Questions tagged [security]

Topics relating to application security and attacks against software. Please don't use this tag alone, that results in ambiguity. If your question is not about a specific programming problem, please consider instead asking it at Information Security SE: https://security.stackexchange.com

15,187 questions with no upvoted or accepted answers
15 votes, 1 answer, 7k views
java - deserialization of untrusted data workaround
Last year we encountered the so-called java object deserialization vulnerability (not a java's problem as it looks), which is deserializing an object which might lead to Remote Code Execution (RCE) or ...

12 votes, 1 answer, 576 views
Disable Networking in Electron
electron.js is a user interface toolkit that allows a web application to operate as an arbitrary GUI. However, there are some applications that should be considered sensitive - for instance, a GUI ...

12 votes, 2 answers, 1k views
Escaping Qualtrics piped text for use in javascript (more generally, how to safely escape user-generated text)
In my Qualtrics survey I have a free-response (textbox) question. I'd like to get the response to this question into javascript so I can do some complicated text processing and post the result to an ...

11 votes, 1 answer, 3k views
Must strange site visitor user agent be avoided? If yes how?
I am using shared hosting. My site was showing "ERR_CONNECTION_REFUSED". So I went to see visitors to my (SSL) site. I found that instead of regular names in the "User Agent" list, ...

11 votes, 0 answers, 321 views
What is the right way to validate a client TLS cert using the tls library in Haskell?
I have a working Yesod/Warp server. I would like to equip this server with the ability to allow admin users to authenticate themselves using client-side certificates. Additionally, I would like to ...

11 votes, 0 answers, 894 views
KeyAttestation in Android Nougat API 24
I read about the new key attestation API in Android N and wanted to test it but I'm missing some classes. The key attestation is described here: https://developer.android.com/preview/features/key-...

11 votes, 0 answers, 3k views
SVG>PNG from canvas.toDataURL throws DOM exception 18 security error in Safari 9.x
I'm creating a dynamically-generated SVG from HTML text content. It works fine in Chrome but Safari consistently throws an error when the SVG data is converted to PNG for downloading. What has me ...

11 votes, 1 answer, 642 views
Security issue with custom search provider for Windows 7
I built a search provider for Windows 7, running on localhost. (using .osdx file and RSS web site) the element in the returned RSS contains local file path. example: <link>c:\windows\win.ini&...

10 votes, 0 answers, 388 views
How to zero out user data in memory (RAM) of WKWebView after dealloc
I would like iOS to zero out user sensitive data from memory (specifically username/password entered in HTML pages) of WKWebView once the user is done with it. Below project depicts the difference in ...

10 votes, 1 answer, 1k views
Unable to send cookie with HTTPOnly flag in request header in safari
I created cookies with HTTPOnly flag in Safari browser using java. See Response header below. Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer:http://anil....

10 votes, 0 answers, 12k views
What is the best way to sanitize inputs with Flask and when using MongoDB?
I'm writing my application backend with Python Flask. As part of the registration process, I have a form that sends the new user's information to my backend and then adds it to my MongoDB database. I'...

10 votes, 1 answer, 222 views
Annotation based security restriction does not work for web socket triggered method calls
I did some research on this, but I couldn't find the solution. I have a class like this @Stateless class ConfigBean { @RequiresRole("administrator") public void reloadConfiguration(){ ........

10 votes, 3 answers, 466 views
Permissions issue only when fully qualifying exe path. Why not always?
When I try to execute the SQL Server 2012 BCP.exe utility to dump the contents of a table to a file using a fully qualified path to the exe, D:\SQL2012\110\Tools\Binn\bcp.exe DBNAME.DBO.TABLENAME ...

10 votes, 2 answers, 2k views
CloudFlare JS challenge is breaking my SPA
I have a React based SPA that is hosted via S3 on one subdomain, react.mydomain.com ... It communicates with a PHP REST API that is hosted on a VPS on another subdomain, api.mydomain.com . The api....

9 votes, 0 answers, 2k views
Google Analytics and Subresource Integrity
I have Subresource Integrity (SRI) enabled in the Content Security Policy (CSP) headers. How can I integrate google analytics? Using a hash for their script will probably break within a few days when ...

9 votes, 1 answer, 3k views
How to verify old password with Keycloak Admin Java API?
I have an application which uses Keycloak 3.1.x; the application is using the following dependency to interact with Keycloak remotely: <dependency> <groupId>org.keycloak</groupId> &...

