FAQ Database Discussion Community
spring,security,spring-security,basic-authentication,postman
I am using postman to send a username and password without value to my server; it's like username=null and password=null. To control the security of my server, I use spring security 3.2. When it receives these credentials spring-security responds with this error. Estado HTTP 500 - Fields must not be...
java,windows,security,malware,integrity
Can you think of a mechanism to guarantee my software (GUI application) is the software that I'm currently running and not an imposter (as a black box). It sounds as a crazy requirement, but this software determines life (it is a medical device) and if someone insists on doing bad,...
java,spring,security,spring-mvc,spring-security
I'm trying to secure my app with spring security. My understanding about spring security is that they check the loaded password from UserDetails against the password user entered. The thing is my login authentication is inputing username and password into a pl/sql function which will return a result code. So...
java,security,spring-mvc,spring-boot
I am attempting to setup security in a new Spring Boot MVC application. I am attempting to do this with no XML configuration, only Java. Currently I have been able to get role based security working using the @Secured annotation on each of my @RequestMapping methods. I also need to...
ruby-on-rails,security,csrf
It seems I am missing something in the CSRF working mechanism, as I understand: If the CSRF token submitted with the form doesn't match the one in the session, the session is destroyed and thus all authentication data is lost and most probably the user wont' be able to complete...
postgresql,security,vbscript
I have postgres 9.3 being installed with my windows desktop app on computers all over the place. I don't want Joe Script-kiddy looking at the pgpass.conf, getting the postgres password a running amuck in my Database. I was able to to make a backup role using this article but I...
security,phantomjs,casperjs
In the documentation for phantomjs, there is an option to turn off web security and allow XHR (cross domain requests). Does this present a security risk to a user if you are filling forms with credentials such as usernames and passwords and then downloading screenshots with casper/phantom?...
php,security,login,token
I wrote a PHP application which requires a login. This application is private so no new users can register. First I used sessions to identify the users but it lead to problems on tablets because they lost their sessions. I think this is because of energy saving operations. Now I...
security,jwt
Say site A has a piece of javascript that does an ajax call to an endpoint on site B. Site A uses a JWT generated from site B to authenticate the requests. Wouldn't a user be able to get the JWT, simply by inspecting (e.g Chrome) the request and it's...
python,security,python-2.7,ssl,python-requests
I am trying to run a python urllib2 script and getting this error: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. After googling the error the solution, on stack overflow...
python,security,exploit
I am trying to utilize an exploit code available online using python compiler 2.7.10. However I have no clue, what does the 'modload' command does, following is the code: import socket, sys print "\n" print "----------------------------------------------------------------" print "| Windows 7 IIS7.5 FTPSVC UNAUTH'D REMOTE DOS POC |" print "| Matthew...
javascript,angularjs,security,csrf
This is related to this question CSRF Protection for Refresh Token Cookie in SPA I want to use the recommended XSRF-TOKEN cookie mechanism to protect another HttpOnly cookie. For this scenario I need to make the XSRF-TOKEN cookie persitent, because it has to be available at app start up after...
php,android,mysql,security
i searched alot on the internet and didnt find a properly answer. what i need is - a method to secure my application which is using a httprequest to php file which is in my server and it communicate with the mysql and set/get data. i need a way which...
javascript,security
I don't know a lot about security, but I'm trying to figure out how to keep my site as safe as possible. I understand that as much stuff that I can handle on the backend the better, but for instances where I'd like to hold some variables on the client,...
security,ssl,phpmailer
I was told today by a support rep at SMTP.com that regardless of whether we connect via SSL or non-SSL, the data is secure as if it is going via SSL. I'm no genius, but I'm also not a complete idiot. And I have a strong feeling that this guy...
linux,apache,security,ssl,xampp
I'm trying to perform SSL authentication in apache web server, using XAMPP in Linux. After I configure httpd.conf like this, Apache server is failing to start. Can some one help me to fix this ? What is wrong with my configuration ? Alias /bitnami/ "/opt/lampp/apache2/htdocs/" Alias /bitnami "/opt/lampp/apache2/htdocs" <Directory "/opt/lampp/apache2/htdocs">...
