FAQ Database Discussion Community


searchable row level encryption using java?

java,database,security,encryption,bouncycastle
I am designing a java app that uses algorithms to import data from other sources into a database. And the app also searches for records in the database. How can I implement row level security in a way that the database does not even know that the data is encrypted,...

shared memory performance and protection from other processes

linux,security,shared-memory
I am trying to implement a JIT compiler (I have very geeky hobbies). I would like to have one main process that keeps some persistent variables, and a second process (that has been compiled just-in-time) that does some computation and can access and write on the persistent variables. The second...

Unsure if website has been hacked with iframe

javascript,html,security,iframe
My website seems to be loading code which doesn't actually exist on my server. I know the problem is server-side because I've tested with other computers... The code seems to load a header and then put's my real website inside an iframe, strangely there are no ads or redirects which...

Django user login through api [duplicate]

django,security,django-rest-framework
This question is an exact duplicate of: django rest framework - understanding authentication and logging in 1 answer I want to create a login form for users to sign into a django site. The site is set up using django rest framework and I am considering having the login...

User process can't see global shared memory created by service

c++,windows,security,winapi,memory-mapped-files
I have a Windows service (running in the system process) and a desktop application that need to share a configuration structure. The data originates in the app, but the user process doesn't have permission to create a global memory object so I create it when the service starts using CreateFileMapping()...

phantomjs --web-security=no

security,phantomjs,casperjs
In the documentation for phantomjs, there is an option to turn off web security and allow XHR (cross domain requests). Does this present a security risk to a user if you are filling forms with credentials such as usernames and passwords and then downloading screenshots with casper/phantom?...

“Invalid use of a side-effecting operator 'OPEN SYMMETRIC KEY' within a function.” error while opening a symmetric key

sql-server,sql-server-2008,security,sql-server-2012,encryption-symmetric
I am trying to open symmetric key inside two functions. Like this: CREATE FUNCTION DECRYPTDATA ( @CipherText NVARCHAR(MAX) ) RETURNS NVARCHAR(MAX) AS BEGIN DECLARE @Result NVARCHAR(MAX) OPEN SYMMETRIC KEY MyKEY DECRYPTION BY CERTIFICATE MyCERT SELECT @Result = CONVERT(VARCHAR(MAX),DECRYPTBYKEY(@CipherText)) RETURN @Result END GO CREATE FUNCTION ENCRYPTDATA ( @Text NVARCHAR(MAX) ) RETURNS...

Client side password hash versus plain text

security,hash,passwords,client,password-hash
I'm putting together an android client (and possibly in the future iOS, web portal, etc) and php mysql server. Server side I am currently using the PHPass library to hash and salt the incoming passwords. Should I make the client send plain text passwords over HTTPS/SSL or should the client...

Run Golang as www-data

security,go
When I run a Node HTTP server app I usually call a custom function function runAsWWW() { try { process.setgid('www-data'); process.setuid('www-data'); } catch (err) { console.error('Cowardly refusal to keep the process alive as root.'); process.exit(1); } } from server.listen(8080,'localhost',null,runAsWWW); so the server is actually running as the www-data user to...

Protect images download theory

javascript,html5,image,security
I am a full-time developer but am building a site for my photography hobby. I dont want people to download my images and besides the usual procedures (disable right click, block hotlinks to my images etc.) i was thinking about a solution which would work 99% of the time. The...

Code fails for decrypting without salt or iv in Java

java,security,encryption,aes,password-encryption
I have a ciphertext and a 256-bit key to decrypt it, using AES. There is no salt or iv. I am using Java. I have implemented many of the solutions online, but they all use salts and input vectors. The following builds fine, but fails at runtime: "Salt not found."...

SELECT within SELECT PDO prepared statement [duplicate]

php,mysql,security,pdo,prepared-statement
This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers I'm thinking of an example like this one: The request hits a page at an url (by whichever means), with a parameter. example.com/api/page?name=bob. It's my understanding that you should do a...

Forgotten password reset page: should the user need to enter a username/email as well?

security,user-management,forgot-password,reset-password
I am re-implementing the "reset password" functionality for the next version of my user management system. The way it works currently is: The user enters their username and email address. If this information is correct, a random token is generated and stored in the DB, and a link with the...

