Questions tagged [security]

Topics relating to application security and attacks against software. Please don't use this tag alone, that results in ambiguity. If your question is not about a specific programming problem, please consider instead asking it at Information Security SE: https://security.stackexchange.com

15,165 questions with no upvoted or accepted answers
5 votes, 1 answer, 2k views

I do not understand WCF scaling with security / Why is lsass.exe CPU% so high?

I've got a WCF service with about 500 clients that make a call every 3 minutes. The lsass.exe process is using 95% of my CPU when the service is on. I did a test and every time a client makes a call, ...

5 votes, 4 answers, 14k views

Generate an LTPA token?

We have a need to integrate a server with our WebSphere environment that does not support LTPA. I found Working with Lightweight Third Party Authentication (LTPA) by Cosmin Stejerean and ...

5 votes, 2 answers, 2k views

Mutual SSL - how much authentication is sufficient?

Suppose you have a mutual SSL service, which in addition to the SSL, has application authentication. Thus, clients provide certificates (as well as servers), but the client request (e.g., REST ...

5 votes, 0 answers, 442 views

How do you restrict access rights to your ClickOnce web repository?

I've built and successfully deployed a ClickOnce application. The application successfully updates when needed, and everything works fine. However, I don't like the fact that everybody on the ...

5 votes, 1 answer, 2k views

How to securely store an API key in a static website

I have a SPA website that is hosted in AWS S3 and served by CloudFront. There are multiple CNAMEs that connect to this website, e.g. A.Mysite.com, B.Mysite.com. I have an API that the static website ...

5 votes, 1 answer, 1k views

MSCHAPv2 with RADIUS - How exactly does the encrypting process go?

I'm building a RADIUS server to work with MS-CHAPv2 in node.js. I have a RADIUS client, which is the VPN server that sends me the following in an Access-Request: User-Name MS-CHAP-Challenge MS-...

5 votes, 1 answer, 2k views

Securing OAuth bearer token against attacks such as XSS, CSRF in JavaScript apps

I am a bit unclear about how to secure (or protect) bearer tokens when using pure JavaScript applications. I know when the user requests a token from the server it can come with a validity of 14 days or 24 ...

5 votes, 3 answers, 2k views

Keep a secret key safe in Python

I am aware that these questions have been asked before several times separately, and most of the answers I've found are "Python is not easy to obfuscate, because that's the nature of the language. If ...

5 votes, 1 answer, 2k views

ini_set() always returning false

On my current project I have a security.php which holds some functions and some ini_set() statements. ini_set('session.use_trans_sid', 0); ini_set('session.use_only_cookies', 1); ini_set('session....

4 votes, 0 answers, 118 views

nlohmann json: securely erase the keys (C++)

I'm using nlohmann/json library to represent sensitive information. Once the needed processing has been completed, I'm interested in securely erasing the keys of the json type. Example: json test; ...

4 votes, 0 answers, 577 views

Is it possible to update React context via Cypress?

I am using Cypress for integration testing (not for unit testing / component testing) and working with an application that has authentication logic depending on the presence of a security token in the ...

4 votes, 1 answer, 726 views

Allow developers to create AWS Lambda or SAM without granting Administrator access

It seems to be impossible to allow developers to create Lambdas and create or maintain SAM Applications in AWS without essentially having AdministratorAccess policies attached to their developer's ...

4 votes, 1 answer, 746 views

Accessing `proc` file-system to read `/proc/[pid]/some-file` from a system app

I have a custom A10 repo in which I'm trying to create an app that would be able to read /proc/[pid]/some-file files e.g. stat and status, kind of like ps does. Having read this answer it was clear ...

4 votes, 1 answer, 593 views

How to check if a Certificate is installed and trusted on iOS

I've an app which prompts the user to download and install a Configuration Profile. The profile contains a Root CA embedded inside it. I want to check if the Configuration Profile is installed on the ...

4 votes, 0 answers, 530 views

Nested JWT token claims

Just a quick question regarding the JWT spec and common JWT best practices. Can / should I use nested objects as JWT token claims or should I use prefixed claims? Both seem to be valid (at least ...

4 votes, 0 answers, 347 views

How to restrict Jenkins node by label for a group of users

The situation: Say I have a Jenkins installation with multi-branch pipelines which execute on nodes which are implemented as ECS Tasks in AWS. The nodes have specific IAM roles which allow to do ...