security,openerp-7,groups
There are several groups for view interface of Open ERP. (groups="base.group_user", "stock.group_stock_user" etc). It seems I can create own custom one. But, where can I create and modify manage them? How can I configure which ERP users belong to this group?...
php,rest,security,amazon-web-services,token
I have a rest service that my website calls it and I want to secure it from calling outside of my website as much as possible. I want to create a token mixed with timestamp, so the user can only call the service in 10 minutes (for example) with the...
security,web
Now and then I (accidentally) come across websites that my anti-virus warns me about. Out of curiosity, what kind of damage can a website do? I've been working in web development for around 4 years now and can't think of any 'genuine' damage worth warning the user about. Maybe I'm...
javascript,html,security,iframe
My website seems to be loading code which doesn't actually exist on my server. I know the problem is server-side because I've tested with other computers... The code seems to load a header and then put's my real website inside an iframe, strangely there are no ads or redirects which...
ios,objective-c,iphone,c,security
I'm doing some research on how iPhone manage the heap and stack but it's very difficult to find a good source of information about this. I'm trying to trace how a password is kept in memory, even after the NSString is deallocated. As far as I can tell, an iPhone...
security,encryption,sip,voip,rtp
In VoIP, I understand encrypting SIP transmission will hide the information about what codec is used. Another way is encrypting the RTP payload, So transmitting SRTP/ZRTP in network. But encrypting each packet will take quiet a lot of processing in both end. I have seen few materials about scrambling RTP...
django,security,django-rest-framework
This question is an exact duplicate of: django rest framework - understanding authentication and logging in 1 answer I want to create a login form for users to sign into a django site. The site is set up using django rest framework and I am considering having the login...
java,security,tomcat
The question is about security in tomcat, but first consider the following example: Suppose you have apache web server. Then, under www folder, create folder named dist, and under folder dist create folder named bdf23b1c-ddd3-4d5b-8fdf-948693674011. Under this folder create some file with secure information. For example, some private picture you...
security,authorization,claims-based-identity,abac,role-based-access-control
I am currently attempting to design an Authorization Model that has the following components: Privileges - an action that can either be granted or denied to a user/group Roles - a collection of privileges; roles can be associated with a user or group Security Objects - the entity to which...
php,git,shell,security
I want input of alphanumeric string (sha1 - git commit ID). Is sanitizing with regexp /[^a-z0-9]/, using preg_replace with blank string enough to safely pass it to shell?
php,security
Issue In order to connect my PHP code with MySQL database I use PDO way, creating variable, assigning it with new PDO object where arguments contain settings such as server, database, login and password. So in resulting code it could look like this: $DAcess=new PDO("mysql:host=server;dbname=database","login","password"); I don't feel comfortable having...
security,http,header
I've been reading articles about the protection of your website and they say to place these 3 headers: X-Frame-Options: DENY X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff In my website to protect it from Website attacks, but I dont know how to declare it in my header, can someone help me with...
ruby-on-rails,security,amazon-s3,privacy
We develop a rails-based healthcare application. What is the best way to configure our s3 implementation so that only the authenticated user has access to the image?
forms,security,plone,csrf,plone-4.x
Since version 3, plone.protect provides automatic CSRF protection. Plone 4.3 includes, by default, plone.protect 2.0. Can I just upgrade to start using this feature in Plone 4.3?...
javascript,security,spam-prevention,email-spam
Assuming I need a public web page that displays the email information from a user of my site. In addition to obfuscation, would javascript like this be helpful? setTimeout(function(){ document.getElementById(id).innerHTML = "<span>" + username + "@" + hostname + "</span>"; },50) ...
java,file,security,encryption
i'm new to java world.I have a idea about file secure system.When i add a file to the application it will encrypt and store a folder in the installation path.If i need to see the file ,i need to login with my username and password and the file will automatically...
security,patch
When a security update is applied as a patch, does the product name change? I.e. Windows Server 2008 If this server undergoes a patch and/or security update, does it still appear as Windows Server 2008, or does it have to undergo a name change - I.e Windows Server 2008 version...
