Questions tagged [security]

Topics relating to application security and attacks against software. Please don't use this tag alone, that results in ambiguity. If your question is not about a specific programming problem, please consider instead asking it at Information Security SE: https://security.stackexchange.com

15,187 questions with no upvoted or accepted answers
7 votes, 0 answers, 4k views

Crash on launch because app is taking too long - deadlock - keychain

I have a little puzzle to solve... Our app is crashing on launch (the dreaded badf00d error, it's taking more than 5 seconds to launch) but we are not able to reproduce the issue. I was able to get ...

7 votes, 1 answer, 6k views

Detect screenshot attempts on Android 4.0+

I am developing an Android application that places a high priority on protecting the user's data, to the point of storing nothing in persistent memory on the local device. To further protect user ...

7 votes, 0 answers, 1k views

How to view an exe's SmartScreen reputation score?

Users who download my freeware application from CodePlex get a SmartScreen alert in Win 8: "Windows SmartScreen prevented an unrecognised application from starting. Running this application might put ...

7 votes, 1 answer, 1k views

Securely storing API credentials which need to be used as plain text

I have created an app which serves as a bridge between 2 different APIs - WebEx & Exchange Web Services - and Email. A user sends a calendar invitation to a special email address, the app parses ...

7 votes, 1 answer, 2k views

String-based queries like [executeQuery] are currently not supported in this implementation of GORM

I'm trying to persist spring-security-acl domain objects in MongoDB using the Grails mongo plugin. While executing the following line of code aclUtilService.addPermission Phone.class, phoneInstance.id, new ...

7 votes, 0 answers, 560 views

System.Security.VerificationException when running ANTS profiler in .NET 4.0

I've been using RedGate's ANTS Performance Profiler for a while now. We recently updated our 3rd party DLLs (Telerik) to their .NET 4.0 version. When we did this, I can no longer profile our code ...

7 votes, 1 answer, 866 views

On Google App Engine, can I relate a Google OAuth 2 token and a SACSID token I got using Android's AccountManager?

I am writing a Google App Engine application along with a CLI client, an Android client and a JavaScript client. The purpose of this application is to allow one to control an Android phone on which ...

7 votes, 1 answer, 2k views

How can I manage in-app billing transactions on an external server securely?

I'm attempting to implement a system for upgrading/unlocking various features of my app using "managed" purchases with in-app billing, and I'm getting bogged down by the lack of in-depth documentation ...

7 votes, 2 answers, 1k views

Authorized Flash client to Java server connection

I'm building a Flash-based Facebook game with a Java backend, and I'm planning to use a RESTful approach to connect the two of them (not a persistent socket connection). I'm using the AS3 library to ...

7 votes, 2 answers, 1k views

How to ask for permission again on OPPO if the user denies the permission on the Oppo Lollipop version?

I am facing a problem on an Oppo phone, Lollipop version. I need the write-contacts permission in my app, but on Oppo Lollipop it asks for Oppo's own security permission. If I deny that permission then the application ...

7 votes, 2 answers, 1k views

Is it possible to get a TLS handshake event in Tomcat?

I'm running an application (web service) in Tomcat with TLS enabled (with certificates for both the client and the server). I want my application to be able to send an audit message (logging) ...

7 votes, 2 answers, 20k views

How to add HTTP headers to a React JS app's response

I have a React JS application. I want to add some HTTP headers to every response that's being returned from the app. Could you please suggest how to implement this! NOTE: I am not trying to ...

6 votes, 0 answers, 925 views

Request from unknown party, Sogou

I am hosting a simple prototype on Amazon Lightsail and I saw some strange requests on my Django server. Is it anything to be concerned about? Invalid HTTP_HOST header: 'fuwu.sogou.com'. You may need ...

6 votes, 1 answer, 624 views

Why does using JWT refresh tokens protect against CSRF during authentication?

I have read a few articles regarding JWT refresh tokens, and how/why they are used. One thing I have seen mentioned here: https://hasura.io/blog/best-practices-of-using-jwt-with-graphql/#persistance ...

6 votes, 0 answers, 497 views

Using the private key generated by DCAppAttestService

Apple released a way to attest generated key pairs in the iOS 14 beta, named Device Check App Attestation Service (DCAppAttestService). I've already successfully generated a key pair like it is ...

6 votes, 0 answers, 298 views

EncryptedSharedPreferences without MasterKeys.getOrCreate()

I found out that the default way of using EncryptedSharedPreferences is to create the key for it with MasterKeys. However, when I replace val masterKeyAlias = MasterKeys.getOrCreate() with a sample ...

6 votes, 1 answer, 169 views

Can I prevent node_modules bundled with webpack from using window.postMessage?

For security reasons, I need to disallow 3rd party modules which are included in my bundle by webpack from using window.postMessage to communicate with other processes in my Electron app. Is that ...

6 votes, 0 answers, 2k views

Securing data at rest in Kafka

We are preparing for our first deployment of Kafka to production, and I'm wondering about the best way to implement data-at-rest security. I've seen a few articles talking about end to end security/...

6 votes, 1 answer, 2k views

Is it acceptable to commit API keys and .env files to a private business repo?

I did a search and surprisingly found no answer. Right now we don't commit our API keys/.env file on a repo that a growing team of 4 is working on. Whenever we change something, like say, a DB ...

6 votes, 0 answers, 406 views

How to avoid the Java Security Information popup?

Problem - The Java security information popup appears when an applet-based application loads in the browser. When I check "Always trust content from the publisher" and click run, the application runs and ...

6 votes, 0 answers, 3k views

How can I implement JWT (JSON Web Token) for a SOAP web service?

I want to implement JWT for my SOAP web service. Basically, what I want to achieve is having basic JWT security across the SOAP web service request HTTP header. My project is built as an EAR and contains ...

6 votes, 1 answer, 506 views

Bypass security of HTML import

I am importing an HTML snippet from a third party and embedding it into some placeholder outside my Angular 7 application. There's one link starting with javascript: inside the snippet that will be ...

6 votes, 0 answers, 3k views

Node.js: How do I protect against malicious image file uploads? I.e., how do I implement an image sanitizer in Node?

I am creating a web app using hapi.js that allows users to upload images. I am validating the uploaded images in both the client and server to only allow .jpg/.jpeg, .png, and .gif files. However, I ...

6 votes, 0 answers, 909 views

Protect source code for auth-only routes in SSR Nuxt.js (or plain Vue.js)

I use an Express backend with the nuxt.render middleware to consolidate my API, front-end and development environment. So far, everything is going great, but I had some concerns about security ...

6 votes, 0 answers, 1k views

Is it possible to get Google AdSense working without adding 'unsafe-inline' to the Content Security Policy (CSP)?

I tried adding a nonce to SCRIPT_SRC, but CSP complains about adsbygoogle.js: refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src '...

6 votes, 1 answer, 856 views

Unable to find the controller for path "/api/login_check". The route is wrongly configured

I have a problem with "login_check" and I use Symfony 3 and LexikJWTAuthenticationBundle. The problem: The security.yml: firewalls: login: pattern: ^/api/login stateless: ...

6 votes, 1 answer, 1k views

How can I search LinkedIn with PHP?

I have a PHP script which opens HTTP requests by using cURL: (it also accepts headers if needed) $c = curl_init(); curl_setopt($c, CURLOPT_URL, $url); curl_setopt($c, ...

6 votes, 1 answer, 547 views

Security implications of setting document.domain in iframed content

I have two subdomains, content and www, under the domain example.com. Content from content.example.com is being presented in www.example.com via an iframe. Because the content on content.example.com ...

6 votes, 0 answers, 1k views

Android: Detect whether device can be unlocked with fingerprint

I have an app that uses fingerprint authentication. As an extra security measure I'd like to detect whether the fingerprint is used to unlock the device. I tried retrieving the lock mode in the ...

6 votes, 0 answers, 223 views

How to prevent brute-force attacks on CouchDB?

I have a CouchDB server open to all IP sources. Each client makes a request this way: http://username:password@couchdb/database How can I prevent a brute-force attack? Is there a way to ban a source ...

6 votes, 0 answers, 2k views

Is it safe to use find params[:id] in Rails?

Expressions like the following are common in Rails: @project = Project.find params[:id] # example 1 @project = current_user.projects.find params[:project_id] # example 2 However I realize that find ...

6 votes, 1 answer, 994 views

Where do I store the OAuth refresh token in a browser-based application?

I'm storing both the access token and refresh token in local storage. Is this correct? Detail: I have an Angular 2 application. The user loads my application, and then authenticates (username, ...

6 votes, 0 answers, 138 views

Child application cannot read parent web.config

In IIS I have an important application (named treasure), with a child application (named blog). From a security point of view, I decided to run both applications under their own application pools, and ...

6 votes, 0 answers, 2k views

Android RSA key length

I would like to generate and securely store a 4096-bit RSA key pair on an Android device running API 18+ (4.3). The documentation states the AndroidKeyStore supports 4096-bit keys on API 18. However ...

6 votes, 0 answers, 473 views

Web Start security level j2ee-application-client-permissions still possible?

According to the JNLP file syntax there are three security levels: sandbox (default if no level is explicitly specified), j2ee-application-client-permissions, all-permissions. In recent Java versions ...

6 votes, 0 answers, 2k views

Android APK tamper detection from NDK/JNI

Problem: I have some keys which I want to keep safe. At present, a native shared library generates them on demand. This shared library is used by my APK to get the keys. The problem with the current ...

6 votes, 1 answer, 9k views

How to disable DefaultSecurityFilterChain in a Spring Boot app?

In my Spring Boot application, I have: @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { ... @Override protected void configure(...

6 votes, 0 answers, 1k views

HTTPS TLS certificate chain validation using Python Requests

I'm running a Windows service using Python 2.7.9. As part of it I'm trying to connect to a server using HTTPS. I'm using the requests module (2.7.0) to do it. I'm also using the wincertstore (0.2) module to ...

6 votes, 1 answer, 966 views

Exploiting jQuery HTML decoding using textarea

Following up on my last question... This code can be exploited if an attacker has access to encodedText: return $('<div/>').html(encodedText).text(); e.g. $("<div/>").html('<img src="...

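The snippet quoted in that question is unsafe because jQuery's .html() hands the string to the HTML parser, which creates live elements; an `<img>` with an `onerror` handler fires during that step, before .text() ever strips the markup. The added example below (not from the question or its answers) shows the alternative a practitioner would reach for: decoding character references as a plain string transformation that never constructs DOM nodes, so raw markup in attacker-controlled input stays inert text. The entity table and the sample inputs are constructed for the example; a real decoder would carry the full HTML named-reference table.

```javascript
// Added example, not code from the question. Decode HTML character references
// (&lt; &#60; &#x3C; ...) without ever parsing the string as HTML.
// Contrast: $('<div/>').html(encodedText).text() parses encodedText into live
// elements first, so a raw <img src=x onerror=...> inside it executes.

// Small named-reference table (constructed for the example; a production
// decoder would use the complete HTML5 entity list). Names are case-sensitive.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

const REF = /&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);/g;

function decodeNumeric(body) {
  const hex = body[1] === 'x' || body[1] === 'X';
  const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
  // Out-of-range, NUL and surrogate code points are replaced, as a browser
  // parser would do, rather than passed through.
  if (!Number.isFinite(cp) || cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) {
    return '\ufffd';
  }
  return String.fromCodePoint(cp);
}

// Single-pass decode: "&amp;lt;" becomes "&lt;", never "<". Unknown names are
// left untouched, which is also what the HTML parser does for them.
function decodeEntities(encodedText) {
  return String(encodedText).replace(REF, (match, body) => {
    if (body[0] === '#') return decodeNumeric(body);
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : match;
  });
}

// Where the decoded string is shown in a page, assign it to textContent (or
// pass it through a templating layer that escapes); never back into innerHTML.
function renderAsText(el, encodedText) {
  el.textContent = decodeEntities(encodedText);
  return el.textContent;
}

// Constructed sample inputs, as an attacker who controls encodedText might send.
const SAMPLES = {
  encodedImg: '&lt;img src=x onerror=alert(1)&gt;',   // decodes to inert text
  rawImg: '<img src=x onerror=alert(1)>',            // no references: passes through as text
  doubleEncoded: '&amp;lt;script&amp;gt;',            // one pass only
};

function demo() {
  const fakeEl = { textContent: '' };                 // stand-in for a DOM node
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, v]) => [k, renderAsText(fakeEl, v)])
  );
}
```

In a browser the same property is what makes `new DOMParser().parseFromString(s, 'text/html')` acceptable for this job: the resulting document has no browsing context, so scripts in it do not run, which is the guarantee a detached `$('<div/>')` does not give you.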
6 votes, 1 answer, 680 views

Design for mobile authentication with a Node.js server

I recently struggled with the problem of security and user authentication for an iOS app I'm making, the main problem being how does one allow users to sign up with any 3rd party service (or a ...

6 votes, 2 answers, 99 views

Security implications of a socket race when tunnelling a sub-command

I want to tunnel a sub-command through a connection by listening to a port, running the sub-command (to connect to that port), and then forwarding the data through the connection: package main ...

6 votes, 3 answers, 10k views

Writing a custom Shiro realm

I am constructing my own AuthorizingRealm subclass, and am having a tough time wiring it up to my SecurityManager. The essence of my realm: public class MyRealm extends AuthorizingRealm { ...

6 votes, 0 answers, 1k views

Stripe payment form to be embedded in an iframe: any security concerns?

I've a project which connects different businesses who can sell their own products on my app, and the payment gateway I used is Stripe. They connect their Stripe account to my app through Stripe ...

6 votes, 0 answers, 8k views

How to use cookies to log in to a website?

I have logged into a website and saved the respective cookies in a text file. Now I want to log in to the same website using: a command-line utility like wget/curl, without username and password, using ...

6 votes, 1 answer, 3k views

Can site users change cookie or session data?

In some of my posts, when I have stored user information in cookies, all the comments and answers have said something like, "... answer to problem ... but DON'T USE COOKIES TO STORE USER INFORMATION. ...

6 votes, 0 answers, 1k views

The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "swappedout". Protocols must match

I'm getting this strange error in the console on a locally hosted website (hosted in IIS). The browser is Google Chrome. Does anyone have a clue as to what's going on here and how to get rid of this ...

6 votes, 4 answers, 2k views

Saving an encrypted private key in a cookie

I am currently working on a project with a lot of security and I am having a bit of a problem choosing a technical solution to satisfy my customer's need. First things first, let me explain the ...

6 votes, 0 answers, 592 views

Shiro configuration: [urls] section dynamically

I am new to Shiro, I want to use this for securing my web application. I have tested its various features. I have also tested [urls] /login.xhtml = authc /logout = logout /admin/** = user, roles[...

6 votes, 0 answers, 375 views

Can you disable a web document's Content Security Policy? (connect-src)

I have a browser bookmarklet that invokes an HTTP request using JavaScript. It works for every single website I've tried it on except Facebook. Facebook has some kind of content security policy that ...

6 votes, 0 answers, 621 views

How to debug Apache's allow/deny rules?

I tried adding LogLevel Debug but all I get is client denied by server configuration: /somedir/html/file.html I have a complex allow/deny rule for one location, that can be reduced to this to ...
