Newest security Questions

Q&A for professional and enthusiast programmers

how to implement X-FRAME-OPTIONS in play 2.1.0

I want to prevent the clickjacking attack on one of the Play applications. I need to set the "X-FRAME-OPTIONS": "DENY" in the response header. The Play version I am using is 2.1.0 and I found that these security ...

How to sandbox/limit access for a Google Cloud Dataflow pipeline running in the cloud?

I want to run a pipeline (a previously staged template) in Google Cloud Dataflow (using the GAPI JS lib in a Google Cloud Function, as seen in https://shinesolutions.com/2017/03/23/triggering-dataflow-...

VBA: shell run, how to avoid security check

I have a VBA macro in Excel that calls an exe: shell.Run(myFile). The issue is that every time the macro is called the Windows Security Check arises and asks if I want to execute the software. Is ...

Lock an NFC tag to a specific device?

Is it possible to lock an NFC tag in such a way that only a specific device can read from it?

Google Cloud IAM Role to only start/stop instances?

In Google Cloud IAM, there doesn't seem to be a role that is restricted down to only being able to stop/start existing instances. Is it possible to scope permissions down so a given user can only ...

What is “riffing” in information security terms?

What is "riffing" in information security terms? I found this "riffing on threats" in a paper and I don't know what exactly it means

IP Whitelisting JMX operations

We have a large number of JMX operations exposed across different components (each running in its own JVM process). At the moment, the JMX operations are unsecured. This hasn't been so much of an issue ...

Filter's doFilter not invoked

I have in web.xml <filter id="Filter_1"> <filter-name>LoginFilter</filter-name> <filter-class>Controllers.LoginFilter</filter-class> </filter>...

Secure API with OpenID Connect - RP trust of OP

Getting to grips with OpenID Connect with a third party IdP ( OP ) and securing APIs. I'm comfortable with the client and user agent component and the OAuth2.0 flows and scopes to get an access token ...

Best practise: log collector with email notification to find abnormal user activity

For a rather small Windows network (20 users) we would like to get a notification when a user shows abnormal behaviour. The idea is to: - centrally collect Windows and SQL Server logs (or more) - make ...

Legal considerations for businesses and their website

What should any company with a website, allowing certain employee access to the company database, put into consideration? For example, legal issues of data protection, and just any other relevant ...

NS 2 installation error: narrowing conversion of 252 from int to char

I am working on VANET. For that, I need to install NS2 on my Fedora 24 system. NS 2 version - ns 2.34. During the installation process, I followed all the steps of ns 2.34 and made changes in the ...

Why is this XSS not working?

I am just trying to exercise on XSS and I want the alert box to pop up on echo, which should work on echo. I am doing exercises based on concepts and here I have a wrong usage of htmlspecialchars, ...

Allow PDF files to show

I am trying to show PDF files in my application but the .htaccess file does not allow access to them. Here is the code for my .htaccess file: Options +FollowSymlinks RewriteEngine On RewriteCond %{...

How to choose a prime for implementing Diffie-Hellman key exchange

I am currently writing code to implement Diffie-Hellman key exchange based on RFC 2631 and RFC 3526. As you can see in RFC 3526, there are many groups such as 1536-bit MODP Group // 2048-bit ...

How to detect and revoke compromised credential for Kinesis Firehose?

Our application includes a lot of remote devices which use AWS Kinesis Firehose to upload data from the field. The security concern is that some of these devices can be compromised, and any keys or ...

Shared signature key for JWT in various Microservices

I have various microservices. I have implemented security using JWT. Each service validates the JWT token with the key which is being shared across all the services. Is it fine to share the same signature ...

How to prevent website download, so someone can't download my full website

How to prevent website download, so someone can't download my full website with IDM or any other software. Is there any possibility to implement some algorithm or add some security tokens? What ...

FORM based authentication using JDBCRealm

I am implementing FORM authentication. I have edited the realm tag in the server.xml file. I have also changed the web.xml file. But when I run the web application and try to get connected to the SQL Server, ...

How secure is jasypt?

I have recently made an app that uses jasypt APIs for encryption and decryption of text and passwords. My question is, if the hacker also uses or knows about jasypt, would it be possible for him to ...

JDBCRealm FORM based authentication not redirecting to login page

I am trying to apply authentication in the index.jsp page but when I try to load this page, instead of getting redirected to the login2.xhtml page, I get this in the Chrome window. This is the realm tag added in ...

Suspicious activity in system.log on OS X

A mac user was having some clock errors, and thought they had seen someone using remote/VNC action on their screen. I went through the system.log and most of this activity is showing at times when the ...

Signed jar file recognized in java 1.7.0_76 but not java 1.7.0_75

I signed a jar file using the signer provided with jdk 1.7.0_71. This also worked previously until we updated from X.509, CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa to X.509, CN=...

Multi algorithm password hash structure for database persistence

Years ago I used a Java (Spring) framework for hashing passwords and storing them in a database. But I can't remember the name. The advantage was that it didn't only store the hashed value with salt ...

Passing Sensitive Information Via SignalR

Would it ever be wise to pass along more sensitive information using SignalR for your application to process? I've been thinking about this for a while now as part of a concept for a personal project ...

Federated authentication and session management

When you log in to IdentityServer the authentication cookie idsrv is stored in the browser. When the user logs out, the cookie is deleted. However, an attacker can steal the cookie and essentially use ...