java,security,web,filesystems,system
I have a webpage with a video. I have to protect this video from capturing it from browser with video capturing programms. I think that for this task i need to check process list or something like this, but to do this i have to use Java. Could anyone give...
c,security,gcc,gtk,gcc-warning
I am getting an error like this: warning: format not a string literal and no format arguments [-Wformat-security] GTK_BUTTONS_OK, (const gchar*)message); ^ because of this function: static void show_message (gchar *message, GtkMessageType type) { GtkWidget *dialog = gtk_message_dialog_new(NULL, 0, type, GTK_BUTTONS_OK, message); gtk_dialog_run(GTK_DIALOG(dialog)); gtk_widget_destroy(dialog); } How can I fix it?...
security,networking,localhost,firewall
I run a "private" service on my computer, which I do not want to be accessible from other computers. I configured it to only listen on 127.0.0.1. Do I still need a restrictive firewall? For example, is it possible to receive a packet on eth1, which would somehow have 127.0.0.1...
java,android,security,rsa
I'm making an Android app for sending safe sms. I currently have the following code (Iam using 256 for testing) public void generateKey() throws NoSuchAlgorithmException, NoSuchPaddingException, IllegalBlockSizeException,BadPaddingException,InvalidKeyException{ try{ kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(256); kp = kpg.genKeyPair(); }catch(Exception e){ e.printStackTrace(); Toast.makeText(getBaseContext(), e.toString(),Toast.LENGTH_LONG).show(); } } public byte[] RSAEncrypt(final String plain) throws...
java,security,hash,md5,message-digest
How would one go about converting a char[] password obtained using this method: char[] password = passwordInputField.getPassword(); To an MD5 Hash? Normally I would use the method below, but getBytes is only compatible with Strings: MessageDigest md = MessageDigest.getInstance("MD5"); md.update(password.getBytes()); String hashedPass = new BigInteger(1, md.digest()).toString(16); ...
git,security
Is there a way to instruct git to hide my sensitive information. E.g. credentials.php (in local repository). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'password'; credentials.php (in github repository and history). Line1: $dbname = 'xyz'; Line2: $dbpassword = 'xxxxxxxx'; So git automatically hides the information with 'x'. If not via...
php,mysql,security,hash
Shall I hash users of my portal when password is generated by server and user cannot change it? Logically: User can't use this passwords anywhere else as it is server-generated. Even when somebody access database illegally, they can change password and see it, but it is useless for them as...
php,security,mysqli
In PHP documentation for mysqli_real_escape_string(), it is written that Caution Security: the default character set The character set must be set either at the server level, or with the API function mysqli_set_charset() for it to affect mysqli_real_escape_string(). Source mysqli_real_escape_string In a further link about character set, it is mentioned that...
java,android,security,encryption,rsa
I would like to encrypt a String with RSA encryption. My public/private keys were generated and stored in DB. In android, I use this code: public static String encryptRSAToString(String text, String strPublicKey) { byte[] cipherText = null; String strEncryInfoData=""; try { KeyFactory keyFac = KeyFactory.getInstance("RSA"); KeySpec keySpec = new X509EncodedKeySpec(Base64.decode(strPublicKey.trim().getBytes(),...
security,java-ee,websocket,wildfly
I just added a Websocket endpoint to my java ee jax-rs application. Within Jax-Rs endpoints i can access the role of the user via SecurityContext. But within websocket i can't inject context stuff. So how to know the role of the user that tries to open a websocket session?...
java,android,security,rsa
I'm a newbie in android and I'm trying to make a "simple" tutorial about a cypher/decypher application. I've the following code public class MainActivity extends AppCompatActivity { KeyPairGenerator kpg; KeyPair kp; PublicKey publicKey; PrivateKey privateKey; byte[] encryptedBytes, decryptedBytes; Cipher cipher, cipher1; String encrypted, decrypted; @Override protected void onCreate(Bundle savedInstanceState) {...
