php,mysql,security,pdo,prepared-statement
To clear any confusion, what I'm doing is this: $pdo = new PDO('..'); $sql = 'SELECT id FROM users WHERE username = :username'; $statement = $pdo->prepare($sql); $statement->bindParam(':username', $_POST['username']); Question is, what if $_POST['username'] contains 'SELECT * FROM users' (or any other query)? This query would return the ids...
Removing the below property made this work. I think for an MD5 hash we need not specify the below property. credentialsMatcher.hashIterations=1024 ...
php,jquery,mysql,security,authentication
The usual php session_start() method is fine to use over HTTPS, and I think it is best solution for you. Let the server handle the session for you. As SilverlightFox has pointed out, it's a good idea to use http only session cookies. Before you start your session use session_set_cookie_params...
Don't do that: String salt = new String(bytes); You are transforming a series of bytes into a string using the default encoding of the machine. You should keep the byte array as a byte array. If you store the data in a database you can store it in a binary...
java,security,spring-mvc,spring-boot
Maybe @PreAuthorize or @PostAuthorize will be enough for you, it depends on what exactly you need. You can try something like this: @PostAuthorize("returnObject.widget.owner.id == principal.id") public Widget getWidgetById(long id) { // ... return widget; } UPDATE: You can use Pre/PostAuthorize since Spring Security 3.0 and as you said it provides...
javascript,html,security,iframe
Oops! Turns out my domain provider (separate to my web host) had enabled forwarding "with cloaking" and this caused my site to be shown in an iframe....
An alternative architecture you might consider is dynamic loading. Instead of 2 processes, you have just the first one; it uses dlopen() to load your newly compiled code. It calls the entry point of this "library", and the code has access to all the space including the persistent variables. On...
security,java-ee,websocket,wildfly
For this you will have to modify the Websocket handshake. You can do this as below: 1) Modify your websocket endpoint to use a custom configurator @ServerEndpoint(value = "/someWSEndpoint", configurator = SomeCustomConfigurationClass.class) public class SomeWSService { ... } 2) Modify the WS Handshake similar to public class SomeCustomConfigurationClass extends ServerEndpointConfig.Configurator { @Override...
javascript,angularjs,security,csrf
What are risks if I make the cookie persistent and manually set the X-XSRF-TOKEN HTTP header? The risk is that an attacker could eventually brute force the token value. The recommendation is to have a new CSRF token per session. If you make this persistent then a malicious site...
android,security,encryption,encryption-symmetric
The output type of Cipher#doFinal(byte[]) is byte[], but Arrays don't have a default way in which their contents are printed. By calling byte[].toString() on an array, you're simply printing its type and hash code. (More on this here) What you want is decrypted = new String(cipher2.doFinal(decodedBytes), "UTF-8"); which tells the...
AJAX itself will not increase or decrease the security of your site, at least if its implementation is elaborate. The client (browser) will have turned JavaScript on or off. If it is turned on, there may be more insecurities on the client side, but this won't affect your server and...
javascript,security,spam-prevention,email-spam
It entirely depends on the spambot. This could stop some spambots, but it wouldn't stop a scraper designed specifically to work around this defense. That's how arms races work. It would be pretty straightforward to build a bot that works around this defense you have in mind. You could use...
You may refer to this: modload It looks like someone is debugging the python code in windbg. And the 'ModLoad' lines, together with others, are just the debugger output.
new String(encriptedSMS,"UTF-8") Your problem is here. encriptedSMS does not contain UTF-8 encoded text, so this is wrong. There is no correct way to "convert" a byte array into a String, unless the byte array contains encoded text (like you would get from someString.getBytes("UTF-8")). However, there are ways to encode a...
php,rest,security,amazon-web-services,token
After you've got the token from the client you need to check two things: validity of the token and its timestamp. There are two scenarios: Make timestamp part of the token: function getToken($timestamp) { return $timestamp . encrypt(getPKey(), $timestamp); } $token = genToken(time()); And then validate it: $token = $_POST['token']; function...
