Questions tagged [owasp]

The Open Web Application Security Project (OWASP) is a non-profit foundation that publishes free, community-maintained application-security guidance and tooling, including the OWASP Top 10, the Cheat Sheet Series, ESAPI, the Java HTML Sanitizer, Dependency-Check and the ModSecurity Core Rule Set, and (at the time of these questions) the ZAP scanner. Use this tag for questions about OWASP guidance, OWASP projects, or findings reported by OWASP tools.

376 votes · 4 answers · 149k views

Why is it common to put CSRF prevention tokens in cookies?

I'm trying to understand the whole issue with CSRF and appropriate ways to prevent it. (Resources I've read, understand, and agree with: OWASP CSRF Prevention Cheat Sheet, Questions about CSRF.) As I ...
343 votes · 8 answers · 449k views

What is "X-Content-Type-Options=nosniff"?

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff' This ...
186 votes · 9 answers · 470k views

PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the man pages correctly?

I did a lot of searching and also read the PHP $_SERVER docs. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site? $_SERVER['SERVER_NAME'...
55 votes · 3 answers · 46k views

CSRF, XSS and SQL Injection attack prevention in JSF

I have a web application built on JSF with MySQL as DB. I have already implemented the code to prevent CSRF in my application. Now since my underlying framework is JSF, I guess I don't have to handle ...
53 votes · 4 answers · 81k views

CSRF (Cross-site request forgery) attack example and prevention in PHP

I have a website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want ...
33 votes · 3 answers · 63k views

Adding authentication in ZAP tool to attack a URL

How to pass authentication details to the ZAP tool to scan the website. Please help me to solve the problem.
30 votes · 2 answers · 3k views

Play framework OWASP Top 10

I'm thinking about using Play for a large-scale project, so, has anyone battle-tested Play framework for OWASP Top 10? Are there any security problems you know of in Play framework?
21 votes · 1 answer · 16k views

What is the X-Application-Context header?

What does this response header (X-Application-Context) stand for? Is it specific to the Spring framework? What does the header below mean? X-Application-Context airtel-project-service:aws:27094 does ...
21 votes · 2 answers · 6k views

Reliable way to detect browser, version and platform in PHP

I have been looking for a reliable way to have (at least the less obscure ones) : the name of the browser the version and the platform (OS) it is on maybe more information but the 3 info above are ...
20 votes · 1 answer · 51k views

How can I set the 'secure' flag for cookies in an ASP.NET MVC website?

I have set the following in web.config: <system.web> <httpCookies httpOnlyCookies="true" requireSSL="true" /> </system.web> When I hit the website using an HTTP connection, it ...
17 votes · 5 answers · 2k views

Are JavaScript comments a security risk?

During a recent PCI audit the auditor said that we had major security risks because it was possible to download static resources from our website such as images, CSS and JavaScript without prior ...
17 votes · 2 answers · 10k views

Filtering upwards path traversal in Java (or Scala) [closed]

Are there any standard library methods that can filter out paths which include special traversal sequences, such as ../ and all other convoluted forms of upwards directory traversal, to safeguard a ...
17 votes · 2 answers · 6k views

What Response Should Be Sent Back When a Cross-Site Request Forgery (CSRF) Is Detected

What response should I send back when a Cross-Site Request Forgery (CSRF) is detected? There is a scanning tool which I cannot get a hold of that is saying one of my pages is not protected against ...
17 votes · 3 answers · 68k views

Where can I find ESAPI.properties?

I am trying to use the OWASP ESAPI library in my web app to escape request parameters in JSPs as below: ESAPI.encoder().encodeForHTML(request.getParameter()). I have added esapi-2.1.0.jar under WEB-INF/...
16 votes · 7 answers · 35k views

iOS certificate pinning with Swift and NSURLSession

How to add certificate pinning to an NSURLSession in Swift? The OWASP website contains only an example for Objective-C and NSURLConnection.
15 votes · 2 answers · 51k views

HTML-Entity escaping to prevent XSS

I have some user input. Within my code, I ensure that the following symbols are escaped: & -> &amp; < -> &lt; > -> &gt; OWASP states that there are more chars to be ...
14 votes · 4 answers · 21k views

how to fix 'Disable XML external entity (XXE) processing' vulnerabilities in java

I ran my Java code against SonarQube and I got 'Disable XML external entity (XXE) processing' as a vulnerability. I spent some time on Google to resolve the issue. I have been trying a lot of approaches ...
14 votes · 3 answers · 19k views

OWASP ESAPI simpleTest in a Maven Java EE project

I have a little Java EE project, and I have to secure it with the OWASP ESAPI. I integrated the ESAPI like this in Maven: <!-- ESAPI Version 2.0.1 --> <dependency> <groupId>org....
13 votes · 3 answers · 13k views

OWASP top ten attacks and Spring Security

I am evaluating security for my web application. As I am using Spring in my web application I would like to leverage the Spring Security framework. I searched for more info about web security and come ...
13 votes · 1 answer · 10k views

Why Url.IsLocalUrl is false for local URLs in ASP.NET MVC?

Mission: To prevent open redirection in an ASP.NET MVC 5 application The story: The user is on some webpage of website /, say overview page /Home/Overview and clicks login After login, the server ...
12 votes · 1 answer · 8k views

Java: Owasp AntiSamy vs Owasp-java-html-sanitize

I am looking for html purifier library now. And I've found that there are two "owasp" library. First is https://code.google.com/p/owasp-java-html-sanitizer/ and the second is https://www.owasp.org/...
12 votes · 3 answers · 3k views

Common vulnerabilities for WinForms applications

I'm not sure if this is on-topic or not here, but it's so specific to .NET WinForms that I believe it makes more sense here than at the Security stackexchange site. (Also, it's related strictly to ...
12 votes · 4 answers · 11k views

How to allow specific characters with OWASP HTML Sanitizer?

I am using the OWASP Html Sanitizer to prevent XSS attacks on my web app. For many fields that should be plain text the Sanitizer is doing more than I expect. For example: HtmlPolicyBuilder ...
11 votes · 1 answer · 33k views

How to sanitize inputs

I am willing to use "OWASP ESAPI for Java" to sanitize users' inputs when they submit forms in a Tomcat webapp. I used to use org.apache.commons.lang.StringEscapeUtils like this: public static ...
11 votes · 1 answer · 2k views

Avoid clickjacking for Java web application when opened in same session

I am trying to handle clickjacking for a java web application. I got a solution from Clickjacking Defense Cheat Sheet I have added a filter in web.xml <?xml version="1.0" encoding="UTF-8"?> &...
10 votes · 1 answer · 11k views

Sanitizing response JSON from Spring MVC Controller using JSON Sanitizer?

I want to intercept the JSON sent back from a Spring MVC Rest Controller and run it through a sanitizer that ensures it's valid and HTML escapes any dodgy characters. (Possibly the OWASP JSON ...
10 votes · 3 answers · 5k views

Running jasperserver behind nginx: Potential CSRF attack

We are using nginx for https traffic offloading, proxying to a locally installed jasperserver (5.2) running on port 8080. internet ---(https/443)---> nginx ---(http/8080)---> tomcat/...
9 votes · 1 answer · 2k views

Is there any OWASP checking tool for scala project?

I found there is an OWASP dependency checking tool for Java projects: https://www.owasp.org/index.php/OWASP_Dependency_Check I tried the tool on Scala projects, but it can find no dependencies. Is ...
8 votes · 2 answers · 7k views

Magento CSRF protection

I am looking at custom forms in Magento. I saw these tutorials http://fastdivision.com/2012/03/29/diy-magento-create-ajax-login-registration-forms-for-your-magento-theme/ http://inchoo.net/ecommerce/...
8 votes · 1 answer · 2k views

Apache Shiro & Java Security for Novices

I know next-to-nothing about Java's security model, including XML configuration, policy-setting, any security framework components, tools (such as keystore, etc.) and everything in between. Although ...
8 votes · 1 answer · 730 views

& JavaScript includes

OWASP's XSS Filter Evasion Cheat Sheet mentions "& JavaScript includes": https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes The example it provides is as ...
8 votes · 2 answers · 3k views

Apache2 mod_evasive vs mod_security with OWASP crs when protecting against DDOS?

Good day, I'm running an Apache2 server in front of a Tomcat and I need to implement a DDOS protection mechanism on the Apache2 layer. I have two candidates: mod_evasive and mod_security2 with the ...
8 votes · 3 answers · 17k views

Why/How is `value="javascript:alert(1)"` considered as a XSS vulnerability in OWASP's ZAP tool?

The results from OWASP's ZAP have been very useful for eliminating vulnerable parts of my website. However, I've found a lot of results that I simply cannot fix. For example, one of the GET parameters ...
8 votes · 2 answers · 836 views

OWASP HTML Sanitizer cleans comments

I have application where customer can store following html lines in order to load different styles for actual browser: <!--[if IE 6]><link rel="stylesheet" type="text/css" media="all" href="...
7 votes · 2 answers · 4k views

Why should I put a CSRF token in a JWT token?

I want to bring a doubt about JWT tokens and CSRF from the Stormpath post that explain the advantages and disadvantages of storing the JWT either in localStorage or cookies. [...] if you are reading ...
7 votes · 1 answer · 5k views

How do you escape HTML attribute values in Java without the Owasp Library?

I've been using Apache's StringEscapeUtils for HTML entities, but if you want to escape HTML attribute values, is there a standard way to do this? I guess that using the escapeHtml function won't cut ...
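
Added example that serves both this question and the earlier "HTML-Entity escaping to prevent XSS" one; it is not code from either asker, from ESAPI or from Apache Commons. It is the pair of context-specific encoders the OWASP XSS Prevention Cheat Sheet prescribes, written in plain JavaScript: rule #1 for element content escapes the six characters `& < > " ' /` (the three the earlier asker already handles plus the three OWASP adds), and rule #2 for attribute values encodes everything except `[A-Za-z0-9]` as `&#xHH;`, which is what keeps a value safe even in an attribute someone forgot to quote. The `renderProfileLink` helper and its inputs are constructed for the example.

```javascript
// Added example, not from either question and not a library API: the two
// contextual HTML encoders from the OWASP XSS Prevention Cheat Sheet.

// Rule #1, HTML element content: escape & < > " ' /. Escaping " and ' as well
// means the same function is also safe inside a *quoted* attribute; escaping
// / closes the hole where "</script>" style text is injected into a tag.
const HTML_BODY_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, ch => HTML_BODY_ENTITIES[ch]);
}

// Rule #2, HTML attribute value: encode every character except [A-Za-z0-9] as
// &#xHH;. Space, =, (, ) and friends can terminate an unquoted attribute, so
// they all get encoded. OWASP only requires this for code points below 256;
// encoding the rest as well (done here, via the /u flag) is still correct.
function escapeHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    ch => '&#x' + ch.codePointAt(0).toString(16).toUpperCase() + ';');
}

// Constructed usage: two untrusted values landing in two different contexts.
// The attribute is quoted (as it should be), but rule #2 would hold even if
// the quotes were dropped.
function renderProfileLink(displayName, bio) {
  return `<a href="/u/me" title="${escapeHtmlAttribute(displayName)}">` +
         `${escapeHtml(bio)}</a>`;
}
```

Note that neither function is right for a JavaScript string, a URL parameter or a CSS value; those are separate rules in the cheat sheet with their own encoders, and using `escapeHtml` there is exactly the mistake OWASP's rule numbering exists to prevent.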
7 votes · 1 answer · 3k views

Options for token storage and refresh in SPAs

I've been reading Aaron Parecki's draft of browser-based apps' (meaning SPAs like those developed with React or Angular) authentication best practices with OAuth 2 as well as OWASP security guidelines,...
7 votes · 2 answers · 3k views

Is preventing open redirects attack in nodejs secure?

I'm trying to prevent open redirect attack. Please look at the code below and check for security: var = require('url'); // http://example.com/login?redirect=http://example.com/dashboard app.route('/...
7 votes · 1 answer · 3k views

Tool to check known vulnerabilities in php project using composer

I am working on a php project that uses composer but some of the dependencies are very old, including the php version. We are trying to convince the client to upgrade the version of php and ...
7 votes · 1 answer · 2k views

GWT & XSRF Protection

I'm looking at possible solutions to protect my GWT app against XSRF. If I understand GWT's solution correctly - it makes available a Servlet which you use to both generate the token on the client-...
7 votes · 1 answer · 3k views

Sonatype scan shows Spring-Web is vulnerable

My company's Sonatype scan shows Spring-Web is vulnerable even for the latest version (currently 5.2.3.RELEASE). It says "Found security vulnerability CVE-2016-1000027 with severity 9.8". I noticed ...
7 votes · 4 answers · 2k views

Why doesn't OWASP recommend to bcrypt the password both on the client and the server?

Since the recent problems with GitHub and Twitter: GitHub Accidentally Recorded Some Plaintext Passwords in Its Internal Logs Twitter Admits Recording Plaintext Passwords in Internal Logs, Just Like ...
7 votes · 2 answers · 434 views

"SecCollectionTimeout is not yet supported" in WAF owasp modsecurity crs with NGINX

I install nginx with WAF (Using Docker) mkdir -p /usr/src \ && cd /usr/src/ \ && git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/...
6 votes · 10 answers · 2k views

What is the best way to send web form authentication data over HTTP?

A company I know is in discussions to firm up its password security policy across all its web application products. Right now they are sending username / password authentication in POST forms over ...
6 votes · 5 answers · 2k views

SQL injection vulnerable code even when we are sanitizing the input mysql_real_escape_string

We have been attacked; the hackers entered the system from a page <login> that's in the code shown below, but we couldn't figure out the actual problem in this code. Could you point out the ...
6 votes · 2 answers · 7k views

Privacy Violation Checkmarx

On scanning code using checkmarx for security vulnerabilities, a privacy violation issue was reported pointing to a variable name. public const string Authentication = "authentication"; I am using ...
6 votes · 6 answers · 8k views

Java Security Testing

Is there such a thing as automated security testing in Java? If so, how is it implemented? Is it just JUnit tests written to try and exploit known server vulnerabilities, or are there security-centric ...
6 votes · 3 answers · 3k views

What is OWASP exactly?

Open Web Application Security Project Promotes secure software development Oriented to the delivery of web oriented services Focused primarily on the “back-end” than web-design issues An open ...
6 votes · 3 answers · 18k views

How to use JSON Sanitizer at Server Side?

I want to implement the 'JSON Sanitizer' validation as mentioned by OWASP. My understanding is that this needs to be done in two places: JSON data (in Request) received from Client or Other Systems -...
6 votes · 1 answer · 2k views

Session Fixation VS XSRF/CSRF

What defines the two respectively? Session fixation is described as: Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack explores a limitation in the way ...