Rsa algoritmn generates ? characteres in java

java,android,security,rsa
I'm making an Android app for sending safe sms. I currently have the following code (Iam using 256 for testing) public void generateKey() throws NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException,BadPaddingException,InvalidKeyException{ try{ kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(256); kp = kpg.genKeyPair(); }catch(Exception e){ e.printStackTrace(); Toast.makeText(getBaseContext(), e.toString(),Toast.LENGTH_LONG).show(); } } public byte[] RSAEncrypt(final String plain) throws...

PHP shell input sanitizing

php,git,shell,security
I want input of alphanumeric string (sha1 - git commit ID). Is sanitizing with regexp /[^a-z0-9]/, using preg_replace with blank string enough to safely pass it to shell?

CakePHP - Controller testing failed because of Security component

security,unit-testing,cakephp,cakephp-3.0
I am trying to test controller methods (add, edit, ...) that use Security component. ContactsController public function initialize() { $this->loadComponent('Security'); } public function add() { $contact = $this->Contacts->newEntity(); if ($this->request->is('post')) { $contact = $this->Contacts->patchEntity($contact, $this->request->data); if ($this->Contacts->save($contact)) { $this->Flash->success(__d('contact_manager', 'The contact has been saved.')); return $this->redirect(['action' =>...

zsh: no matches found: requests[security]

python,security,python-2.7,ssl,python-requests
I am trying to run a python urllib2 script and getting this error: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. After googling the error the solution, on stack overflow...

how to custom spring-security authentication process with my own mechanism

java,spring,security,spring-mvc,spring-security
I'm trying to secure my app with spring security. My understanding about spring security is that they check the loaded password from UserDetails against the password user entered. The thing is my login authentication is inputing username and password into a pl/sql function which will return a result code. So...

How can I make a postgres role that has limited access, no insert update, but can do maintenance tasks like reindex and backups?

postgresql,security,vbscript
I have postgres 9.3 being installed with my windows desktop app on computers all over the place. I don't want Joe Script-kiddy looking at the pgpass.conf, getting the postgres password a running amuck in my Database. I was able to to make a backup role using this article but I...

Creating My Symmetric Key in C#

c#,security,encryption,cryptography,aes
Have been reviewing some symmetric cryptography approaches I've seen a lot of examples that hard code a private static variable in a class, usually something along the lines of: string key = "THISISYOURENCRYPTIONKEY!" and then somewhere further down, the code uses it for encrypting/decrypting. Putting aside the correct implementation/algorithm/strategy as...

Am I safe?? [trying to prevent sql injection] [duplicate]

php,mysql,security,laravel,pdo
This question already has an answer here: How can I prevent SQL-injection in PHP? 28 answers I was wondering if I'm safe from SQL injection if I have this in a script: < script> //some stuff var item = <?php echo json_oncode($PHPVAR) ?> item.replace(/"/,'&quot').replace(/'/,'&#39'); //do more script stuff with...

Placing secure data in Java web application

java,security,tomcat
The question is about security in tomcat, but first consider the following example: Suppose you have apache web server. Then, under www folder, create folder named dist, and under folder dist create folder named bdf23b1c-ddd3-4d5b-8fdf-948693674011. Under this folder create some file with secure information. For example, some private picture you...

iPhone Memory management for a deallocated password (Malloc Scribble in production?, fill with zeroes deallocated memory?)

ios,objective-c,iphone,c,security
I'm doing some research on how iPhone manage the heap and stack but it's very difficult to find a good source of information about this. I'm trying to trace how a password is kept in memory, even after the NSString is deallocated. As far as I can tell, an iPhone...

Android encryption and decryption of text fails

android,security,encryption,encryption-symmetric
I try to encrypt some text (here it is named code) and decrypt it again. For this i use a 4 digit Pin which is salted. After this the text is encrypted, also again some Base64 decoding, so i can safely output the String again. As i understand i have...