4 votes, 0 answers, 397 views

What are recommended / minimum parameters for hashlib.scrypt?

The documentation of hashlib.scrypt is a bit short: hashlib.scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64) The function provides scrypt password-based key derivation function as defined in ...

4 votes, 0 answers, 837 views

ReactJS - Refused to apply inline style because it violates the following Content Security Policy directive

I get the following error in the browser inspector (Chrome, Brave, Safari) when I load my ReactJS project in Production: Refused to apply inline style because it violates the following Content ...

4 votes, 0 answers, 1k views

CSP - worker-src blob security

Is it safe using "blob" for "worker-src" in CSP or is there a security drawback? Couldn't anyone start a worker then by passing a blob from any website?

4 votes, 1 answer, 95 views

Read OS (Linux and Mac) environment variables to not expose backend IPs and credentials in Angular 9

I'm trying to build and deploy my Angular 9 project in a production environment. The main goal is to protect my back-end services' IP address and credentials as these environments can't be exposed to ...

4 votes, 1 answer, 488 views

Are Shiny Server's ShinyApps files safe from intruders?

In the case of Shiny apps published on a private network using Shiny Server: are the files in the project folder and subfolders (such as www and/or data) vulnerable to being accessible to an external ...

4 votes, 0 answers, 974 views

Logger configuration safety warning by SonarQube

After implementing logging functionality in a microservice, I sent the code through a SonarQube code-check. SonarQube keeps warning me about safety issues regarding loggers. I tried several things ...

4 votes, 0 answers, 297 views

How to setup a secure communication between desktop app with websocket server and a web page?

I am developing a desktop application that starts a websocket server, so that web pages/clients served by other web servers can call the desktop app to perform some actions requiring OS APIs not ...

4 votes, 0 answers, 1k views

document.cookie and Chrome's SameSite/Secure restrictions

I am attempting to follow the new guidelines for cross-site cookies and passing the SameSite=None; Secure attributes with cookies as I attempt to set them in browser JavaScript code. We are sending ...

4 votes, 0 answers, 509 views

Is there a way to generate an X.509 Certificate in Swift programmatically?

I know this is an old topic, since the very few answers found on the internet are 5 - 8 years old. My requirement is straightforward: I have generated an asymmetric key pair, and I want to send the ...

4 votes, 1 answer, 152 views

Why ASP.Identity encodes SecurityStamp using Base32 (internal implementation)

I'm considering Base64 to store SecurityStamp within my user aggregate. Before entering a pitfall I'm trying to understand the reasons why the ASP team chose to use Base32 instead of simply using Base64. ...

4 votes, 0 answers, 268 views

How vulnerable is running untrusted code with limiting references using AssemblyLoadContext in C# .NET Core

I am trying to run untrusted code uploaded by users on my server. My users want to write simple functions to be executed on the server like this: public class HelloWorldPlugin { public string ...

4 votes, 0 answers, 92 views

Truly reproducible Docker containers?

There is a security trend called reproducible builds, which aims for having a way to create bit-exact copies of output binaries so that the user can verify whether the version found on the internet is ...

4 votes, 0 answers, 674 views

VueJS send passwords in axios to API

How can I secure this code? Because in the network inspector, we can see the newPassword and acutalPassword. The user writes this actual password and this new password to change password, in a Vue ...

4 votes, 0 answers, 2k views

Flask Talisman Content Security Policy

I want to use Flask-talisman to secure my app SELF = '\'self\'' talisman = Talisman( app, content_security_policy={ 'default-src': [ 'https://fonts.googleapis.com', ...

4 votes, 0 answers, 638 views

How to scan a particular URL or page alone in OWASP ZAP

I have installed OWASP ZAP 2.8.0 and scanned our site fully. As a result we got some SQL injection URLs or pages. So we have fixed those SQL injection issues in development which were mentioned by the OWASP tool. ...

4 votes, 0 answers, 1k views

How can I enable a client certificate on iOS 12 so that Chrome uses it

On iOS 12, Safari presents the client certificate and I am able to choose it and proceed to the website because the client certificate was authenticated successfully. Chrome doesn't ask and therefore ...

4 votes, 0 answers, 233 views

Single Sign On with Rails Server and React client

I have a Rails API and a client written in React that is embedded in website A. I want to use single sign-on so that users logging in to website A and going to my React app are automatically logged in ...

