For questions relating to cryptography and computer security.


3 votes | 1 answer | 133 views

What are the best practices to secure a web API?

I need to build a web service API for our mobile app to interact with our server & database (in ASP.Net MVC 4, but that's hardly relevant). While most actions do not need users to be registered ...
6 votes | 0 answers | 160 views

Is this solution RESTful and secure?

Our product registers new players on our service, and we've chosen to host it on Azure (we're using .NET) and we wanted it to be stateless (for scalability) and relatively secure. Since this is the ...
4 votes | 4 answers | 126 views

How can we track how well we're preventing and avoiding security vulnerabilities?

It's pretty easy to track when we fix security vulnerabilities in existing code. But to make sure the whole team is staying on their toes about writing secure code, I'd like to also track how well we ...
0 votes | 2 answers | 153 views

How does Facebook strip html/apostrophes for XSS but also display it?

I'm not quite sure if this is a question for programmers.se rather than stackoverflow, but here goes. So Facebook [or any other large company] when given something like an apostrophe or html, can ...
34 votes | 6 answers | 1k views

Logging failed login attempts exposes passwords

I started logging failed login attempts on my website with a message like "Failed login attempt by qntmfred". I've noticed some of these logs look like "Failed login attempt by qntmfredmypassword". I'm ...
4 votes | 3 answers | 302 views

How to implement better security in Linux?

I'm just investigating the security and control of the Linux platform in comparison to Android. In Android there seems to be a huge development around security - Applications are required to ask for ...
0 votes | 1 answer | 61 views

Security comparison between xmlHttpRequest and HttpRequest

Is there a difference between HttpRequest and xmlHttpRequest in terms of security? Is one more secure than the other? Is it more secure to send important data such as passwords via HttpRequest than ...
0 votes | 1 answer | 80 views

MVP Pattern - Ways to restrict the user action based on security privileges

In an MVP application, what should be the most appropriate way to implement restriction to some UI actions based on the current user's privileges? For example, in a role-based security, different ...
1 vote | 1 answer | 131 views

Security in Authentication in single page apps

What's the most secure method of performing authentication in single page apps? I'm not talking about any specific client-side or server-side frameworks, but just general guidelines or best ...
0 votes | 0 answers | 15 views

Do we need to use spring security if we are using tivoli/webseal to route all requests

In my application, the architecture goes like this: There is web server. The web server runs Tivoli/Webseal. It creates junctions to the portal server and then portal server dispatches requests to a ...
0 votes | 3 answers | 197 views

Securely storing secret data in a client-side web application

I have this web application that is going to be all client-side technology (HTML, CSS, JavaScript/AngularJS, etc...). This web application is going to be interacting with REST API in order to access ...
5 votes | 0 answers | 59 views

How does LSA authentication on Windows work? [migrated]

I'm trying to understand the security protocols on Windows from a high level as part of legal research into cybercrime, and I'm having difficulty figuring out where to focus my research. I've already ...
1 vote | 1 answer | 78 views

Creating an account to receive sensitive information on a mobile device

I am developing an Android application for my final year project which allows the holder of a mobile device to receive a text notification containing potentially sensitive information from a server. ...
0 votes | 2 answers | 210 views

Best practices for execution of untrusted code

I have a project where I need to allow users to run arbitrary, untrusted python code (a bit like this) against my server. I'm fairly new to python and I'd like to avoid making any mistakes that ...
0 votes | 0 answers | 68 views

Authenticating two separate users on one site against the same user on another with single sign on

I am building a single sign on mechanism between two sites for a client. For one, a Drupal site (and the client's main site), I control the code. The other is a proprietary membership database and ...
0 votes | 1 answer | 904 views

Why are Wordpress sites so easily hacked? [closed]

I have found that hackers can easily hack WordPress sites. I have found these posts related to WordPress site hacking. 1) http://wordpress.org/support/topic/website-hacked-3 2) ...
3 votes | 3 answers | 79 views

Is a predefined key enough security when performing HTTP requests between two secure servers?