9 votes, 1 answer, 1k views
Is it safe to pass auth token via iOS deep link?
I'm designing a webapp/mobileapp security flow where there are no passwords, only an auth token sent to the phone via sms. Flaws in this? The plan: Phone receives sms link with embedded invite token ...

9 votes, 0 answers, 7k views
Windows Firewall has blocked some features of IntelliJ IDEA
I installed IntelliJ IDEA 2016.3 Community Edition and I created a simple Java class containing a main method that just prints a message. When I run that "program", the following window appears: ...

9 votes, 0 answers, 3k views
Java - Security - Retrieve CRL data from a Certificate
Goal: Retrieve the Certificate Revocation List information for a given Certificate. Reason: When a java.security.cert.PKIXParameters object is set to enable checking of certificate revocation status ...

9 votes, 0 answers, 971 views
CSP style-src failing to recognize SHA?
Here is the direct error message I am getting from the Chrome dev tools: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'sha256-...

9 votes, 0 answers, 354 views
All Site Permissions for jnlp web start file for Mac Yosemite
I am using a WebStart file, launched with a jnlp file. Actually downloaded it locally. I used the same jnlp file on a windows machine; I changed the permissions through the java.policy file. The ...

9 votes, 1 answer, 883 views
Is my hack to store users' private data on Cloudant secure?
I want to store users' private information on a CouchDB in Cloudant - i.e. each user should be able to read and update only his own document. Usually such information is saved in the _users db, but I ...

9 votes, 2 answers, 2k views
How I protect against XSS attacks in attributes such as src?
So I've been building a C# html sanitizer using html agility with a white list. It works fine, except for cases like these: <img src="javascript:alert('BadStuff');" /> <img src="jav&#x09;...

9 votes, 2 answers, 6k views
How to verify (and require) self-signed certificate in iOS
I'd like to create an SSL connection to my server using self-signed certificates that are shipped with the code in iOS. That way I don't have to worry about more sophisticated man-in-the-middle ...

8 votes, 0 answers, 857 views
Keystore getEntry returns NULL on Android 9
I have encrypted and decrypted a login password which is stored in the Android Keystore. On Android 9, I observed that the app crashes when trying to decrypt the password (I am not able to reproduce ...

8 votes, 1 answer, 623 views
NPM 6 - Should I audit fix all package vulnerabilities?
After installing NPM 6 almost every NPM package that I install on an Angular 6 project has vulnerabilities. Should I "npm audit fix" every package each time? Should I reinstall NPM 5? Other solution? ...

8 votes, 1 answer, 82 views
Why authentication URL is not needed in other Oauth 2.0 grant type than authorization code?
I have good knowledge of all Oauth grant types including use cases, but I have a question. I have seen many examples of authorization code, so if I talk part step of authorization code grant type where ...

8 votes, 1 answer, 3k views
Android M - Keychain like storage for username/password
Here's the workflow from iOS that I'm trying to achieve on Android: User starts app for the first time and Logs in successfully with credentials (sent to API for validation). Prompt shows asking to ...

8 votes, 1 answer, 271 views
Make one IAP valid for different applications
Until now, I distributed my app on the Play Store with an in-app purchase to disable ads. I am redesigning the whole app and I'd like to split it into two applications: one for mobile devices (like ...

8 votes, 1 answer, 2k views
CSRF Protection for Refresh Token Cookie in SPA
I am using the Resource Owner Password Credentials OAuth 2.0 flow in an AngularJS SPA. There are several articles (here, here..) and the answer to this question that explain that we should not store ...

8 votes, 0 answers, 3k views
What is Google Chrome's "Uncommon Download" warning based on?
I understand that Chrome's "Uncommon Download" warning is broadly based on how common a download is, but what are the specific conditions? Is "commonness" measured, or is it a heuristic? (eg. "zip ...

8 votes, 0 answers, 2k views
iOS App Security Best Practices (API Keys, Constants, WS URLs, Credentials)
What are the best practices to add extra security in an iOS App so Attackers/Hackers can not easily find the Secure Private Keys, Constants strings inside the code. P.S: I found some other related ...

8 votes, 1 answer, 1k views
Validate Live.com (Microsoft account) JWT token
Fellow programmers, I'm currently struggling with Microsoft account JWT token validation in Web Api 2. I've found OWIN middleware for that (NuGet package Microsoft.Owin.Security.Jwt) and here is the ...