security,business-logic,n-tier-architecture
Since the most similar questions are related to ASP MVC I want to know some common right choice strategies. Lets try to decide, will it go into the business layer or sit on the service layer. Considering service layer to have a classical remote facade interface it seems to be...
android,security
Is it possible to forbid making copies of files for third party applications (like adobe reader), that I am using to open pdf files stored in internal memory of my application?
javascript,php,security,credentials,web-storage
My core question is what are the possible methods to delete window.localStorage data (not window.sessionStorage) from the client's browser. One way that I know is by going to the client's console and type localStorage.clear(). I'm building a web app that uses HTML-local-storage to replace PHP sessions and cookies. I have...
linux,security,shared-memory
I am trying to implement a JIT compiler (I have very geeky hobbies). I would like to have one main process that keeps some persistent variables, and a second process (that has been compiled just-in-time) that does some computation and can access and write on the persistent variables. The second...
java,security,shiro
Here is the my shiro.ini. [main] ds = org.apache.shiro.jndi.JndiObjectFactory ds.requiredType = javax.sql.DataSource ds.resourceName = java:/comp/env/jdbc/at credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher credentialsMatcher.hashAlgorithmName=MD5 credentialsMatcher.hashIterations=1024 credentialsMatcher.storedCredentialsHexEncoded=true jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm jdbcRealm.permissionsLookupEnabled = true jdbcRealm.dataSource = $ds jdbcRealm.authenticationQuery = SELECT...
mysql,security,sql-injection
Today, while administering a client's server, our monitoring identified some slow page load times / other issues. I noticed while troubleshooting this, that the following query was in the process list and never seemed to finish: SELECT * FROM motorcycles LEFT JOIN motorcycle_year ON motorcycle_year.year_id = motorcycles.motorcycle_vyear LEFT JOIN motorcycle_make...
java,android,security,android-ndk,digital-signature
I have some security key in an application. I want to store it securly. I like to store it in a native shared library (maybe generated from some code). After that I want it to be returned by a method that will check the signature of the original APK. So...
c++,windows,security,winapi,memory-mapped-files
I have a Windows service (running in the system process) and a desktop application that need to share a configuration structure. The data originates in the app, but the user process doesn't have permission to create a global memory object so I create it when the service starts using CreateFileMapping()...
php,html,wordpress,security,html-sanitizing
I working on some WordPress plugin that one of its features is ability to store HTML regex pattern, entered by user, to DB and then display it on settings page. My method is actually work but I wonder if that code is secure enough: That's the user entered pattern: <div(.+?)class='sharedaddy...
.net,security,clickonce,appdomain
I have developed a .net desktop application which is distribuited to my clients as a clickonce application. This applications need to download a dll from my server and after that load it by reflection. The dll is downloaded correctly, but when i try to load it using: Dim dom As...
c#,asp.net,asp.net-mvc,security,asp.net-identity
In my MVC application I am currently setting the Thread.CurrentPrincipal = HttpContext.Current.User in the Application_PostAuthenticateRequest() method e.g. protected void Application_PostAuthenticateRequest() { Thread.CurrentPrincipal = HttpContext.Current.User; } This allows me to use the Thread.CurrentPrincipal in other assemblies i.e. the service layer. For example: using System.Security; using System.Security.Permissions; using System.Threading; using Microsoft.AspNet.Identity; namespace...
c,algorithm,security,math,encryption
I'm trying to reverse the following code in order to provide a function which takes the buffer and decrypts it. void crypt_buffer(unsigned char *buffer, size_t size, char *key) { size_t i; int j; j = 0; for(i = 0; i < size; i++) { if(j >= KEY_SIZE) j = 0;...
c#,security,byte
I am trying to verify that the file is a .rar file through its bytes for security purposes. Th following code is my code the only problem is that the sub-header is not matching with the one generated from the file. I noticed that is different for different file. Could...
php,regex,security
For personal use and work I have written various regular expressions to find all variables in PHP. The purpose of my regex is for security reasons and in particular to VET scripts and plugins. The expression is as follows: \${1,1}[\w]+[" +"]{0,}=[" +"]{0,}['"][a-zA-Z0-9" "]+['"]+[;]{0,} The above regular expression will find all...