Spring boot security with 3 fields authentication and custom login form

spring,security,spring-security,spring-boot
I'm using spring boot and i need to implement spring security with 3 fields authentication process username, password and corporate identifier as a hidden input in a form. I implemented a custom usernamepasswordauthenticationfilter but it not seems to be enough to setup the security config. EDIT : Users don't seem...

Authorization Model: Context of Role?

security,authorization,claims-based-identity,abac,role-based-access-control
I am currently attempting to design an Authorization Model that has the following components: Privileges - an action that can either be granted or denied to a user/group Roles - a collection of privileges; roles can be associated with a user or group Security Objects - the entity to which...

Can I use plone.protect 3.0 with Plone 4.3?

forms,security,plone,csrf,plone-4.x
Since version 3, plone.protect provides automatic CSRF protection. Plone 4.3 includes, by default, plone.protect 2.0. Can I just upgrade to start using this feature in Plone 4.3?...

PHP: Secure a Rest Service with a Token mixed with Timestamp

php,rest,security,amazon-web-services,token
I have a rest service that my website calls it and I want to secure it from calling outside of my website as much as possible. I want to create a token mixed with timestamp, so the user can only call the service in 10 minutes (for example) with the...

server listens on 127.0.0.1, do I need firewall?

security,networking,localhost,firewall
I run a "private" service on my computer, which I do not want to be accessible from other computers. I configured it to only listen on 127.0.0.1. Do I still need a restrictive firewall? For example, is it possible to receive a packet on eth1, which would somehow have 127.0.0.1...

What is HTTP Parameter Pollution attack in NodeJS/ExpressJs

javascript,node.js,security,express
I read about it here https://www.npmjs.com/package/hpp It says : "Express populates http request parameters with same name in an array. Attacker can pollute request parameters to exploit this mechanism" I don't understand what mechanism the Attacker can use ?...

Reverse ^ operator for decryption

c,algorithm,security,math,encryption
I'm trying to reverse the following code in order to provide a function which takes the buffer and decrypts it. void crypt_buffer(unsigned char *buffer, size_t size, char *key) { size_t i; int j; j = 0; for(i = 0; i < size; i++) { if(j >= KEY_SIZE) j = 0;...

iptables put all forwarding rules in prerouting

linux,security,networking,firewall,iptables
I have a question about security in iptables. Is it safe to give ACCEPT policy to FORWARD chain? I mean, if packet gets there, it has come through PREROUTING table and in PREROUTING you only change destination ip of packet if you "like it". all packets that get in FORWARD...

Is a site with html and javascript secure

javascript,html,css3,security
IF: I write a site in HTML5, Javascript and CSS3. It has no forms or any input other than mouse clicks on links. No logins. No messaging. No comments. Will this site have vulnerabilities? For the 2nd time in a month, I've been notified by my host there are files...

MYSQL Access Control

mysql,node.js,security,access-control,row-level-security
I want to implement column level and row level access control on data stored in my MySQL database. I am using NodeJS on my server, what's the way to go for this ? I see SAP Hana allows that but want to keep MySQL.

When a security update is applied as a patch, does the product name change?

security,patch
When a security update is applied as a patch, does the product name change? I.e. Windows Server 2008 If this server undergoes a patch and/or security update, does it still appear as Windows Server 2008, or does it have to undergo a name change - I.e Windows Server 2008 version...

salt created by Java SecureRandom has different getBytes() value [duplicate]

java,security,salt
This question already has an answer here: how to convert byte array to string and vice versa 13 answers I use java SecureRandom to create salt to encrypt user. However, when I tried to match user with salt and password, they failed on different machine. The user is created...

Securing RTP packets without encrypting each packets

security,encryption,sip,voip,rtp
In VoIP, I understand encrypting SIP transmission will hide the information about what codec is used. Another way is encrypting the RTP payload, So transmitting SRTP/ZRTP in network. But encrypting each packet will take quiet a lot of processing in both end. I have seen few materials about scrambling RTP...

X509Certificate: what is the difference between getIssuerDN() and getSubjectDN() methods

java,security,authentication,x509
I'm using X509Certificate class in java, and when I want to get the subject name I try: x509certificate.getIssuerDN().getName(); and x509certificate.getSubjectDN().getName(); both methods have the same result. So what is the difference between them ??...