4 votes, 0 answers, 472 views

BrowserSync: Refused to execute inline script, Anchor Tags not working

When I click on the anchor tags it takes me to /null and displays this error: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src '...

4 votes, 1 answer, 757 views

Is there a C# equivalent of `Memset` or `SecureZeroMemory`?

I'm creating a Unity game, so I need some security for my save files and other sensitive data. To do so, I created some functions that use the built-in AES and RSA encryption methods. However, they ...

4 votes, 0 answers, 300 views

Is SMTP plain authentication secure when using STARTTLS?

I am writing some Linux code which requires sending emails. My question is: when I do use STARTTLS (starttls on in msmtprc) is it secure to use plain authentication (auth plain)? Is the connection a)...

4 votes, 0 answers, 680 views

Snyk.io how do I target it to run on a specific branch and not the default branch?

I am using snyk.io to run security scans on GitHub repos. When I run the report it only picks up the default branch from the repo and runs the test against it. I want to know how I can target this test ...

4 votes, 1 answer, 139 views

When (and when not) to run the `sanitize` method?

I would like to definitively know when to run (and when not e.g. because it's automatically run) the sanitize method throughout my Rails 5 application. For example, in my view files, embedded inside &...

4 votes, 1 answer, 2k views

How can I get basic auth information from the browser?

My backend needs a basic auth Authorization header. 'Authorization': 'Basic dXNlcm5hbWU6cGFzc3dvcmQ' The problem I have is that I need to use the native basic auth prompt from the browser and I don't ...

4 votes, 0 answers, 109 views

Supplement for vm2 js which can securely run untrusted code in languages other than JavaScript

I am trying to implement a Node.js web app, a simpler version of which is that users submit code files in multiple programming languages like C++, Python, Java, JS etc. and the output produced is shown ...

4 votes, 0 answers, 306 views

Port Knocking using JavaScript works well on Linux but not in Windows

I'm securing a web application and I'm implementing the port knocking technique. The server side implementation is running and I'm making a small desktop application to make the "knocking" on the ...

4 votes, 0 answers, 294 views

How can I sandbox the YouTube iframe_api

I'm trying to <iframe sandbox> the YouTube iframe_api to prevent it from accessing sensitive data in the main window. I have a sandboxed iframe that contains the JS to invoke the API, but in ...

4 votes, 1 answer, 103 views

Securing HTML contents from servers of the same origin

It's not a common question, but I wonder if any tricks or upcoming standards exist. Below are a flow and what I want to implement. Web application loaded from server-side Client-side script loads ...

4 votes, 0 answers, 1k views

Securely passing a password to subprocess.Popen via environment

I would like to securely ask a user for a password and then pass it to subprocess.Popen to run a command that requires it. I have seen this question and that one, but I wonder if I can securely pass ...

4 votes, 3 answers, 5k views

Disabling IIS Server Response Headers in Case of 404 and 302 Files

I use the following custom headers and rewrite rules to remove server response headers on IIS 8.5, but when I open the network monitor in Firefox or Chrome and point to any file with status 404 (as well as ...

4 votes, 0 answers, 247 views

Google Maps prevent attack to force multiple requests

Recently Google Maps has updated its prices and it makes me wonder what happens if a malicious user decides to visit a website with a Google Map, open the developer console of the browser and write a ...

4 votes, 0 answers, 3k views

How to detect a screen overlay on Android

Is there any way to detect if a screen overlay is present over my app on Android? Or at least is there a way to prevent screen overlays over my app? I found an open source app that is designed to ...

4 votes, 0 answers, 1k views

Kafka SASL handshake takes too long

Description: authentication using SASL/SCRAM or SASL/PLAINTEXT takes around 9 seconds to complete. Is this normal? How to reproduce: One Kafka broker instance (v1.1.0) One C# producer (Confluent ...

4 votes, 0 answers, 738 views

File upload security in Django-2.x

The documentation on secure file upload (https://docs.djangoproject.com/en/2.0/ref/models/fields/#file-upload-security) doesn't quite answer my concerns. Consider the following use case: a (...

4 votes, 2 answers, 2k views

How to securely use Concourse with a GitHub private key stored in Vault

We are trying to run Concourse with Vault. The reason for using Vault is to store secrets in a secure way. Some of the parameters we want to store in Vault are the GitHub private key, to get access to the ...