What you probably are looking for is a filter. You set these up in your .gitattributes file to run one substitution upon adding a file to the staging area, and another substitution upon checkout: The image is from the .gitattributes section of the Git book, which has details on how...
security,encryption,sip,voip,rtp
I believe some of your concerns are addressed in the following IETF Spec - https://tools.ietf.org/html/rfc7201 - Options for Securing RTP Sessions But IMO, there is a cost of security w.r.t. processing and that's a given for the enhanced layer of protection. I haven't come across any other fancier ways other...
security,unit-testing,cakephp,cakephp-3.0
That is to be expected, as you're not sending the necessary security token, which is what the security component requires. Just look at your generated form, it will contain hidden inputs for the _Token field, with the subkeys fields and unlocked, where fields will contain a hash and possibly the...
java,android,security,android-ndk,digital-signature
I will try to answer your first question here: The signature of your application is stored in the DEX (Dalvik executable) file of your APK. DEX files have the following structure: Header; Data section (contains strings, code instructions, fields, etc); Arrays of method identifiers, class identifiers, etc. So, this is the beginning of the...
c#,security,asp.net-web-api,certificate
If you ONLY wanted to accept requests that originated from the same machine, you could check the IsLocal property of the request context MSDN. HttpRequest.Context.Request.IsLocal You could then build it into a custom authorize attribute and register it globally, enforcing the requirement on all of your Web API controllers. public...
It's not a matter of language. It's a matter of environment. Running Java applets on a web page currently involves using a Java plug-in, which takes a JVM that includes features to do all kinds of things we wouldn't want a web page to be able to do and runs...
security,single-sign-on,saml,pingfederate
From a very high level, yes, your three steps are correct. More specific: 1 will include decoding the base64 encoded response, checking against schema, etc. 2 will be done via signature validation, checking the authority, seeing if it's a response to a sent AuthnRequest and matching it, etc. 3 comes...
Maybe. Allowing cross domain XHR opens up a few attacks. E.g. see http://stackoverflow.com/a/7615287/841830. See also Is CORS a secure way to do cross-domain AJAX requests? But this tends not to come up with the normal use cases for Phantom: whether you are testing your own web site, or screen-scraping, you...
security,user-management,forgot-password,reset-password
I don't see any value in doing this. Just make your key secure. Perhaps a 128-bit (that's 22 base 64 encoded characters) secure random. That seems large enough. Also add a timeout to the token life span. 24 hours seems a fine compromise between security and inconvenience. I like the...
security,authorization,claims-based-identity,abac,role-based-access-control
Actually, you should not attempt to implement a new authorization model. There is already a good model called attribute-based access control (or ABAC - see the SO tag abac and xacml). ABAC is an authorization model that: is defined by NIST, the National Institute of Standards and Technology, the very...
This may be an overly simplistic answer, but couldn't you use SSL to encrypt the connection, and POST the keys? This way the POST data would not be visible to a sniffer, and 'outsiders' cannot make meaningful requests that will actually be processed by your script if they did know the...
java,security,encryption,encoding,cryptography
Maintaining a HashMap of Key(the value getting replaced) with a value(the value to be replaced) and just changing the string using a simple function will do. import java.util.HashMap; import java.util.Map.Entry; public class Encrypt { /** * @param args */ static HashMap<String, String> hm = new HashMap(); public static void main(String[]...
You can always wrap the command in a function. Run the function with its definer's privileges. Give execute privileges to someone else. Example: set role roleThatOwnsTable1; /* SECURITY DEFINER tells Postgres to run the function with the privileges of the role that defined the function, as opposed to the privileges...
Security is a big topic in the web development world and it is important for you to determine how secure your web application should be. There are 3 parts for you to notice: Frontend (the website): everything here is insecure, whatever is shown to you in the browser could be changed...
django,security,django-rest-framework
Keep in mind using a Django form will only allow you to use SessionAuthentication under DRF - more notes here. Short of it is to use the Django LoginViews when creating login pages, and the notes on using CSRF tokens if you do use Session Auth with DRF. http://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication How...
You're on the right track. You can use [^0-9a-f] instead of [^0-9a-z] to prevent someone from passing a non-hexadecimal character. $arg = preg_replace('/[^0-9a-f]/', '', $arg); if (strlen($arg) === 40) { // We have a SHA-1 hash shell_exec("git checkout {$arg}"); } In general cases, escapeshellarg() is what you want to use,...
