Questions tagged [security]

Topics relating to application security and attacks against software. Please don't use this tag alone, that results in ambiguity. If your question is not about a specific programming problem, please consider instead asking it at Information Security SE: https://security.stackexchange.com

15,187 questions with no upvoted or accepted answers
15 votes, 1 answer, 7k views

java - deserialization of untrusted data workaround

Last year we encountered the so-called java object deserialization vulnerability (not a java's problem as it looks), which is deserializing an object which might lead to Remote Code Execution (RCE) or ...

12 votes, 1 answer, 576 views

Disable Networking in Electron

electron.js is a user interface toolkit that allows a web application to operate as an arbitrary GUI. However, there are some applications that should be considered sensitive - for instance, a GUI ...

12 votes, 2 answers, 1k views

Escaping Qualtrics piped text for use in javascript (more generally, how to safely escape user-generated text)

In my Qualtrics survey I have a free-response (textbox) question. I'd like to get the response to this question into javascript so I can do some complicated text processing and post the result to an ...

11 votes, 1 answer, 3k views

Must strange site visitor user agents be avoided? If yes, how?

I am using shared hosting. My site was showing "ERR_CONNECTION_REFUSED". So I went to see visitors to my (SSL) site. I found that instead of regular names in the "User Agent" list, ...

11 votes, 0 answers, 321 views

What is the right way to validate a client TLS cert using the tls library in Haskell?

I have a working Yesod/Warp server. I would like to equip this server with the ability to allow admin users to authenticate themselves using client-side certificates. Additionally, I would like to ...

11 votes, 0 answers, 894 views

KeyAttestation in Android Nougat API 24

I read about the new key attestation API in Android N and wanted to test it but I'm missing some classes. The key attestation is described here: https://developer.android.com/preview/features/key-...

11 votes, 0 answers, 3k views

SVG>PNG from canvas.toDataURL throws DOM exception 18 security error in Safari 9.x

I'm creating a dynamically-generated SVG from HTML text content. It works fine in Chrome but Safari consistently throws an error when the SVG data is converted to PNG for downloading. What has me ...

11 votes, 1 answer, 642 views

Security issue with custom search provider for Windows 7

I built a search provider for Windows 7, running on localhost. (using .osdx file and RSS web site) the element in the returned RSS contains local file path. example: <link>c:\windows\win.ini&...

10 votes, 0 answers, 388 views

How to zero out user data in memory (RAM) of WKWebView after dealloc

I would like iOS to zero out user sensitive data from memory (specifically username/password entered in HTML pages) of WKWebView once the user is done with it. Below project depicts the difference in ...

10 votes, 1 answer, 1k views

Unable to send cookie with HTTPOnly flag in request header in safari

I created cookies with HTTPOnly flag in Safari browser using Java. See response header below. Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer:http://anil....

10 votes, 0 answers, 12k views

What is the best way to sanitize inputs with Flask and when using MongoDB?

I'm writing my application backend with Python Flask. As part of the registration process, I have a form that sends the new user's information to my backend and then adds it to my MongoDB database. I'...

10 votes, 1 answer, 222 views

Annotation based security restriction does not work for web socket triggered method calls

I did some research on this, but I couldn't find the solution. I have a class like this @Stateless class ConfigBean { @RequiresRole("administrator") public void reloadConfiguration(){ ........

10 votes, 3 answers, 466 views

Permissions issue only when fully qualifying exe path. Why not always?

When I try to execute the SQL Server 2012 BCP.exe utility to dump the contents of a table to a file using a fully qualified path to the exe, D:\SQL2012\110\Tools\Binn\bcp.exe DBNAME.DBO.TABLENAME ...

10 votes, 2 answers, 2k views

CloudFlare JS challenge is breaking my SPA

I have a React based SPA that is hosted via S3 on one subdomain, react.mydomain.com ... It communicates with a PHP REST API that is hosted on a VPS on another subdomain, api.mydomain.com . The api....