asp.net,asp.net-mvc,security,asp.net-identity
I have an Asp.net MVC website. When the users change their password, do the logins from all of the browsers invalidate? I mean will the user require to login on all browsers with the new password? If not, is there a way to do this?
security,ssl,encryption,server,cl
During SSL handshake, the server send the client its(server's) public key and then client creates a session key and encrypt it with the server's public key and send it to the server. The server then decrypt the message with its private key and retrive the session key. The further communication...
java,security,encryption,aes,password-encryption
I have a ciphertext and a 256-bit key to decrypt it, using AES. There is no salt or iv. I am using Java. I have implemented many of the solutions online, but they all use salts and input vectors. The following builds fine, but fails at runtime: "Salt not found."...
spring,security,spring-security,spring-boot
I'm using spring boot and i need to implement spring security with 3 fields authentication process username, password and corporate identifier as a hidden input in a form. I implemented a custom usernamepasswordauthenticationfilter but it not seems to be enough to setup the security config. EDIT : Users don't seem...
javascript,html5,security,iframe,web-worker
I am creating a web platform that will host third party applications. In order to make that secure, I need foreign scripts to run in isolated environments. In HTML5, that came down to 2 options: Iframes Web Workers They can both prevent access to the main thread* and DOM, but...
java,angularjs,security,oauth-2.0,hacking
I logged in as Scott who only has read permission. The oauth2 server(JAVA based) gave me a token. Then I asked my teammate to send me his non-expired token. I updated my Angular application and hardcoded the token that was given to me. I tried to make changes to the...
security,single-sign-on,saml,pingfederate
This is a basic question about SAML protocol and how it specifies verification of a SAML token. Looking an different diagrams and resources, it looks like the service provider doesn't need to make calls to the Identity Provider (IdP) in order to verify a SAML token. I am interested in...
java,security,authorization
I'm writing the following public interface SecurityService{ public Error tryLogin(String usr, String psw); public String getRoleCurrentUser(); //Attention here } and of course, there will be a couple implementations. For instance, now I have public SpringSecurityService{ @Autowired AuthenticationManager authenticationManager; public Error tryLogin(String usr, String psw){ //Implementation here } public String getRoleCurrentUser(){...
security,server,accounts
I want to prevent hackers to break into my users' accounts. It is often said that: The best approach it to lockout an account temporarily after x failed login attempts. I understand this and it seems like a good idea. Using IP for example is a very bad idea -...
java,security,authentication,x509
I'm using X509Certificate class in java, and when I want to get the subject name I try: x509certificate.getIssuerDN().getName(); and x509certificate.getSubjectDN().getName(); both methods have the same result. So what is the difference between them ??...
security,go
When I run a Node HTTP server app I usually call a custom function function runAsWWW() { try { process.setgid('www-data'); process.setuid('www-data'); } catch (err) { console.error('Cowardly refusal to keep the process alive as root.'); process.exit(1); } } from server.listen(8080,'localhost',null,runAsWWW); so the server is actually running as the www-data user to...
security,ip,localhost
I have a website that should not be visible for people outside some countries. I do a ip-blocking, but for testing purposes I need to let 127.0.0.1 access to the website. I know that ip blocking isn't totally safe, but, letting 127.0.0.1 access, can create troubles?...
php,jquery,mysql,security,authentication
I am making a mobile game with JQuery Mobile, a multipage template (so all pages in 1 html file, which makes it usable with PhoneGap). Since it is HTML I am using JQuerys $.post function to send data to php scripts such as login.php, register.php, which add/update/delete data from the...
linux,security,networking,firewall,iptables
I have a question about security in iptables. Is it safe to give ACCEPT policy to FORWARD chain? I mean, if packet gets there, it has come through PREROUTING table and in PREROUTING you only change destination ip of packet if you "like it". all packets that get in FORWARD...