You should opt for a workflow like: Generate a new GUID, save it against the user account, call it PasswordResetToken The email you send should redirect the user to /[email protected]&resetToken=XXXXXXXXXXX You verify that the reset token exists for the user account specified Ask the user to enter a new password...
javascript,php,security,credentials,web-storage
I'm building a web app that uses HTML-local-storage to replace PHP sessions and cookies. Local storage is a solution aimed at replacing neither. Local storage is for storing data client-side. Cookies are for identifying clients at the HTTP level. PHP sessions are meant for storing data server-side, usually keyed...
java,angularjs,security,oauth-2.0,hacking
You've successfully implemented a session hijack. This happens because sessions are based on tokens stored in the web page or cookies rather than IP addresses or something. This makes sense because IP addresses can be spoofed while a cryptographically secure session token is practically impossible to spoof. While you could...
c,security,gcc,gtk,gcc-warning
The answer is quite simple. You have to add "%s" to the arguments of the gtk_message_dialog_new() function like this: static void show_message (gchar *message, GtkMessageType type) { GtkWidget *dialog = gtk_message_dialog_new(NULL, 0, type, GTK_BUTTONS_OK, "%s", message); gtk_dialog_run(GTK_DIALOG(dialog)); gtk_widget_destroy(dialog); } Basically, the lack of "%s" is considered non-secure by gcc. You...
linux,security,docker,workflow,bioinformatics
If users will be able to execute docker run then they will be able to control the host system just because they could map files from host to container, and in the container they could always be root if they could use docker run or docker exec. So users should not be able...
linux,security,networking,firewall,iptables
If a packet does not match any rules in your PREROUTING chain, there is nothing to prevent it from hitting your FORWARD chain, unless you set the default PREROUTING policy to DROP. Packets only go to the INPUT chain if their destination address is an address that belongs to a...
javascript,jsp,security,browser,spring-security
On successful login put some value in sessionStorage.setItem('userId',userId) and whenever a user opens a new tab and tries to log in, check if sessionStorage.getItem('userId') is available; if null it means it is a new tab / redirect to the login page. Session storage is tab specific and data are not shared between different...
java,security,web,filesystems,system
I think that it is not possible to prevent a user from video capturing. You can make it harder but you will never prevent a user from capturing the screen of his computer. Even if you control the process list of the computer (which I guess is impossible, or impossible for most users) you still...
You definitely don't want to put them in HTML using <meta> tags, as JavaScript can just remove them, and (correct) browsers will ignore them. You need to set them as HTTP response headers on the server, and this depends on your server / framework. You also don't want to do...
java,security,encryption,aes,password-encryption
You can decrypt the ciphertext in exercise 3.8 by using the simple ECB mode of AES, which does not use an IV. Since you have the key, there is no need for salt (there is no key derivation). Use AES 256 ECB mode in Java, and pass the key as...
php,mysql,security,laravel,pdo
The question is somewhat unanswerable (at least not in a way that will not give you a false sense of security) with the amount of resource provided. Since you are using PDO I'll go right ahead and say that you ought to be using prepared statements. Injection on a whole primarily...
c#,security,encryption,cryptography,aes
Symmetric encryption algorithms most often need a binary array as a key. It raises the following questions: how to get the binary data for the key? The key should be random. If it is not random, it is easier to figure out by others. Unfortunately, it is not that...
security,ssl,encryption,server,cl
I'm not sure that you quite have this right. The connection is supposed to be: client <--> server The client knows that it's talking to the server due to the SSL handshake and validation of the server certificate. Your question is what would happen if: client // MiTM <--> server...
asp.net,asp.net-mvc,security,asp.net-identity
Not immediately; it will take 30 minutes by default for old cookies to invalidate in ASP.NET Identity 2. ASP.NET Identity doesn't check the database on every request for that, it has an interval. Use SecurityStamp to change it; you can set it in Startup.Auth.cs, default is 30 minutes, set the...
c,security,pointers,stack-smash
The first, and very important, thing to note: all numbers and offsets are very compiler-dependent. Different compilers, and even the same compiler with different settings, can produce drastically different assemblies. For example, many compilers can (and will) remove buf2 because it's not used. They can also remove x = 0...
No, sorry. If you hand bytes over to a third-party app, that third-party app can do what it wants with those bytes. So only solution is to use some in-app pdf reader right? This will not completely stop people from copying your PDFs. However, it will limit attacks to those...
mysql,node.js,security,access-control,row-level-security
There are three approaches you could take: Do it within the app Do it between the app and the db, inside a db proxy Do it inside the database The first option wouldn't really qualify as row-level access control since the application logic is the one responsible for the filtering...