ZAP-CLI: Alert results are different when run using zap-cli and ZAP UI. ZAP UI gives issues found whereas ZAP-cli shows no issues found

ZAP-CLI: Trying to use ZAP-CLI so that I can control the OWASP ZAP tool through the command line and integrate it with a Bamboo pipeline. I can see 'alert' results are different when run from the command line using zap-...

GET STIX data from TAXII server based on indicators (IP and Hash)

I am working on a project where I need to retrieve the STIX data from a TAXII server (HailaTaxii in my case) and parse the data for indicators and TTPs. I am facing the below problem. 1) Unable to ...

RDTSCP has a very unstable timing measurement for timing attack

(I know there are a lot of discussions about RDTSCP on this website, but they didn't solve my problem here.) I've read some papers about attacking RSA by measuring the time of RSA decryption and ...

How to run a Node.js server on HTTPS on my own server

I have developed a web console made in AngularJS and am running it on a Node.js server. Similarly, I have deployed the Angular web console on our own server (Linux) but it's running on HTTP. I want to run it ...

Is a compromised SQL Server sa account without a domain login enough to access database?

If a SQL Server account with system administrator rights is compromised but there is no access to a domain account, port 1433 is not exposed externally and SQL injection is not possible, is a ...

Firebase API Key Hiding [duplicate]

I am new to Firebase. I have a little concern over its information that might get publicly opened. Can Firebase be used as a server? How to hide apiKey, authDomain, databaseURL and so on details? ...

Would posting my code to GitHub affect the security of my application?

Background: I am writing a simple blog application in Django (data passed through the templating language). The owner of the blog will have access to the admin page where they will update the db. Now I ...

I want to move to the data security field. Where can I start? [on hold]

I am currently working as a PHP developer and want to switch to data security, but don't know where to start. I have a basic understanding of the Linux environment and C/C++ programming, strong database ...

How to perform security testing using Selenium?

I have already developed Selenium code to perform the web application testing. But I need to perform security testing for the same application. So please suggest how to perform the security testing ...

My mail account uploads some files without my permission

Recently, I received a message from my friend that contains some images and I downloaded it. But now every time I want to reply to a mail, I see that some images are uploaded to my reply message ...

Is it safe to store my 'next' url in a signed cookie and redirect to it carefree?

I'm using Flask and it's occurred to me it could be a rather elegant solution to redirect back to the user's last page after login/logout by simply placing a session['next'] = request.url at each ...

psad service on Linux

I am trying to set up psad (port scan detection system) but it doesn't work. I think that something is wrong with my iptables, because psad always sends [-] You may just need to add a default ...

Is it possible to prevent RedHat/CentOS Docker host root access from within a container?

I want to provide a minimal CentOS/RedHat VM to a staff member to log into using a non-root user account. I made the Docker socket available to the user to run docker 1.12 CLI commands via chgrping ...

What safety precaution measures should be taken if I want to embed my web app in a third-party native app (Android/iOS)?

We have a web app (register/login, bind credit card, buy financial product...). Is it safe to embed this web app in third-party native apps (iOS/Android webview) for promotion? If not, what precaution ...

How can I stop my hidden system files from being seen?

I'm working on a program that is hiding files. I use the File.SetAttributes() command to set the file attributes to hidden and system. However they are still being seen because the "Show hidden files" ...

REST API with cURL, not SSL encrypted: security?

I am hosting a script on my site; it will call the site by its domain name, using cURL and the REST API. I can't get the REST API working with the SSL cert, I am not sure why. But if I don't use the ...

How to do proxy re-encryption in C# or Java?

How can I implement proxy re-encryption in C#.NET or Java? I'm confused: is there a need to decrypt the data first and then encrypt it for the other person? Is that called proxy re-encryption? Am I right? Are ...

Protect Android App from reverse engineering

This question has already been asked, but my question is a bit different, so before giving a negative vote or marking as duplicate please read my question. I want to secure my app 100% and don't want hackers to ...

MD5 hashes, computer security

I'm a student in software engineering, and my professor won't give us enough help with this assignment. I searched the internet and still could not figure out how to solve this question; if anyone could ...

Is it safe to use AndroidKeyStore to generate a password for a database?

My app has a database, and I need a password to encrypt it. If I store a hardcoded password in Java or in JNI, it is easy to hack. Is it safer to use AndroidKeyStore to generate a password? (I will ...

How to clear a default rule in Fortify SCA

When Fortify SCA analyzes our .NET Framework project, it shows a Value Shadowing defect when code is written like HttpContext.Request["controlID"]. But actually we have performed some input ...

Security using Django 1.10 + AJAX without any HTML form

I make a POST request via AJAX without an HTML form. Are there any security issues? Why is there no CSRF error, given that I do not send any CSRF data and CSRF is enabled in Django? toggle-status.js ...

Strange code in a GET request PHP

I need some help with some strange code that I found in my database. It looks like somebody was trying to submit a GET request. The code I found is: /news/html/?0'union/**/select/**/1/**/from/**/(select/...

Secure WebSocket (WSS) with a Java server and a client in JavaScript

WebSocket connection to wss://localhost:8025/websockets/server failed: WebSocket opening handshake timed out. Please help, what am I doing wrong? Server side code: To start the server: Server server = ...