Questions tagged [security]

Topics relating to application security and attacks against software. Please don't use this tag alone, that results in ambiguity. If your question is not about a specific programming problem, please consider instead asking it at Information Security SE: https://security.stackexchange.com

15,187 questions with no upvoted or accepted answers
5 votes · 1 answer · 865 views

Class-dump-z extraction of classes & methods

I am using class-dump-z for extracting all the class names & methods for reverse engineering of iOS apps. But I want to know how this application actually works. How has this application managed to ...
5 votes · 0 answers · 788 views

Could not establish secure channel for SSL/TLS with authority 'server name' - randomly occurring

We are getting an intermittent error "Could not establish secure channel for SSL/TLS with authority 'server name'" while calling one of our services. Not all the requests are failing, but some of the ...
5 votes · 0 answers · 3k views

How to connect external hdfs to standalone Spark

I am using a 3-node standalone Spark (1.6.0) cluster for my application, which is getting data from an external Hadoop source. Without Hadoop authentication, the application works fine, but when I am ...
5 votes · 0 answers · 1k views

Secure BLE pairing - is it possible?

I'm trying to make a BLE device that actually pairs securely. As far as I know the transport encryption (using AES) is secure in all versions of BLE, once the 'Long Term Key' has been exchanged. BLE 4....
5 votes · 1 answer · 797 views

App authentication and authorization with JWT

I was going through the OAuth2 docs and thought it was kind of permissive security-wise, so I tried to implement JWT tokens with a special scheme, like in the picture, for a mobile app communicating with a ...
5 votes · 0 answers · 2k views

KeyguardManager.createConfirmDeviceCredentialIntent Before API Level 21 equivalent?

I would like to use KeyguardManager.createConfirmDeviceCredentialIntent to allow the OS to verify the identity before allowing the user of my app to access secure information. This works very ...
5 votes · 0 answers · 337 views

Check if path under app-scoped bookmark is writable inside sandboxed app

I have an OS X app, which stores an app-scoped bookmark to persist access to certain directories. I am able to write to those directories without any problems, but there is a part in my code where I ...
5 votes · 2 answers · 6k views

Error in Spring Security Kerberos windows authentication

I'm trying to set-up Spring based security Web application in our environment. As described in http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#setupwinkerberos ...
5 votes · 0 answers · 963 views

Firebase: Using auth.uid as a userId - that's bad, right?

Tools: Firebase. Issue: Security with completely client-side code and exposing unique IDs. I've been really scratching my head on how to create a system to uniquely ID a user for basic user-user ...
5 votes · 0 answers · 2k views

OAuth2 - handle password change in Spring Security

I'm implementing OAuth2 for my REST service (password grant type) with the help of the Spring Security module. I'm using PostgreSQL as my token store. All works fine, but I need to add the possibility to ...
5 votes · 1 answer · 2k views

Facebook mobile login and server-side validation

I am working on a mobile app that has an integrated Facebook login (using the FB Android SDK). I also have a server that has some REST endpoints on it that I would like to secure. I have been looking ...
5 votes · 2 answers · 1k views

How to avoid showing consent screen in our own native apps when external authentication?

Background: We have developed a web application featuring a REST API using OAuth2/OIDC, with support for third-party apps. We have developed our own native apps for Android and iOS. Currently they ...
5 votes · 1 answer · 118 views

What are Angular Security Risks for Implementing Restful Admin Areas?

I'm interested in implementing RESTful admin areas with AngularJS. Since APIs should be stateless, I want to implement the admin area using OAuth, and I'm horrible about security risks like MitM. So ...
5 votes · 0 answers · 468 views

OAuth2 and email authorization for REST API backend

Overview: I am building a RESTful API application as a mobile/web backend (let's call it MyBackendApp), and I'm looking for a contemporary solution for both authentication AND authorization of app users. ...
5 votes · 2 answers · 13k views

Failed to create WebSocket connection when Spring Security is on

I'm using a Java WebSocket client that subscribes to a Spring Boot based server application. Everything worked just fine, but after adding support for Spring Security in order to authenticate and ...
5 votes · 0 answers · 192 views

Meteor Site Under attack. Help Using Sikka

My site is currently under attack. I created a users directory that automatically puts the last logged in people on top. Whoever loads the home page gets placed on top. I have one user (at least one ...
5 votes · 1 answer · 1k views

hack attempts from IP 127.0.0.1 - is there an exploit to be aware of?

I have noticed numerous entries in Tomcat's local_access_log for various resources coming from IP address 127.0.0.1. These are clearly attempts to hack in. For example, here is a request to get access ...
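A note on the symptom, with an added example (not code from the question or its answers): when a reverse proxy such as Apache httpd or nginx runs on the same host as Tomcat, every request reaches Tomcat from 127.0.0.1, so the access log records the proxy's address rather than the attacker's. The client address is only recoverable if the proxy forwards it in X-Forwarded-For and Tomcat records or resolves that header (Tomcat's RemoteIpValve does the latter). The JavaScript below performs the same resolution over constructed log lines: it walks the X-Forwarded-For chain from the right and discards addresses of proxies we control, so a client that puts a fake address at the front of the header is not believed. The log pattern, the trusted-proxy list and the log lines are assumed/constructed.

```javascript
// Added example: resolve the real client address when Tomcat logs 127.0.0.1
// because a local reverse proxy sits in front of it. Sample log lines are
// constructed; the log pattern is assumed to be
// '%h %l %u %t "%r" %s %b "%{X-Forwarded-For}i"'.
'use strict';

// assumed: addresses of proxies we operate ourselves
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1', '10.0.0.5']);

// Walk X-Forwarded-For right to left, discarding hops we control; the first
// address we do not trust is the best available guess for the client. Never
// take the leftmost entry blindly: the client can put anything there.
function clientIp(remoteHost, xff, trusted = TRUSTED_PROXIES) {
  const hops = xff ? xff.split(',').map((s) => s.trim()).filter(Boolean) : [];
  const chain = [...hops, remoteHost];
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trusted.has(chain[i])) return chain[i];
  }
  return remoteHost; // every hop was one of our proxies
}

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, host, time, request, status, bytes, xffRaw] = m;
  const xff = xffRaw === '-' ? '' : xffRaw;
  return { host, time, request, status: Number(status), bytes, xff, client: clientIp(host, xff) };
}

// Constructed sample: every line shows 127.0.0.1 as %h; the last line carries
// a spoofed leading entry (1.1.1.1) that must not be reported.
const SAMPLE_LOG = [
  '127.0.0.1 - - [10/Oct/2015:13:55:36 +0000] "GET /manager/html HTTP/1.1" 401 2473 "203.0.113.7"',
  '127.0.0.1 - - [10/Oct/2015:13:55:37 +0000] "GET /../../etc/passwd HTTP/1.1" 400 - "198.51.100.23, 10.0.0.5"',
  '127.0.0.1 - - [10/Oct/2015:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"',
  '127.0.0.1 - - [10/Oct/2015:13:55:39 +0000] "GET /cgi-bin/php HTTP/1.1" 404 - "1.1.1.1, 192.0.2.9"',
];

// Count requests that failed (4xx and up) per resolved client address.
function suspiciousClients(lines) {
  const counts = {};
  for (const l of lines) {
    const e = parseLine(l);
    if (!e || e.status < 400) continue;
    counts[e.client] = (counts[e.client] || 0) + 1;
  }
  return counts;
}

console.log(suspiciousClients(SAMPLE_LOG));
```

If the proxy does not add X-Forwarded-For at all, nothing in the log can recover the source, and the fix is on the proxy side, not in log analysis.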
5 votes · 0 answers · 2k views

How to validate user's cached credentials against a domain?

When you logon to Windows, your credentials are cached. This allows you to use single sign-on. If you were to then browse to another computer, e.g.: \\hydrogen you would not be prompted for ...
5 votes · 0 answers · 561 views

Get AuthenticodeSignatureInformation of file

The only example I've found for using AuthenticodeSignatureInformation gets the instance from a ManifestSignatureInformation, and the only way I've found to get that is using one of its ...
5 votes · 3 answers · 3k views

Simultaneously sandbox and add JS/HTML to iFrame

I am trying to create an iframe that has JS fire inside of it but does not have access to the parent document. The goal is to have a simple implementation and not include any special libraries. I ...
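An added example (not code from the question or its answers) of the combination that gives what the question describes: an iframe whose sandbox attribute grants allow-scripts but not allow-same-origin, populated through srcdoc, so the embedded script runs in an opaque origin and any access to the parent document throws. The helper also refuses allow-scripts together with allow-same-origin, a combination that lets the framed script remove its own sandbox attribute. The "untrusted" text in the demo is constructed; the DOM part runs only when a document exists.

```javascript
// Added example: build an iframe that runs our own script but cannot reach
// the parent document, by combining the sandbox attribute with srcdoc.
'use strict';

// sandbox flags we are willing to grant; anything else is refused
const ALLOWED_FLAGS = new Set(['allow-scripts', 'allow-forms', 'allow-popups', 'allow-modals']);

// Returns the sandbox attribute value, or throws if the combination would let
// the frame escape. With allow-same-origin the srcdoc content shares our
// origin, so its script could strip the sandbox attribute and walk into the
// parent; it is never granted here.
function sandboxValue(flags) {
  const out = [];
  for (const f of flags) {
    if (f === 'allow-same-origin') {
      throw new Error('allow-same-origin defeats the sandbox for srcdoc content');
    }
    if (!ALLOWED_FLAGS.has(f)) throw new Error(`unsupported sandbox flag: ${f}`);
    out.push(f);
  }
  return out.join(' ');
}

// Escape untrusted text before placing it in the frame's markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The document the frame will load. The script is ours; the untrusted string
// is data we want displayed but never executed.
function frameDocument(untrustedText) {
  return [
    '<!doctype html><html><body>',
    `<p id="msg">${escapeHtml(untrustedText)}</p>`,
    '<script>',
    // inside the sandbox, parent is a cross-origin window: this read throws
    "try { document.getElementById('msg').textContent += ' / parent title: ' + parent.document.title; }",
    "catch (e) { document.getElementById('msg').textContent += ' / parent blocked: ' + e.name; }",
    '<\/script></body></html>',
  ].join('\n');
}

function attributesFor(untrustedText, flags = ['allow-scripts']) {
  return { sandbox: sandboxValue(flags), srcdoc: frameDocument(untrustedText) };
}

// Browser-only part: create the element and append it. Returns null outside a
// browser so the helpers above can be exercised from Node.
function mountFrame(untrustedText, parentNode = (typeof document !== 'undefined' ? document.body : null)) {
  if (!parentNode) return null;
  const attrs = attributesFor(untrustedText);
  const iframe = document.createElement('iframe');
  iframe.setAttribute('sandbox', attrs.sandbox);
  iframe.setAttribute('srcdoc', attrs.srcdoc);
  parentNode.appendChild(iframe);
  return iframe;
}

mountFrame('<img src=x onerror=alert(1)>'); // constructed untrusted input
```

In a browser the frame shows the escaped text followed by "parent blocked: SecurityError": the script ran, but the parent stayed out of reach.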
5 votes · 1 answer · 244 views

Java Security Error

When I run my JNLP file WelcomeApplet.jnlp, this security message displays on the screen: Application Blocked by Java Security. I checked on the Internet; there are three security levels: very high, ...
5 votes · 0 answers · 352 views

How do I create an apparmor profile for an application that runs using Python's twisted library?

I'm trying to create an AppArmor profile for a networking application that has access to ssh and runs using Python's Twisted library. I have tried using aa-genprof to generate a profile. In another bash, ...
5 votes · 2 answers · 1k views

How should I restrict load balanced Web traffic to my Elastic Beanstalk environments?

I'm trying to configure access to my EB environments, and would like to restrict HTTP access (through the ELB) to certain IP addresses. I have an out of the box EB app (a bunch, actually, with a few ...
5 votes · 0 answers · 2k views

Spring OAuth2 restrict user to authenticate via a client

I am implementing a Spring OAuth2 application where I have different clients using a resource. The clients are mobile applications, so I use the Resource Owner Password Flow. There are 2 roles in ...
5 votes · 0 answers · 2k views

java.security.SignatureException Signature length not correct: got 128 but was expecting 512

I am using the Shibboleth OpenSAML (http://shibboleth.net/downloads/java-opensaml/) library for SAML, and recently, after upgrading the libraries (the reason for the upgrade was a NoSuchMethodError), the server ...
5 votes · 0 answers · 1k views

Content-Security-Policy not working in Firefox

We are adding a Content Security Policy on our websites to prevent outside sources from using IFrames other than our own. We are using .NET and have the following in our web.config to do this. <...
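Added example (not the questioner's web.config, and written for a Node http handler rather than .NET): the directive that restricts who may frame a page is frame-ancestors, introduced in CSP Level 2. Two points that commonly explain "not working": frame-ancestors is honoured only when sent as an HTTP response header (browsers ignore it in a meta tag), and when both are present, browsers that understand frame-ancestors give it precedence over X-Frame-Options. X-Frame-Options cannot express an allow-list, so it is emitted only for the same-origin-only case. The partner origin in the test is assumed.

```javascript
// Added example: response headers that tell browsers who may frame a page.
'use strict';

// a bare origin, optionally with a leading *. wildcard, no path
const SOURCE_RE = /^https?:\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d+)?$/i;

// allowed: origins permitted to embed the page; 'self' is always included.
function framingHeaders(allowed = []) {
  for (const o of allowed) {
    if (!SOURCE_RE.test(o)) throw new Error(`not a bare origin: ${o}`);
  }
  const headers = {
    'Content-Security-Policy': `frame-ancestors ${["'self'", ...allowed].join(' ')}`,
  };
  // X-Frame-Options only knows DENY and SAMEORIGIN in practice, so it is a
  // useful fallback for old browsers only when nobody else may frame us.
  if (allowed.length === 0) headers['X-Frame-Options'] = 'SAMEORIGIN';
  return headers;
}

// Set the headers on a Node http.ServerResponse; usable inside a
// http.createServer((req, res) => { ... }) handler.
function applyFramingHeaders(res, allowed) {
  const h = framingHeaders(allowed);
  for (const [k, v] of Object.entries(h)) res.setHeader(k, v);
  return h;
}

console.log(framingHeaders());
```

Whatever sets the header in your stack, confirm it with a plain request (for example curl -I against the page) and look at the actual response, since a policy that never leaves the server is the other common cause of "not working".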
5 votes · 0 answers · 1k views

How to store client id and secret in html/js clients for OAuth 2.0

I recently implemented OAuth 2.0 (with Tastypie) for my APIs. Now I am building an Ember.js-based JS client. How can I store my client ID and client secret securely? Local storage, I would assume, doesn't ...
5 votes · 1 answer · 3k views

Universal way to authenticate clients and secure a RESTful api

I've been digging through stackoverflow / security.stackexchange threads and getting no definite answers on providing a universal way for clients to securely consume RESTful services I am building ...
5 votes · 0 answers · 293 views

How Can I Sandbox my Process?

Problem: I'm creating a Windows server program that is potentially quite vulnerable to attacks. I'd like to sandbox (jail?) it, or at least run my process in a very low integrity setting. I probably be ...
5 votes · 1 answer · 6k views

Creating a service for user (S4U) token

The Windows Task Scheduler can create tasks that run with the account of a particular user, without storing the user password. They call it "S4U", service for user. This should work something like the ...
5 votes · 0 answers · 1k views

Can I restrict API access from a javascript widget to a partner site’s domain?

I would like to develop a client side javascript widget that may be included on authorized partner web sites only. The javascript widget will make REST calls back to the main website. Partner web ...
5 votes · 1 answer · 611 views

Web services and PhoneGap: best practices

Hi, I am using PhoneGap for cross-platform development (I use AngularJS as my JS framework). I want to use a web service to access a list of positions from my database (MySQL) on my website. The ...
5 votes · 4 answers · 3k views

ApacheDS and Kerberos Setup

I am tasked with setting up an ApacheDS 2.0.0 LDAP + Kerberos (including KDC) server for use in our testing environment. I followed this guide, but am unable to successfully authenticate with my LDAP ...
5 votes · 1 answer · 2k views

Secure browser-side cache in Local Storage

To make the question clear: is the proposal below considered 'secure'? (i.e. doesn't introduce any significant security risks). I haven't seen any clear reason why the following proposal would be ...
5 votes · 1 answer · 1k views

Securely Storing Password Hashes in Cache

I am making a back-end server as a personal project. Currently, when someone registers, their password is hashed with Bcrypt and saved in the database. However, querying the database every time I ...
5 votes · 0 answers · 1k views

Java enable MD2 algorithm programmatically

Java 1.7 has disabled the use of the MD2 algorithm due to its weak nature. It is automatically set in the JAVAHOME/lib/security/java.security file as follows: jdk.certpath.disabledAlgorithms=MD2 I'm ...
5 votes · 0 answers · 580 views

WCF: Include BinarySecurityToken in logs

I need to include the BinarySecurityToken to a third party for an error report but WCF removes it from the logs: <wsse:BinarySecurityToken> <!-- Removed--> </wsse:BinarySecurityToken&...
5 votes · 2 answers · 2k views

Symfony 2.3 Bad Credentials Custom provider

I'm completely lost at the moment; for two days I have been trying to figure out why I always obtain a "Bad Credentials" response on my login form. I've used the How to load Security Users from the Database tutorial. ...
5 votes · 2 answers · 2k views

antisamy parser force closing tag

I use AntiSamy for validating HTML. My policy allows iframes, like YouTube videos. The problem is: if the tag is empty (like this): <iframe src="//www.youtube.com/embed/uswzriFIf_k?feature=...
5 votes · 1 answer · 2k views

What's the alternative for kSecTrustResultConfirm in iOS 7?

Our old app uses MKNetworkKit and MKNetworkOperation. Now under iOS 7 kSecTrustResultConfirm is deprecated. In MKNetworkOperation, there is this code: else if(result == kSecTrustResultConfirm) { // ...
5 votes · 3 answers · 4k views

How to implement a permission roles/groups system for my symfony2 website

[QUESTION] This is really more of a brainstorm for anyone who can participate and provide ideas. I would like to start by explaining what I am looking to do, some of my thoughts and hopefully get some ...
5 votes · 0 answers · 909 views

Insert smart card issue while initializing keystore in java

I'm working with an eToken using an Applet. I'm initializing the key store using the code below. KeyStore keyStore = null; try { keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI"); ...
5 votes · 0 answers · 801 views

Linux user permissions for Django deployment

Let's say a Django site lives on a production server in /var/virtualenvs/sitename with a directory structure like this: /var/virtualenvs/sitename/ logs/ access.log error.log ...
5 votes · 2 answers · 310 views

Java latest update security pop up

How should I remove the security pop-up from the developer side? I don't want the user to keep clicking "Don't block". I have all my *.jar files signed. Any help? And if I click "More information" ...
5 votes · 2 answers · 5k views

Integrate oauth2 with native (iOS/Android) mobile application

I need to integrate OAuth2 in an iOS and Android native application. I have been researching OAuth2 and mobile applications and found this documentation - Google APIs - Using OAuth 2.0 for Installed ...
5 votes · 2 answers · 455 views

Azure - IP filter depending on the database

I have an Azure application that uses different databases on different servers. These databases are independent, and each sector of my application uses only one database. I am trying to make an IP filter. This ...
5 votes · 1 answer · 327 views

IE9 security error when reading from canvas (non cross-domain)

I'm playing a video in a video tag. The video file is in the same directory as the index.php. I am then putting the video pixels on a canvas, doing some logic on them, reading them and putting on ...
5 votes · 2 answers · 2k views

How can Active Directory compare a user's previous passwords when setting a new one?

This is for a college assignment. At our college they use Microsoft's Active Directory to run their network. Every month we get asked to change our passwords, and when we do so it won't accept any of ...
5 votes · 2 answers · 182 views

Google authentication and authorization among their apps

Google provides a bunch of apps like Plus, Gmail, Docs, Reader, etc. Internally, these apps can talk to each other securely somehow to query information/data. I am wondering conceptually how Google ...
5 votes · 1 answer · 2k views

Connect to web server via Phonegap with SSL and Certificate

This is all about a PhoneGap Android and iOS application built on JS. We have a server with a method: - Authorize(login, pass), which returns a certificate.p12 file (PKCS#12). The server also has methods which ...