Groups are the key role in Odoo (formerly OpenERP). Security based on the user security group is the major role for implementing any module for specific user access. How to create a Group and update an existing group in OpenERP: I am just updating the existing security Group...
security,hash,passwords,client,password-hash
Most websites will send the password plain-text over an encrypted connection SSL/HTTPS. Hashing the password client-side can be done, but the advantage is small and often client-side languages (JavaScript) are slow so you can calculate fewer rounds in the same time, which weakens the hash. In every case the server...
javascript,node.js,security,express
What they say is that the mechanism of transforming a simple value parameter into an array parameter can be exploited. If you expect name to be a string: ?name=hello They can transform it into an array like this: ?name=hello1&name=hello2 You will not get a string but an array: [ "hello1",...
c#,asp.net,asp.net-mvc,security,asp.net-identity
Is it okay to set the Thread.CurrentPrincipal in the PostAuthenticationRequest method? Yes, it is OK to assign the Principal object (HttpContext.Current.User) to the current thread. Is it okay to reference the using Microsoft.AspNet.Identity in my service layer? It is not a good practice, although you can access it. The reasons are...
spring,security,spring-security,spring-boot
Actually I managed to find a solution to my issue. I added a successHandler on successfulAuthentication, which was missing! And a failureHandler too on the unsuccessfulAuthentication method. Here is my new Authentication filter: public class TwoFactorAuthenticationFilter extends UsernamePasswordAuthenticationFilter { private static final String LOGIN_SUCCESS_URL = "{0}/bleamcards/{1}/home"; private static final String LOGIN_ERROR_URL...
java,android,security,encryption,rsa
It looks like you've been undone by relying on defaults. Never do that if you hope for interoperability. Here are the two examples of mistakenly relying on defaults in your code that I've found. final Cipher cipher = Cipher.getInstance("RSA"); The transformation string is supposed to be of the form "algorithm/mode/padding"...
security,hyperlink,amazon-s3,download
AWS Security Credentials are used when making API calls to AWS. They consist of two components: Access Key (eg AKIAISEMTXNOG4ABPC6Q): This is similar to a username. It is okay for people to see it. Secret Key: This is a long string of random characters that is a shared secret between...
java,security,authentication,x509
These methods read from two different fields in the certificate. They may return the same result in your case but not in general. Please refer to getIssuerDN() and getSubjectDN()....
After several hours of trying to fix this problem, I found a great youtube video. "Fix WordPress Site URL: General Settings Change, Cant Login" I will say how to fix this though in case anyone ever does what I did. You log in to your cPanel>Databases>phpMyAdmin. Go to the database for...
No, the installed OS name will not change as the result of a patch. Only an OS upgrade/reinstall does that (and service packs change the service pack level).
Not sure on the etiquette here but I just wanted to mark this as solved with the help of PM77-1's comment here. Basically the SLEEP(5) happens for every record since the conditional must be evaluated for each. In my test table, I only had one record, so I could not...
java,web-services,rest,security
That's because the basic authentication scheme is an implicit authentication scheme. Once authenticated, the browser will automatically include the credential on subsequent requests. The only way to prevent this is to open an anonymous session or close the browser. These authentication schemes are vulnerable to CSRF attacks. There are other...
php,html,wordpress,security,html-sanitizing
From the comments, it sounds like you are concerned about two separate issues (and possibly unaware of a third one that I will mention in a minute) and looking for one solution for both: SQL Injection and Cross-Site Scripting. You have to treat each one separately. I implore you to...
This is because you have just copied a function from somewhere for a different filetype and not every filetype has any notion of a "subheader". You only need to check the main header in the case of RAR. I also suggest modifying the naming of the variables, it is quite...
Please how do I prevent this from happening? I wear tin-foil hats on a professional basis (besides, I think they look spiffy...), and this is beyond what I normally worry about. I'd worry about making your HTTPS code won't be the victim of a Martian-in-the-middle (MITM) attack, as that's...
java,windows,security,malware,integrity
Your best bet is to follow a standard procedure for this. In a nutshell, here's what you can do. On your machine: Place your code into a jar file Digitally sign jar file with a private key Distribute your public key to the code runner machine On code runner machine...
ruby-on-rails,security,ruby-on-rails-4,mass-assignment
First and foremost, this line num_users = A.where(:name => "NEW").count works fine with or without using mass-assignment. This is because the where method does not assign data to a model record. On the other hand, it is rare to see a question with ruby-on-rails-4 and mass-assignment tags (there are only 7...