What does “ModLoad” does in python code?

python,security,exploit
I am trying to utilize an exploit code available online using python compiler 2.7.10. However I have no clue, what does the 'modload' command does, following is the code: import socket, sys print "\n" print "----------------------------------------------------------------" print "| Windows 7 IIS7.5 FTPSVC UNAUTH'D REMOTE DOS POC |" print "| Matthew...

ensure I'm working with my software and not an imposter. Windows, Java, Hardware

java,windows,security,malware,integrity
Can you think of a mechanism to guarantee my software (GUI application) is the software that I'm currently running and not an imposter (as a black box). It sounds as a crazy requirement, but this software determines life (it is a medical device) and if someone insists on doing bad,...

How can we create our own string encoding-decoding or encryption-decryption script in java without using any given library i.e. Base64, AES, etc?

java,security,encryption,encoding,cryptography
How can we create our own string encoding-decoding or encryption-decryption script in java without using any given library i.e. Base64, AES, etc? As per my client requirements, he want something where a user can decide a particular letter/number to be replaced by a letter/number which is again choosed by the...

Hashing passwords even when password is server-generated?

php,mysql,security,hash
Shall I hash users of my portal when password is generated by server and user cannot change it? Logically: User can't use this passwords anywhere else as it is server-generated. Even when somebody access database illegally, they can change password and see it, but it is useless for them as...

Hide sensitive information from git changes

git,security
Is there a way to instruct git to hide my sensitive information. E.g. credentials.php (in local repository). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'password'; credentials.php (in github repository and history). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'xxxxxxxx'; So git automatically hides the information with 'x'. If not via...

ClickOnce, reflection and security

.net,security,clickonce,appdomain
I have developed a .net desktop application which is distribuited to my clients as a clickonce application. This applications need to download a dll from my server and after that load it by reflection. The dll is downloaded correctly, but when i try to load it using: Dim dom As...

SAML service provider signature verification

security,single-sign-on,saml,pingfederate
This is a basic question about SAML protocol and how it specifies verification of a SAML token. Looking an different diagrams and resources, it looks like the service provider doesn't need to make calls to the Identity Provider (IdP) in order to verify a SAML token. I am interested in...

Is it possible for a user to modify site javascript in browser?

javascript,security
I don't know a lot about security, but I'm trying to figure out how to keep my site as safe as possible. I understand that as much stuff that I can handle on the backend the better, but for instances where I'd like to hold some variables on the client,...

Is secure to let access to ip-based blocked website to 127.0.0.1?

security,ip,localhost
I have a website that should not be visible for people outside some countries. I do a ip-blocking, but for testing purposes I need to let 127.0.0.1 access to the website. I know that ip blocking isn't totally safe, but, letting 127.0.0.1 access, can create troubles?...

Our OAuth2 implemention has security flaws

java,angularjs,security,oauth-2.0,hacking
I logged in as Scott who only has read permission. The oauth2 server(JAVA based) gave me a token. Then I asked my teammate to send me his non-expired token. I updated my Angular application and hardcoded the token that was given to me. I tried to make changes to the...

how to secure android-php-mysql connection

php,android,mysql,security
i searched alot on the internet and didnt find a properly answer. what i need is - a method to secure my application which is using a httprequest to php file which is in my server and it communicate with the mysql and set/get data. i need a way which...

NDK application Signature Check

java,android,security,android-ndk,digital-signature
I have some security key in an application. I want to store it securly. I like to store it in a native shared library (maybe generated from some code). After that I want it to be returned by a method that will check the signature of the original APK. So...

Configure Apache web server to perform SSL authentication

linux,apache,security,ssl,xampp
I'm trying to perform SSL authentication in apache web server, using XAMPP in Linux. After I configure httpd.conf like this, Apache server is failing to start. Can some one help me to fix this ? What is wrong with my configuration ? Alias /bitnami/ "/opt/lampp/apache2/htdocs/" Alias /bitnami "/opt/lampp/apache2/htdocs" <Directory "/opt/lampp/apache2/htdocs">...