security,hash,passwords,client,password-hash
I'm putting together an android client (and possibly in the future iOS, web portal, etc) and php mysql server. Server side I am currently using the PHPass library to hash and salt the incoming passwords. Should I make the client send plain text passwords over HTTPS/SSL or should the client...
java,security,encryption,encoding,cryptography
How can we create our own string encoding-decoding or encryption-decryption script in java without using any given library i.e. Base64, AES, etc? As per my client requirements, he want something where a user can decide a particular letter/number to be replaced by a letter/number which is again choosed by the...
security,hyperlink,amazon-s3,download
Is this safe? Maintaining security using a pre-signed url with AWS S3 Bucket object? <a href="https://mywebsite.s3.amazonaws.com/40.pdf?AWSAccessKeyId=[my access key]&Expires=1433297453&Signature=[this random set of numbers]">my link</a> Another words - part 1... say I'm storing a bunch of separate individual's files in a bucket. I want to provide a link to a file for...
java,javascript,security
Much has been made of a series of bugs and exploits on client side java, leading to the blacklisting of various versions by apple, mozilla, etc. Yet javascript is an even less controlled language without static typing. Today javascript allows for many of the same potential problems: local storage, accessing...
android,security,encryption,encryption-symmetric
I try to encrypt some text (here it is named code) and decrypt it again. For this i use a 4 digit Pin which is salted. After this the text is encrypted, also again some Base64 decoding, so i can safely output the String again. As i understand i have...
javascript,jsp,security,browser,spring-security
How to NOT share session between multiple browser tabs ? I am using Spring Security in JSP/Servlet application and I want to know "How can we achieve the behavior with Spring Security where user is forced to login again whenever he changes the browser tab ?". Disclaimer Question is similar...
c,security,pointers,stack-smash
I've reproduced Example 3 from Smashing the Stack for Fun and Profit on Linux x86_64. However I'm having trouble understanding what is the correct number of bytes that should be incremented to the return address in order to skip past the instruction: 0x0000000000400595 <+35>: movl $0x1,-0x4(%rbp) which is where I...
c,security,firewall,virus,trojan
So I started network programming a few days ago, and I created a very simple trojan (Victims execute a client that create a connection to the hackers PC's and then Hackers can execute function of CMD by a simple system() command). Basically my trojan works but I don't understand why...
sql-server,sql-server-2008,security,sql-server-2012,encryption-symmetric
I am trying to open symmetric key inside two functions. Like this: CREATE FUNCTION DECRYPTDATA ( @CipherText NVARCHAR(MAX) ) RETURNS NVARCHAR(MAX) AS BEGIN DECLARE @Result NVARCHAR(MAX) OPEN SYMMETRIC KEY MyKEY DECRYPTION BY CERTIFICATE MyCERT SELECT @Result = CONVERT(VARCHAR(MAX),DECRYPTBYKEY(@CipherText)) RETURN @Result END GO CREATE FUNCTION ENCRYPTDATA ( @Text NVARCHAR(MAX) ) RETURNS...
linux,security,docker,workflow,bioinformatics
Since I first knew of Docker, I thought it might be the solution for several problems we are usually facing at the lab. I work as a Data Analyst for a small Biology research group. I am using Snakemake for defining the -usually big and quite complex- workflows for our...
javascript,html,css3,security
IF: I write a site in HTML5, Javascript and CSS3. It has no forms or any input other than mouse clicks on links. No logins. No messaging. No comments. Will this site have vulnerabilities? For the 2nd time in a month, I've been notified by my host there are files...
wordpress,security,https
I was trying to secure my website and found a blog on wordpress which shows how to change HTTP to HTTPS from the wordpress settings. I did what it said and now my website won't let me navigate further than the home page. I tried logging into the admin page,...
java,database,security,encryption,bouncycastle
I am designing a java app that uses algorithms to import data from other sources into a database. And the app also searches for records in the database. How can I implement row level security in a way that the database does not even know that the data is encrypted,...
android,security,passwords
Please I have the following scenario: the app uses a password to access to some remote webservice over HTTPS; to do so, the app asks the user the password, does NOT store it on the device (and use it in a safe manner to access the webservice). My concern is...