I have an AdWords script that regularly transfers sensitive data to my server using a POST HTTP request. For security I have a predefined 32 character randomized string that is verified by my server ...
-2 votes | 1 answer | 38 views

Methodology for software facing internet connections? [closed]

Is there a known methodology stronger than TDD to prevent accepting invalid input and performing undesired behaviour for software that is going to be open to the internet at large (e.g., HTTP ...
3 votes | 1 answer | 152 views

Using a public username as a login username

It has just dawned on me that a system I am developing exposes a user's username in the URI. This is a problem, since some of the users' pages are public. Therefore people will know their username. I ...
53 votes | 5 answers | 3k views

How can robots beat CAPTCHAs?

I have a website e-mail form. I use a custom CAPTCHA to prevent spam from robots. Despite this, I still get spam. Why? How do robots beat the CAPTCHA? Do they use some kind of advanced OCR or just ...
93 votes | 6 answers | 5k views

You're hired to fix a small bug for a security-intensive site. Looking at the code, it's filled with security holes. What do you do?

I've been hired by someone to do some small work on a site. It's a site for a large company. It contains very sensitive data, so security is very important. Upon analyzing the code, I've noticed it's ...
1 vote | 1 answer | 79 views

j2ee implementing security and using a framework pros and cons

I'm a newbie to j2ee security, and I'm not a j2ee expert either, though I'm really willing to put in some effort and learn. I've an application that I'm about to develop on Google App Engine (GAE) --with ...
1 vote | 4 answers | 218 views

Why do web sites require certain characters in their credentials? [closed]

It seems like when a web site lists requirements as to what characters MUST be in the password, they're only providing a password map for someone who wants to hack their system. For instance, fsd.gov ...
-5 votes | 3 answers | 283 views

Is sending password to user email secure? [closed]

How secure is sending passwords through email to a user, since email isn't secured by HTTPS. What is the best way to secure it? Should I use encryption?
3 votes | 2 answers | 278 views

I need advice developing a sensitive data transfer/storage/encryption system

I got closed on SO and told to post this here as it's about general application design as opposed to specific code. Intro I'm currently working on a project which involves the daily extraction of ...
0 votes | 0 answers | 148 views

Connecting with OAuth, dealing with logout and browser sessions

I work on an open-source web application (Moodle) which connects to a number of external services such as Google Drive, Dropbox etc. to allow users to exchange files with these services. Primarily we ...
0 votes | 1 answer | 59 views

Ria service security

I have a Silverlight app that connects to an Entity Framework model over a WCF RIA service. These calls have to be secure. What can I do so only valid users can call the RIA service, and to make the call ...
2 votes | 2 answers | 140 views

Committing https certificates to Github…is there ever a good reason for this?

If a server certificate is published to Github, a la: -----BEGIN CERTIFICATE----- is that necessarily a bad thing? Is there ever a legitimate reason to do this? I ask because of a recent wave of ...
4 votes | 1 answer | 74 views

Is it wise to include something like OpenSSL or GnuTLS with a project in a repository?

I am currently working on a project that makes use of the OpenSSL library for secure communications. Since this library is a requirement for building the project, I am considering including it in the ...
5 votes | 1 answer | 104 views

Hardware key removal on a test system

One of my company's applications still requires a hardware key to run, but we're currently in the process of removing that requirement and replacing it with an online check. The issue we are having ...
1 vote | 1 answer | 130 views

Appropriate selection of security framework

I have a web application to be developed using the RESTEasy API and for this I have to implement security (form-based authentication). So I am not sure about the most appropriate fit for this. As I ...
3 votes | 1 answer | 314 views

Online compilers and repls - not one big security hole?

There are plenty of compilers and REPL services on the web. For example: Fay ide. I find that implementing some similar technology would be very interesting. But it seems like a major security hole. ...
0 votes | 4 answers | 193 views

Are security exploits a fatality? [closed]

I'm asking this here and not on the security related site because this one is a question about "software architecture" and "development methodologies", which are both covered by the FAQ. EDIT: I'm ...
3 votes | 1 answer | 75 views

Reveal detailed license-errors?