HTTP Basic authentication (Java / Jersey)

java,web-services,rest,security
I created REST webservice and secured it using HTTP Basic authentication. It working fine, and asking for the username/password. But on second run (if browser still open) the webservice does not ask for username/password. If I close and reopen browser, it work as I wanted - asking to authentication. I...

Checking if the file is rar through its bytes

c#,security,byte
I am trying to verify that the file is a .rar file through its bytes for security purposes. Th following code is my code the only problem is that the sub-header is not matching with the one generated from the file. I noticed that is different for different file. Could...

Risk of using a persitent XSRF-TOKEN cookie in Angular

javascript,angularjs,security,csrf
This is related to this question CSRF Protection for Refresh Token Cookie in SPA I want to use the recommended XSRF-TOKEN cookie mechanism to protect another HttpOnly cookie. For this scenario I need to make the XSRF-TOKEN cookie persitent, because it has to be available at app start up after...

Android NullPointer Exception in method kpg.initializate

java,android,security,rsa
I'm a newbie in android and I'm trying to make a "simple" tutorial about a cypher/decypher application. I've the following code public class MainActivity extends AppCompatActivity { KeyPairGenerator kpg; KeyPair kp; PublicKey publicKey; PrivateKey privateKey; byte[] encryptedBytes, decryptedBytes; Cipher cipher, cipher1; String encrypted, decrypted; @Override protected void onCreate(Bundle savedInstanceState) {...

File security System in java? [on hold]

java,file,security,encryption
i'm new to java world.I have a idea about file secure system.When i add a file to the application it will encrypt and store a folder in the installation path.If i need to see the file ,i need to login with my username and password and the file will automatically...

Smashing the stack example3 ala Aleph One

c,security,pointers,stack-smash
I've reproduced Example 3 from Smashing the Stack for Fun and Profit on Linux x86_64. However I'm having trouble understanding what is the correct number of bytes that should be incremented to the return address in order to skip past the instruction: 0x0000000000400595 <+35>: movl $0x1,-0x4(%rbp) which is where I...

What damage can a website do?

security,web
Now and then I (accidentally) come across websites that my anti-virus warns me about. Out of curiosity, what kind of damage can a website do? I've been working in web development for around 4 years now and can't think of any 'genuine' damage worth warning the user about. Maybe I'm...

What are all the methods to delete local-storage data?

javascript,php,security,credentials,web-storage
My core question is what are the possible methods to delete window.localStorage data (not window.sessionStorage) from the client's browser. One way that I know is by going to the client's console and type localStorage.clear(). I'm building a web app that uses HTML-local-storage to replace PHP sessions and cookies. I have...

Websocket (java ee) how to get role of current user

security,java-ee,websocket,wildfly
I just added a Websocket endpoint to my java ee jax-rs application. Within Jax-Rs endpoints i can access the role of the user via SecurityContext. But within websocket i can't inject context stuff. So how to know the role of the user that tries to open a websocket session?...

Docker for a one shot CLI application

linux,security,docker,workflow,bioinformatics
Since I first knew of Docker, I thought it might be the solution for several problems we are usually facing at the lab. I work as a Data Analyst for a small Biology research group. I am using Snakemake for defining the -usually big and quite complex- workflows for our...

Protect video from video from capturing

java,security,web,filesystems,system
I have a webpage with a video. I have to protect this video from capturing it from browser with video capturing programms. I think that for this task i need to check process list or something like this, but to do this i have to use Java. Could anyone give...

How sanitize and store user input, that contains HTML regex pattern in WordPress

php,html,wordpress,security,html-sanitizing
I working on some WordPress plugin that one of its features is ability to store HTML regex pattern, entered by user, to DB and then display it on settings page. My method is actually work but I wonder if that code is secure enough: That's the user entered pattern: <div(.+?)class='sharedaddy...

RSA encryption in Android and Java

java,android,security,encryption,rsa
I would like to encrypt a String with RSA encryption. My public/private keys were generated and stored in DB. In android, I use this code: public static String encryptRSAToString(String text, String strPublicKey) { byte[] cipherText = null; String strEncryInfoData=""; try { KeyFactory keyFac = KeyFactory.getInstance("RSA"); KeySpec keySpec = new X509EncodedKeySpec(Base64.decode(strPublicKey.trim().getBytes(),...