9 votes, 0 answers, 2k views

Google Analytics and Subresource Integrity

I have Subresource Integrity (SRI) enabled in the Content Security Policy (CSP) headers. How can I integrate google analytics? Using a hash for their script will probably break within a few days when ...

9 votes, 1 answer, 3k views

How to verify old password with Keycloak Admin Java API?

I have application which uses Keycloak 3.1.x, the application is using following dependency to interact with Keycloak remotely: <dependency> <groupId>org.keycloak</groupId> &...

9 votes, 1 answer, 1k views

Is it safe to pass auth token via iOS deep link?

I'm designing a webapp/mobileapp security flow where there are no passwords, only an auth token sent to the phone via sms. Flaws in this? The plan: Phone receives sms link with embedded invite token ...

9 votes, 0 answers, 7k views

Windows Firewall has blocked some features of IntelliJ IDEA

I installed IntelliJ IDEA 2016.3 Community Edition and I created a simple Java class containing a main method that just prints a message. When I run that "program", the following window appears: ...

9 votes, 0 answers, 3k views

Java - Security - Retrieve CRL data from a Certificate

Goal: Retrieve the Certificate Revocation List information for a given Certificate. Reason: When a java.security.cert.PKIXParameters object is set to enable checking of certificate revocation status ...

9 votes, 0 answers, 971 views

CSP style-src failing to recognize SHA?

Here is the direct error message I am getting from the Chrome dev tools: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha256-...

9 votes, 0 answers, 354 views

All Site Permissions for jnlp web start file for Mac Yosemite

I am using a WebStart file, launched with a jnlp file. Actually downloaded it locally. I used the same jnlp file on a windows machine, I changed the permissions through the java.policy file. The ...

9 votes, 1 answer, 883 views

Is my hack to store users' private data on Cloudant secure?

I want to store users' private information on a CouchDB in Cloudant - i.e. each user should be able to read and update only his own document. Usually such information is saved in the _users db, but I ...

9 votes, 2 answers, 2k views

How do I protect against XSS attacks in attributes such as src?

So I've been building a C# html sanitizer using html agility with a white list. It works fine, except for cases like these: <img src="javascript:alert('BadStuff');" /> <img src="jav&#x09;...

9 votes, 2 answers, 6k views

How to verify (and require) self-signed certificate in iOS

I'd like to create an SSL connection to my server using self-signed certificates that are shipped with the code in iOS. That way I don't have to worry about more sophisticated man-in-the-middle ...

8 votes, 0 answers, 857 views

Keystore getEntry returns NULL on Android 9

I have encrypted and decrypted a login password which is stored in the Android Keystore. On Android 9, I observed that the app crashes when trying to decrypt the password (I am not able to reproduce ...

8 votes, 1 answer, 623 views

NPM 6 - Should I audit fix all package vulnerabilities?

After installing NPM 6 almost every NPM package that I install on an Angular 6 project has vulnerabilities. Should I "npm audit fix" every package each time? Should I reinstall NPM 5? Other solution? ...

8 votes, 1 answer, 82 views

Why is an authentication URL not needed in OAuth 2.0 grant types other than authorization code?

I have good knowledge of all OAuth grant types including use cases, but I have a question. I have seen many examples of authorization code, so if I talk about part of the steps of the authorization code grant type where ...

8 votes, 1 answer, 3k views

Android M - Keychain like storage for username/password

Here's the workflow from iOS that I'm trying to achieve on Android: User starts app for the first time and Logs in successfully with credentials (sent to API for validation). Prompt shows asking to ...

8 votes, 1 answer, 271 views

Make one IAP valid for different applications

Until now, I distributed my app on the Play Store with an in-app purchase to disable ads. I am redesigning the whole app and I'd like to split it into two applications: one for mobile devices (like ...

8 votes, 1 answer, 2k views

CSRF Protection for Refresh Token Cookie in SPA

I am using the Resource Owner Password Credentials OAuth 2.0 flow in a AngularJS SPA. There are several articles (here, here..) and the answer to this question that explain that we should not store ...