel (haven't yet installed, I want to be secure from the ...

Why and how are social logins using OAuth 2.0?

I studied the workflow with OAuth 2.0 and a server-side web application. I understand what is going on, with the authorization code and with access tokens. While studying, I encountered a sentence saying that ...

Password and login handling by PHP [MOTION RPI]

For the moment I'm doing a little experiment with Motion on the Raspberry Pi so that I can create my own little cheap security system :p. So I added a password on the stream, in my case sanderpi:8081, and ...

How to connect android to Oracle database in secure manner?

I need to retrieve some critical data from an Oracle database. I'm using Tomcat server 7.0. As I have read on the internet, it is stated that connecting to a database through a server is unsafe. Is there any other ...

How to create and assign roles of users in Spring

I'm starting to get into Spring Security and I don't understand something: these roles, like for example auth.inMemoryAuthentication().withUser("user").password("password").roles("USER"); where are ...

Validating ajax requests

I'm trying to follow this approach: Let your Controller generate an access token and store it in the session for later comparison. In your View declare the access token as a JS variable ...

After set-key-partition-list codesign still prompts for key access

I'm importing a PEM file containing public and private keys for my code signing identity with the following command: security import "${PEM_FILE}" -k ~/Library/Keychains/login.keychain -T /usr/bin/...

Using intranet address for access

I wish to build an HTML page that front-ends an application that only particular clients may access. Only clients on my intranet may connect. My idea is to take the IP address of the client which is ...