How can we improve SSL handshake to increase the security?

security,ssl,encryption,server,cl
During SSL handshake, the server send the client its(server's) public key and then client creates a session key and encrypt it with the server's public key and send it to the server. The server then decrypt the message with its private key and retrive the session key. The further communication...

How create a custom response when spring-security receives null credentials (username and password)?

spring,security,spring-security,basic-authentication,postman
I am using postman to send a username and password without value to my server; it's like username=null and password=null. To control the security of my server, I use spring security 3.2. When it receives these credentials spring-security responds with this error. Estado HTTP 500 - Fields must not be...

Android how to handle sensitive data in memory

android,security,passwords
Please I have the following scenario: the app uses a password to access to some remote webservice over HTTPS; to do so, the app asks the user the password, does NOT store it on the device (and use it in a safe manner to access the webservice). My concern is...

What stops someone from forging a password reset link?

php,security,passwords,md5
I'm creating a profile system for a website, and I'm at the point where I'm coding the password reset function in PHP. Basically, I'm asking the user for their email address, then setting a random md5 password and emailing this to them and it comes in a link formatted like...

SMTP ports - SSL vs non-SSL

security,ssl,phpmailer
I was told today by a support rep at SMTP.com that regardless of whether we connect via SSL or non-SSL, the data is secure as if it is going via SSL. I'm no genius, but I'm also not a complete idiot. And I have a strong feeling that this guy...

What does the security implications for default character set in mysqli_real_escape_string() means?

php,security,mysqli
In PHP documentation for mysqli_real_escape_string(), it is written that Caution Security: the default character set The character set must be set either at the server level, or with the API function mysqli_set_charset() for it to affect mysqli_real_escape_string(). Source mysqli_real_escape_string In a further link about character set, it is mentioned that...

Why is this SQL injection 'sleep' attack an effective denial of service?

mysql,security,sql-injection
Today, while administering a client's server, our monitoring identified some slow page load times / other issues. I noticed while troubleshooting this, that the following query was in the process list and never seemed to finish: SELECT * FROM motorcycles LEFT JOIN motorcycle_year ON motorcycle_year.year_id = motorcycles.motorcycle_vyear LEFT JOIN motorcycle_make...

Authenticating plain text passwords against md5 hash in DB using Apache Shiro

java,security,shiro
Here is the my shiro.ini. [main] ds = org.apache.shiro.jndi.JndiObjectFactory ds.requiredType = javax.sql.DataSource ds.resourceName = java:/comp/env/jdbc/at credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher credentialsMatcher.hashAlgorithmName=MD5 credentialsMatcher.hashIterations=1024 credentialsMatcher.storedCredentialsHexEncoded=true jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm jdbcRealm.permissionsLookupEnabled = true jdbcRealm.dataSource = $ds jdbcRealm.authenticationQuery = SELECT...

Limiting a Web Worker's resources and permissions

javascript,html5,security,iframe,web-worker
I am creating a web platform that will host third party applications. In order to make that secure, I need foreign scripts to run in isolated environments. In HTML5, that came down to 2 options: Iframes Web Workers They can both prevent access to the main thread* and DOM, but...

Is it considered bad practice to reference the Microsoft.AspNet.Identity in the service layer of a multi layered web application?

c#,asp.net,asp.net-mvc,security,asp.net-identity
In my MVC application I am currently setting the Thread.CurrentPrincipal = HttpContext.Current.User in the Application_PostAuthenticateRequest() method e.g. protected void Application_PostAuthenticateRequest() { Thread.CurrentPrincipal = HttpContext.Current.User; } This allows me to use the Thread.CurrentPrincipal in other assemblies i.e. the service layer. For example: using System.Security; using System.Security.Permissions; using System.Threading; using Microsoft.AspNet.Identity; namespace...