c#,security,encryption,cryptography,aes
Have been reviewing some symmetric cryptography approaches I've seen a lot of examples that hard code a private static variable in a class, usually something along the lines of: string key = "THISISYOURENCRYPTIONKEY!" and then somewhere further down, the code uses it for encrypting/decrypting. Putting aside the correct implementation/algorithm/strategy as...
java,security,salt
This question already has an answer here: how to convert byte array to string and vice versa 13 answers I use java SecureRandom to create salt to encrypt user. However, when I tried to match user with salt and password, they failed on different machine. The user is created...
javascript,php,ajax,security
I am creating a website which until now is pure PHP. I was thinking that since very few people do not have JavaScript enabled (which I wonder why!) maybe I should create my website as a fully PHP site without any AJAX. Am I thinking wrong? Just to be sure,...
php,mysql,security,laravel,pdo
This question already has an answer here: How can I prevent SQL-injection in PHP? 28 answers I was wondering if I'm safe from SQL injection if I have this in a script: < script> //some stuff var item = <?php echo json_oncode($PHPVAR) ?> item.replace(/"/,'"').replace(/'/,'''); //do more script stuff with...
security,user-management,forgot-password,reset-password
I am re-implementing the "reset password" functionality for the next version of my user management system. The way it works currently is: The user enters their username and email address. If this information is correct, a random token is generated and stored in the DB, and a link with the...
java,web-services,rest,security
I created REST webservice and secured it using HTTP Basic authentication. It working fine, and asking for the username/password. But on second run (if browser still open) the webservice does not ask for username/password. If I close and reopen browser, it work as I wanted - asking to authentication. I...
mysql,node.js,security,access-control,row-level-security
I want to implement column level and row level access control on data stored in my MySQL database. I am using NodeJS on my server, what's the way to go for this ? I see SAP Hana allows that but want to keep MySQL.
javascript,node.js,security,express
I read about it here https://www.npmjs.com/package/hpp It says : "Express populates http request parameters with same name in an array. Attacker can pollute request parameters to exploit this mechanism" I don't understand what mechanism the Attacker can use ?...
javascript,html5,image,security
I am a full-time developer but am building a site for my photography hobby. I dont want people to download my images and besides the usual procedures (disable right click, block hotlinks to my images etc.) i was thinking about a solution which would work 99% of the time. The...
php,security,passwords,md5
I'm creating a profile system for a website, and I'm at the point where I'm coding the password reset function in PHP. Basically, I'm asking the user for their email address, then setting a random md5 password and emailing this to them and it comes in a link formatted like...
php,mysql,security,pdo,prepared-statement
This question already has an answer here: Are PDO prepared statements sufficient to prevent SQL injection? 7 answers I'm thinking of an example like this one: The request hits a page at an url (by whichever means), with a parameter. example.com/api/page?name=bob. It's my understanding that you should do a...
c#,security,asp.net-web-api,certificate
I have an ASP.NET MVC website that makes use of WebAPI, SignalR. I wish for my server (the same server that hosts the website) to make HTTP requests to a WebAPI controller - I wish to do this so that I can hook into my website's SignalR functionality. I want...
ruby-on-rails,security,ruby-on-rails-4,mass-assignment
I have a model A such as : class A < ActiveRecord::Base validates_uniqueness_of :name attr_accessible :name end I want to remove mass assignment vulnerability on attribute :name. So I deleted the line attr_accessible :name from this model. This model has no controller, so I didn't write any strong parameters. This...
security,unit-testing,cakephp,cakephp-3.0
I am trying to test controller methods (add, edit, ...) that use Security component. ContactsController public function initialize() { $this->loadComponent('Security'); } public function add() { $contact = $this->Contacts->newEntity(); if ($this->request->is('post')) { $contact = $this->Contacts->patchEntity($contact, $this->request->data); if ($this->Contacts->save($contact)) { $this->Flash->success(__d('contact_manager', 'The contact has been saved.')); return $this->redirect(['action' =>...