So after one has programmed and integrated a licensing solution into his or her application, how should one deal with licensing errors? My understanding is: Show whether a license is valid or invalid ...
-2 votes | 2 answers | 90 views

should F12's request headers show session id as cookie?

I'm trying to educate myself on potential web attacks. I just found a site (which will remain anonymous) where it shows me what looks like the PHP session ID inside the cookies section of the ...
9 votes | 7 answers | 294 views

Is the use of security conditionals in a view a violation of MVC?

Often what's displayed to a user (e.g. on a web page) will be based partly on security checks. I usually consider user-level / ACL security to be part of the business logic of a system. If a view ...
2 votes | 0 answers | 302 views

Has the latest takedown notice (from Department of Homeland Security) on Java impacted your work already? [closed]

Source: http://venturebeat.com/2013/01/11/homeland-security-java/ ...“We estimate that about 100 million computer users are now in immediate danger of getting exploited. Given the current ...
4 votes | 3 answers | 182 views

Name for sanitizing at the right time?

Recently we had an issue on our site where someone attempted SQL injection via a cookie (we'll call it lastID). NOC was in a frenzy and angry about how the cookie as an attack vector could be ...
3 votes | 1 answer | 154 views

Building dedicated codepad in PHP

I am the author of a growing framework, which is focused around User Interface building in PHP. An essential requirement for the upcoming website redesign is the ability to run code examples. I am willing to ...
2 votes | 1 answer | 100 views

How to verify data from localStorage on a server

On my mobile app, I am storing the username of a logged in person, and downloading some data for the given/stored username. When the user checks for updates to his data content on the server, the ...
1 vote | 1 answer | 60 views

Securely changing system configuration from a web application

I need to write a web application that acts as a configuration interface for some system services. Meaning it will probably change some kind of configuration file and has to restart (linux) system ...
14 votes | 4 answers | 2k views

Is it possible to read memory from another program by allocating all the empty space on a system?

Theoretically, if I were to build a program that allocated all the unused memory on a system, and continued to request more and more memory as other applications released memory that they no longer ...
1 vote | 3 answers | 230 views

Verifying a debit card online - What information is checked?

I am eager to know what information is checked by the online companies to confirm that the card is yours? If a programmer has to implement this functionality, how can he access information like ...
1 vote | 2 answers | 220 views

typical way to share database connection for open-source project, without revealing too much

I have an open source project for mydomain.com which requires connections to a database (...as is tradition). What is the standard practice for allowing others to work on the site, without giving them ...
13 votes | 7 answers | 802 views

Are all security threats triggered by software bugs?

Most security threats that I've heard of have arisen due to a bug in the software (e.g. all input is not properly sanity checked, stack overflows, etc.). So if we exclude all social hacking, are all ...
35 votes | 11 answers | 2k views

Is there any reason not to go directly from client-side Javascript to a database? [duplicate]

Possible Duplicate: Writing Web “server less” applications So, let's say I'm going to build a Stack Exchange clone and I decide to use something like CouchDB as my backend store. If I use ...
2 votes | 2 answers | 229 views

Is having sensitive data in a PHP script secure?

I've heard that PHP is somewhat secure because Apache won't allow the download of raw PHP. Is this reliable, though? For example, if you wanted to password protect something, but didn't want to create ...
2 votes | 4 answers | 346 views

What are the downsides of leaving automation tags in production code?

I've been setting up debug tags for automated testing of a GWT-based web application. This involves turning on custom debug id tags/attributes for elements in the source of the app. It's a non-trivial ...
2 votes | 5 answers | 113 views

Is it reasonable to require passwords when users sign into my application through social media accounts?

I've built an application that requires users to authenticate with one or more social media accounts from either Facebook, Twitter, or LinkedIn. Edit Once the user has signed in, an 'identity' for ...
0 votes | 1 answer | 191 views

Can HTML injection be a security issue?

I recently came across a website that generates a random adjective, surrounded by a prefix and suffix entered by the user. For example, if the user enters "123" for prefix, and "789" for suffix, it ...