Where can I configure groups like “stock.group_stock_user” with Open ERP?

security,openerp-7,groups
There are several groups for view interface of Open ERP. (groups="base.group_user", "stock.group_stock_user" etc). It seems I can create own custom one. But, where can I create and modify manage them? How can I configure which ERP users belong to this group?...

Does ajax increase or decrease security?

javascript,php,ajax,security
I am creating a website which until now is pure PHP. I was thinking that since very few people do not have JavaScript enabled (which I wonder why!) maybe I should create my website as a fully PHP site without any AJAX. Am I thinking wrong? Just to be sure,...

Using s3 in a healthcare application, private links

ruby-on-rails,security,amazon-s3,privacy
We develop a rails-based healthcare application. What is the best way to configure our s3 implementation so that only the authenticated user has access to the image?

How to STOP browsers from sharing session amongst tabs?

javascript,jsp,security,browser,spring-security
How to NOT share session between multiple browser tabs ? I am using Spring Security in JSP/Servlet application and I want to know "How can we achieve the behavior with Spring Security where user is forced to login again whenever he changes the browser tab ?". Disclaimer Question is similar...

Mass Assignment Vulnerability

ruby-on-rails,security,ruby-on-rails-4,mass-assignment
I have a model A such as : class A < ActiveRecord::Base validates_uniqueness_of :name attr_accessible :name end I want to remove mass assignment vulnerability on attribute :name. So I deleted the line attr_accessible :name from this model. This model has no controller, so I didn't write any strong parameters. This...

Spring Boot MVC non-role based security

java,security,spring-mvc,spring-boot
I am attempting to setup security in a new Spring Boot MVC application. I am attempting to do this with no XML configuration, only Java. Currently I have been able to get role based security working using the @Secured annotation on each of my @RequestMapping methods. I also need to...

AWS S3 The security of a signed URL as a hyperlink

security,hyperlink,amazon-s3,download
Is this safe? Maintaining security using a pre-signed url with AWS S3 Bucket object? <a href="https://mywebsite.s3.amazonaws.com/40.pdf?AWSAccessKeyId=[my access key]&Expires=1433297453&Signature=[this random set of numbers]">my link</a> Another words - part 1... say I'm storing a bunch of separate individual's files in a bucket. I want to provide a link to a file for...

Headers for security

security,http,header
I've been reading articles about the protection of your website and they say to place these 3 headers: X-Frame-Options: DENY X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff In my website to protect it from Website attacks, but I dont know how to declare it in my header, can someone help me with...

JQuery Add expiration to authentication token stored with HTML5 localStorage?

php,jquery,mysql,security,authentication
I am making a mobile game with JQuery Mobile, a multipage template (so all pages in 1 html file, which makes it usable with PhoneGap). Since it is HTML I am using JQuerys $.post function to send data to php scripts such as login.php, register.php, which add/update/delete data from the...

Preventing brute-force login attempts [closed]

security,server,accounts
I want to prevent hackers to break into my users' accounts. It is often said that: The best approach it to lockout an account temporarily after x failed login attempts. I understand this and it seems like a good idea. Using IP for example is a very bad idea -...

Securing JWT tokens in a AJAX call

security,jwt
Say site A has a piece of javascript that does an ajax call to an endpoint on site B. Site A uses a JWT generated from site B to authenticate the requests. Wouldn't a user be able to get the JWT, simply by inspecting (e.g Chrome) the request and it's...

Would delayed display of an email address be useful against email scrapers?

javascript,security,spam-prevention,email-spam
Assuming I need a public web page that displays the email information from a user of my site. In addition to obfuscation, would javascript like this be helpful? setTimeout(function(){ document.getElementById(id).innerHTML = "<span>" + username + "@" + hostname + "</span>"; },50) ...

Better regex for security and auditing?

php,regex,security
For personal use and work I have written various regular expressions to find all variables in PHP. The purpose of my regex is for security reasons and in particular to VET scripts and plugins. The expression is as follows: \${1,1}[\w]+[" +"]{0,}=[" +"]{0,}['"][a-zA-Z0-9" "]+['"]+[;]{0,} The above regular expression will find all...