7 votes, 0 answers, 83 views
Is OTP less authentication possible in Android?
Problem Statement: User X wants to Log In or Signup to App A and App B. Considering:- OS Environment: Android User X, Device D, App A and App B(App A and App B are two different organizations) App A ...

7 votes, 1 answer, 1k views
How to associate registry with scope in Yarn 2 without breaking auth?
This article suggests adding configuration to .npmrc in your project to associate a scope with a private registry to reduce the risk of a npm substitution attack (where someone might deliberately ...

7 votes, 0 answers, 2k views
Feature Policy: Skipping unsupported feature name "picture-in-picture" / "autoplay" / "encrypted-media"
I get this warning in Firefox using the YouTube iframe js API. How to deal with this?

7 votes, 0 answers, 2k views
sameSite=None; Secure still facing issue on Safari versions above 13
Even after adding sameSite=None; Secure, on the latest safari version 13 on MacOS 10.15 I am still seeing an issue of session timed out with third party cookies, and chrome works really well with this ...

7 votes, 0 answers, 503 views
AWS CodeBuild - Security Implications of Enabling Docker Layer Cache
When creating a Codebuild project it's possible to configure a cache in the Artifacts section to speed up subsequent builds. Docker layer cache is one of the options there. AWS documentation says: ...

7 votes, 0 answers, 532 views
Bypass restrictions of enabled Folder Access Control of Windows Defender
I've got an application written with C# which is installed via InnoSetup. With enabled Controlled Folder Access of Windows 10's Defender, the setup fails to create a desktop icon (showing the message ...

7 votes, 0 answers, 287 views
Double-Edged Approach to API-based web app authentication with Spring
I am creating a web application that will be handling sensitive data. The application is implemented as a Spring Boot RESTful API, so that different flexible clients can be created around it. Right ...

7 votes, 0 answers, 1k views
Azure Web app vulnerable to HTTP Slow Post attack
We have a web app that is being hosted on Azure and have run Qualys security scans against it that tell us that it is vulnerable to an HTTP Slow Post attack. The analysis from Qualys tells us that it ...

7 votes, 1 answer, 4k views
Microsoft EDGE - Security certificate required to access this resource is invalid
We are getting the following error in Microsoft EDGE in our Dev environment when we run our ASP.NET Application Hosted in IIS 8 in Windows 2012 R2 Server. Error: XMLHttpRequest: Network Error 0x800c0019, ...

7 votes, 0 answers, 1k views
How to use JGit https authentication using Kerberos
I am trying to clone a git repository over https from a windows server. This server uses single-sign-on and therefore relates to kerberos5. Having little knowledge with that, my simple code: ...

7 votes, 0 answers, 1k views
Passing a custom java security policy file to surefire maven test fails, results in access control error for everything
I'm trying to pass a custom security policy file to surefire to run some tests. (Specifically, I'm adding classes in java.lang to test a profiler and I want permission to define classes in there.) I'...

7 votes, 0 answers, 883 views
Storing secret key in KeyStore without the ProtectionParameter
Until now I have used to store my application secrets into the KeyStore with the following code: // creating a instance KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); // ...

7 votes, 0 answers, 629 views
What causes an interface (or assembly?) to become marked security critical?
Background I have a class - MobileLogging - that implements MvvmCross' IMvxTrace interface (from reference Cirrious.MvvmCross.Droid, packages\MvvmCross.HotTuna.CrossCore.3.5.0\lib\MonoAndroid\...

7 votes, 1 answer, 986 views
Mitigate BREACH attacks without saying goodbye to compression
Everywhere I look for solutions to mitigate this vulnerability, I find something like: Just disable http compression. Well, that's a pain, because compression saves a lot of bandwidth and also makes ...

7 votes, 0 answers, 2k views
Using "Microsoft Windows Security Auditing" provider in real-time consumer with ETW (Event Tracing for Windows)
My task is to make an ETW real-time consumer with events provided by 'Microsoft Windows Security Auditing'. I made a simple controller and consumer application, based on this example http://msdn....

7 votes, 0 answers, 1k views
Handing android app code to another developer: keystore management
I'm a freelance android developer. I have my own keystore file I use to sign the apk files I build for my customers. I give full source code to my customers along with the signed apk files. Most of ...

7 votes, 0 answers, 1k views
Asp.Net webresource.axd open redirection security flaw?
Running WebResource.axd through Burp Suite's active scan gave indication of a possible open redirection flaw in the function WebForm_DoCallback. This function does a post based upon a generated url. ...
