All Questions

257 questions with no upvoted or accepted answers
5votes
2answers
177views

Proxy Security Service for Web Service requiring Uname/Password in the Request

We have a vendor supplied solution that requires a username and password to utilize their APIs exposed as a web service. They are to be included in the actual xml of the call. We obviously don't like ...
5votes
1answer
611views

web services and phonegap : best practices

Hi I am using phonegap for cross-platform development (I use angularJS as JS framework). I want to use a web service to access a list of positions from my database (mysql) on my website. The ...
4votes
1answer
449views

USI Webservice SOAP Format

I am in the process of developing process to communicate with the Unique Student Identifier (USI) Webservice. I have a Vanguard token, courtesy of some nice (SoapClient avoiding) code by Sergey ...
4votes
1answer
1kviews

Why doesn't pre-flight CORS block CSRF attacks?

Everyone says CORS doesn't do anything to defend against CSRF attacks. This is because CORS blocks outside domains from accessing (reading) resources on your domain -- but doesn't prevent the request ...
4votes
0answers
611views

securing jax-rs with roles

I'm currently looking into securing jax-rs web services. The following URL is very interesting: https://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#RESTF256. I am especially looking at the ...
4votes
1answer
991views

Best practices for Azure Key Vault for multiple web services?

We have a project with multiple RESTful web services communicating with each other. So far, each web service has its own Azure Key Vault. They each have a powershell script that accesses information ...
4votes
1answer
769views

Android : Security Concern :classes.dex Publicly exposed WebService Name is visible in the file

I am not too sure about how secure an apk file is and therefore this question. We have an application which gets the result from a publicly exposed webservice. However, when we tried to open the ...
4votes
1answer
2kviews

Secure Webservice Client on Glassfish

I have a secure external webservice at URL https://my-webservice-path?wsdl, and I want to connect to use this. This is a 2-way ssl. I create a webservice client in following: Create an java ...
3votes
0answers
437views

The billion laughs attack - web service

I would like to test if my web service is vulnerable to the billion laughs attack. I created the project in SoapUI based on wsdl definition file, but I don’t know if this xml attack file <?xml ...
3votes
0answers
57views

web server connection closes before completing the execution in javascript

I have 3 servers. One Web server and one Application server and one Database server. The web server contacts the application server and the application server contacts the Database server. The ...
3votes
0answers
4kviews

How to call, invoke or test a Web Service that has Wssp Policy attached?

I'm unable to test a web service that has a Security Policy attached. I have been required to develop several Web Services and protect them with simple user and password. There is no further security ...
3votes
0answers
664views

Mobile App Web Service Security

I am building an android app which consumes a soap web service that I have hosted on my server. I will have client apps for other mobile OS also in the near future. There are a few concerns with the ...
3votes
1answer
491views

Internal WCF Service on a public facing server security

I need to host a WCF service that will give its clients access to internal business systems on a public facing web server. Obviously I must secure this so that no one from the outside world even knows ...
2votes
0answers
573views

Security implications of allowing CORS for localhost

I have a server, say at api.myserver.com For testing, we often connect to it (make an xhr request) from http://localhost Now, I can set up CORS on the server to allow requests from localhost, but my ...
2votes
0answers
104views

WCF Protectionlevel, why is there no 'encryptOnly'?

I'm attempting to make a client that uses WCF to communicate with a SOAP endpoint made in Java. The service requires me to send my PKCS10 request inside an encrypted SOAP request, using an X509 ...
2votes
0answers
924views

How to download a secured wsdl using url using certificate?