The problem is calling findViewById(R.id.tViewPUK) before setContentView(R.layout.activity_main);.
security,networking,localhost,firewall
127.0.0.1 is only for local computer "loopback". Such packets are required to be dropped if they come from outside the local computer. So no firewall is required if the app is only listening on 127.0.0.1.
javascript,html5,security,iframe,web-worker
Google has done most of that heavy lifting for you with Caja. They use this to create a safe 'sandbox' for adverts to run on the page while isolating them from doing too much damage....
c,security,firewall,virus,trojan
Avira : AMES is using the Avira engine for virus detection. If the Avira engine is not able to detect a virus, then the most likely cause could be that this virus is brand new and cannot be detected yet. We would greatly appreciate if you submit the suspicious file...
Security is something done in layers and each layer is designed to raise the cost of doing something you don't want them to. Do security guards prevent robberies? No, but they raise the cost of committing one to where most people won't bother. Hashes don't prevent people from hacking your...
It may be possible to encrypt all traffic with SASL as they say, but the distinction is academic because PHPMailer doesn't support SASL for either authentication or any subsequent traffic, but does support SSL and TLS. So if you're using PHPMailer to send to them and you're not using SSL...
java,spring,security,spring-mvc,spring-security
First of all: taking the password from the database in a server-side application is not vulnerable, because if you can access the table data then there is no use of it. Wrong concepts - Spring Security is not about returning a result code from the database. It's about authentication and authorization. You can enable...
java,database,security,encryption,bouncycastle
One of the most important properties of good encryption is that similar plaintexts are encrypted into vastly different ciphertexts. Roughly half of the bits of two ciphertexts will match. This property makes it hard (impossible) to formulate any kind of query that looks for substrings through LIKE or determines whether...
ruby-on-rails,security,amazon-s3,privacy
From the documentation, you should use one of Amazon's "canned" ACLs. Amazon accepts the following canned ACLs: :private :public_read :public_read_write :authenticated_read :bucket_owner_read :bucket_owner_full_control You can specify the ACL at bucket creation or later update a bucket. # at create time, defaults to :private when not specified bucket = s3.buckets.create('name', :acl...
Using a servlet does not make anything secure by itself. You don't need a Java tool to connect, you can even use Telnet, any scripting language or create your own socket. Just use a download servlet from somewhere and at least Basic authentication ("information hiding" is no security aspect ;)....
linux,apache,security,ssl,xampp
Bitnami developer here. In XAMPP the SSL configuration is located at the /opt/lampp/etc/extras/httpd-ssl.conf file, where there is a default VirtualHost already configured on port 443, and you are trying to bind the same port again. Please try to modify this file instead. You can check if there is any other process...
Expanding on @JimB's answer: Use a process supervisor to run your application as a specific user (and handle restarts/crashes, log re-direction, etc). setuid and setgid are universally bad ideas for multi-threaded applications. Either use your OS' process manager (Upstart, systemd, sysvinit) or a standalone process manager (Supervisor, runit, monit, etc)....
Let's say you want to hack your friend's PayPal account and make him buy you something. You can make an email that will tell him to click on this button to get a free cookie. Your friend, being fooled by the email, will click the button. If you make this button...
forms,security,plone,csrf,plone-4.x
I have only a little experience with it and played around with plone.protect 3.x and Plone 4.3.2, but nothing serious. I had also a lot of addons installed, so I cannot say if there were problems with Plone itself, or an addon. Here are my notes: Yes you can enable...
sql-server,sql-server-2008,security,sql-server-2012,encryption-symmetric
There are several things you can do inside a procedure but can't do inside a function. Based on Ben Cull's blog, you can get around this limitation by creating a procedure that handles opening the keys and call that before using the function. The procedure: CREATE PROCEDURE OpenKeys AS BEGIN...
My team just tackled this exact same problem and, given how ultimately simple our solution was, it was a long road to get there. There are so many factors that need to be taken into consideration here, most of which you have already covered. Luckily for us, all the DDoS/DoS...