Generating an MD5 Hash with a char[]

java,security,hash,md5,message-digest
How would one go about converting a char[] password obtained using this method: char[] password = passwordInputField.getPassword(); To an MD5 Hash? Normally I would use the method below, but getBytes is only compatible with Strings: MessageDigest md = MessageDigest.getInstance("MD5"); md.update(password.getBytes()); String hashedPass = new BigInteger(1, md.digest()).toString(16); ...

Is client-side java intrinsically less secure than javascript?

java,javascript,security
Much has been made of a series of bugs and exploits on client side java, leading to the blacklisting of various versions by apple, mozilla, etc. Yet javascript is an even less controlled language without static typing. Today javascript allows for many of the same potential problems: local storage, accessing...

Invalidate user credentials when password changes

asp.net,asp.net-mvc,security,asp.net-identity
I have an Asp.net MVC website. When the users change their password, do the logins from all of the browsers invalidate? I mean will the user require to login on all browsers with the new password? If not, is there a way to do this?

How to restrict file copying shared using Content Provider in Android?

android,security
Is it possible to forbid making copies of files for third party applications (like adobe reader), that I am using to open pdf files stored in internal memory of my application?

Role concept in the authorization

java,security,authorization
I'm writing the following public interface SecurityService{ public Error tryLogin(String usr, String psw); public String getRoleCurrentUser(); //Attention here } and of course, there will be a couple implementations. For instance, now I have public SpringSecurityService{ @Autowired AuthenticationManager authenticationManager; public Error tryLogin(String usr, String psw){ //Implementation here } public String getRoleCurrentUser(){...

Which layer of an application should keep security logic (permissions, authorization)?

security,business-logic,n-tier-architecture
Since the most similar questions are related to ASP MVC I want to know some common right choice strategies. Lets try to decide, will it go into the business layer or sit on the service layer. Considering service layer to have a classical remote facade interface it seems to be...

How is rails CSRF generated token useful?

ruby-on-rails,security,csrf
It seems I am missing something in the CSRF working mechanism, as I understand: If the CSRF token submitted with the form doesn't match the one in the session, the session is destroyed and thus all authentication data is lost and most probably the user wont' be able to complete...

How to secure configuration file containing database username and password

php,security
Issue In order to connect my PHP code with MySQL database I use PDO way, creating variable, assigning it with new PDO object where arguments contain settings such as server, database, login and password. So in resulting code it could look like this: $DAcess=new PDO("mysql:host=server;dbname=database","login","password"); I don't feel comfortable having...

Trojan(Simple Client-Server in C)

c,security,firewall,virus,trojan
So I started network programming a few days ago, and I created a very simple trojan (Victims execute a client that create a connection to the hackers PC's and then Hackers can execute function of CMD by a simple system() command). Basically my trojan works but I don't understand why...

How to secure a controller on WebAPI for use by only the local machine

c#,security,asp.net-web-api,certificate
I have an ASP.NET MVC website that makes use of WebAPI, SignalR. I wish for my server (the same server that hosts the website) to make HTTP requests to a WebAPI controller - I wish to do this so that I can hook into my website's SignalR functionality. I want...

Wordpress: Changed HTTP to HTTPS, now security certificate error

wordpress,security,https
I was trying to secure my website and found a blog on wordpress which shows how to change HTTP to HTTPS from the wordpress settings. I did what it said and now my website won't let me navigate further than the home page. I tried logging into the admin page,...

Getting “format not a string literal and no format arguments” warning while using GTK+2

c,security,gcc,gtk,gcc-warning
I am getting an error like this: warning: format not a string literal and no format arguments [-Wformat-security] GTK_BUTTONS_OK, (const gchar*)message); ^ because of this function: static void show_message (gchar *message, GtkMessageType type) { GtkWidget *dialog = gtk_message_dialog_new(NULL, 0, type, GTK_BUTTONS_OK, message); gtk_dialog_run(GTK_DIALOG(dialog)); gtk_widget_destroy(dialog); } How can I fix it?...

PHP token security

php,security,login,token
I wrote a PHP application which requires a login. This application is private so no new users can register. First I used sessions to identify the users but it lead to problems on tablets because they lost their sessions. I think this is because of energy saving operations. Now I...