Generally to download a wsdl file I would do it by displaying the wsdl in the browser. e.g.: to download the wsdl endpoint - http://wsf.cdyne.com/WeatherWS/Weather.asmx step 1: append the endpoint ...
2votes
1answer
847views

Signing SOAP Messages in WSO2 ESB using sha-256 digest Algorithm

I have an issue using rampart in wso2 ESB to sign my soap messages. I use an XML policy attached to the outgoing endpoint; this policy specifies sha-256 as the algorithm to use for the digest (...
2votes
1answer
15kviews

The SSL certificate for this service cannot be trusted

We scanned our website acbd.com with Serverscan and reports show that “The SSL certificate for this service cannot be trusted”. We are using a Comodo Premium SSL Wildcard Certificate and it's working ...
2votes
0answers
239views

How to achieve WS-Security in Android over SOAP Service

We're trying to call the SOAP Web Service securely from Android. Have utilized KSoap2 library to consume the Web Service. However achieving the message level security with the utilization of ...
2votes
0answers
368views

PHP symfony 2.x: How to authenticate against a web-service by providing username and password?

I have a very big problem with symfony 2.x. I need to authenticate against a web-service by passing the username and the password to this web-service. The standard way and any other implementation of ...
2votes
1answer
30views

Security - is recommended to regenerate authorization codes for each request?

Suppose you have a cookie "code" containing a string of 80 characters, it is your access code for an application. It is recommended to regenerate this code every request to your application or is the ...
2votes
1answer
254views

MVC 4 Web Api Security from C.S.R.F. Attacks

I am using asp.net mvc4 web api. I am using Form Authentication for security. I have asp form pages(.aspx) at client side. Is there any way to implement Antiforgery in this scenario. please describe i ...
2votes
2answers
3kviews

REST api authentication mechanism

I'm using a custom protocol to secure my REST API - Hash a bunch of unique data together (including the user's token) and sending it as an Authorization header (very similar to AWS rest api). ...
2votes
0answers
256views

JavaFX code cannot connect to jersey web service

I'm building a JavaFX GUI which I want to run in a browser. The GUI connects to a Jersey Webservice, and runs fine if I run the JavaFX code as standalone, however, if I run in a browser I get the ...
2votes
1answer
2kviews

java.lang.NoSuchMethodError: org.apache.ws.security.WSSConfig.setHandleCustomPasswordTypes(Z)V

I am getting following error. I am using WSS4j1.5.8 i.e. Rampart 1.5 and AXIS2-1.4: java.lang.NoSuchMethodError: org.apache.ws.security.WSSConfig.setHandleCustomPasswordTypes(Z)V When I used ...
2votes
0answers
2kviews

org.apache.axis2.AxisFault: Missing wsse:Security header in request

I am working in axis2-1.6.2, rampart-1.6.2 & apache Tomcat 7. Based on this link http://thilinamb.wordpress.com/2009/10/20/saml-2-0-token-profile-support-in-rampart-1-5/#comment-118, I have ...
2votes
0answers
129views

Howto secure a webservice using ONLY Facebook for authentication/authorization?

Setup 1. A LAMP web application that uses SOLELY Facebook for authent./author (i.e. NO credentials set/asked by the web app) 2. A smartphone app that uses ONLY Facebook for authent./author. 3. A web ...
2votes
0answers
355views

Can I use a hashed password as the secret for generating a hmac?

I think it would be very comfortable to use the user's password hash as the secret for generating a hmac. Why is OAuth and others using tokens and nonces? I think of something like this: Client ...
2votes
1answer
463views

usernametoken-auth rampart/axis2 1.6.2

I just upgraded to the latest axis2/rampart version and encounter a strange behavior when providing a webservice which requires username-password authentication. Up to now, I implemented my own ...
2votes
1answer
2kviews

Servlet Filter as Security Proxy for Web Services

Good time. Suppose there are 8 web-services in the one application. 5 of them require authorization (a client must provide a JSESSIONID cookie and a corresponding session must not be invalidated), ...
2votes
1answer
1kviews

Securing Mobile app access to a WebService (home-grown approach)

I have an HTTPS WebService that needs to be accessed from a Mobile (iPhone) application. Both are developed by our side. We need to secure the Mobile access to this Service. So we used a username/...
2votes
5answers
518views

How to post data to another website without using any browser related component?