There is no vulnerability inherent to using GET instead of, for example, POST from a network perspective. The only caveat you should keep in mind is that a GET request is more likely to be stored on the client (e.g. browser history) in a way you might not intend. For...
.net,security,clickonce,appdomain
I found the problem. This is the solution for anyone in my situation: I missed setting the domain permission: Dim permissions As New Security.PermissionSet(Security.Permissions.PermissionState.Unrestricted) Dim adSetup As New AppDomainSetup() adSetup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory Dim dom As AppDomain = AppDomain.CreateDomain(Guid.NewGuid.ToString, AppDomain.CurrentDomain.Evidence, adSetup, permissions) ...
c++,windows,security,winapi,memory-mapped-files
Your service is closing its handle to the file mapping immediately after creating it, thus the mapping is being destroyed before the app has a chance to open its handle to the mapping. Your service needs to leave its handle to the mapping open, at least until after the app...
I would strongly suggest against implementing your own logic. Just search around in SO for many failed attempts. There are plenty of frameworks that let you do just the right level of access control you are looking for. Some are even mentioned in the comments. Have a look at: Spring...
security,business-logic,n-tier-architecture
I think the answer to this question is complex and worth a bit of thought early on. Here are some guidelines. The service layer is a good place for: Is a page public or only open to registered users? Does this page require a user of a specific role? Authentication...
127.0.0.1 is simply your localhost. Allowing this IP simply says that you allow this machine (and only this if 127.0.0.1 is the only IP you whitelisted) to access the Network so no, there wouldn't be any issue with allowing access to your localhost so long as that machine itself isn't...
So to encrypt an aspect of the file you may want to gather its bytes in an array*. That can either be done using the class Files from Java or a stream to do it manually. For now let's say you got the byte array obtained using Files.readAllBytes(Path file); So...
spring,security,spring-security,basic-authentication,postman
Use the standard exception of Spring Security; it will be handled by itself if you already have an exception handler to transform the messages into a JSON response. catch (Exception exception) { throw new AuthenticationCredentialsNotFoundException("Fields must not be empty", exception); } ...
Both the regex in the question and answer look for variable assignment expressions; if you are only looking for the first assignment, this will complicate matters and you better - as @mario says - use the PHP_Parser. There are a lot of weird aspects with this regex. First of all...
It will most likely be safe as far as your files, but it can still be hacked if the server exposes some kind of scripts that you're not aware of and don't have any control over, or if it runs unpatched versions of OS/Web server/etc. If another hack happens and...
How SQL queries are parsed is dependent on the connection character set. If you did this query: $value = chr(0xE0) . chr(0x5C); mysql_query("SELECT '$value'"); then if the connection character set was Latin-1 MySQL would see the invalid: SELECT 'à\' whereas if the character set were Shift-JIS, the byte sequence 0xE0,0x5C...
javascript,html5,image,security
If a picture is displayed on someone's screen, there is no way you can prevent them from saving it on their computer (even if you disable everything). Trying to obfuscate the images will only result in a loss of time, performance, and could make your website much less user-friendly....
c,algorithm,security,math,encryption
This is not a power operator. It is the XOR operator. The thing that you notice for the XOR operator is that x ^ k ^ k == x. That means that your encryption function is already the decryption function when called with the same key and the ciphertext instead...
java,security,hash,md5,message-digest
NOTE: The MD5 Hashing Algorithm should never be used for password storage, as its hashes are easily cracked. However, I will use it for simplicity. The quick/easy/INSECURE fix would be to convert the char array to a string. However, this is insecure because strings are immutable and can't be cleared...
Yes, a user may access the JWT token in his browser - this is no different than with cookies. For the scenarios where a user of B authorizes your application A to access B on his behalf, there is no need to protect the JWT token from the user himself - just from...
The main risk is encountering a drive-by download. A drive-by download isn't necessarily a file download in the usual sense, it could be a browser exploit that allows executable code to download and execute on your system (known as the payload). One example is the Microsoft Internet Explorer colspan Element...
As @Darkbee stated, the simplest way is to have the file outside your website root. This would be accessible on the server, but not to the public under any circumstances. The alternative is to set the permissions to 400 on the file. .htaccess could block access, but not blocking access...