I have a page where user is asked only for the payment amount, then user will be redirected to another website where the payment will be processed, I want the amount to be set on the redirected page ...
2votes
0answers
497views

Security in Webservice without login credentials

I'm developing a SOAP web service version 1.1 in Java. I have the following situation: there's a secured channel with ssh; customers don't have login credentials (they don't have username and ...
2votes
1answer
1kviews

Do you know of a NGiNX module that performs something similar to verification of Amazon Web Service request signatures?

I'd like to restrict access to my web service to registered clients. The first thing I thought of was to mimic that of AWS which, in a nutshell, issues clients a non-secret and secret key pair, and ...
2votes
1answer
426views

Authentication and Authorization scheme for an application exposed as WCF Service Layer?

I know this question must have been discussed million times in your organization. One more go. Designing a LOB application which has its business operations exposed as services. These services ...
2votes
1answer
792views

Getting website is being blocked when trying to access my web service in .net

I have asmx file with GetData webmethod on my test server. When I login to test server (I am Administrator) and run my method, everything works fine: http://localhost/app/Services.asmx?op=GetData ...
1vote
0answers
77views

Web Cache Deception vulnerability (flagged by NetSparker)

Our application was flagged by Netsparker as having a Web Cache Deception vulnerability. the attacker uses the acquired link, for example https://example.com/settings.php and appends a path with a ...
1vote
0answers
15views

How to give workers individual access to resources

I'm currently having one design problem that is: I have a distributed system where I have a main "data service", that receives requests and handout the data, and some workers that are ...
1vote
0answers
70views

How to reliably identify device on web service?

Scenario : The desktop computer is being authenticated on web service I provide the .exe on the desktop I control the web service The desktop has a TPM chip installed Is this reliable method : On ...
1vote
0answers
112views

How to create secure (TLS/SSL) browser-trusted certificate for offline network

Trying to create a secure certificate for the local network, but I can't get the green tick from the browser without accepting the certificate manually. In order to ensure security while keeping it ...
1vote
1answer
30views

To provide security layer on top of loading Web Application

To provide security layer on top of loading Web Application. Scenario: Implement a .exe file (client side) which will ask for a password - 1) If the password is correct - it will grant the access ...
1vote
0answers
385views

Scanning a rest api web service using acunetix

I have a POST request to send in the acunetix scanner, but don't know how to send it and how to specify the post method, because when I added the headers in the "custom headers" option in acunetix ...
1vote
0answers
29views

Identify URL of webpage when I can only receive API calls from the websites backend server

So I have a tricky problem of trying to somehow identify the url of a webpage, but I only have info on its backend server that makes API calls to my server. I have a server that receives API calls ...
1vote
0answers
29views

Allow Access to files in different server but not directly

My question is somewhat similar to htaccess block access to directory but allow access to files but different. I have a server X which serves my file contents www.x.com/allfiles/file1.jpg. I have ...
1vote
0answers
150views

Connecting Amazon Alexa to web_lirc, best practice?

I have successfully created a demo project where I can control an infrared transmitter using the Amazon Echo Alexa. Moving forward with my project I'm not sure what the best practices would be in ...
1vote
0answers
292views

Securing publicly accessible REST endpoints

We have a REST endpoint that provides some back end services to our publicly available Web site. The web site does not require any user authentication to access its content. Anyone can access it ...
1vote
0answers
647views

Sharing user credentials between deployed applications in JBoss using Keycloak

I have following scenario: Logged user is accessing secured part of web application which displays data obtained from secured web service. Problem: How to propagate user credentials to web service? ...
1vote
0answers
114views

Can Json Web Token (JWE) be used to encrypt whole JSON?

We are going to have stateless web services which accept JSON as parameter. We've read JWE's RFC but one thing I can't understand is how can a token (which is a fixed part of each request) be ...
1vote
1answer
239views

My approach for JWT - REST API

My question is specifically regarding my approach of JWT with REST implementation. I am using AngularJS on the client side and PHP on server side. As soon as page loads for the first time, I fire ...
1vote
0answers
324views

Securing WebService using @RoleAllowed annotation

I have a plain webservice deployed on a weblogic server which is working as expected. Now I want to secure it and I tried using @RolesAllowed but it's not restricting access to the webservice - all ...