Application security - Specific to securing an application itself, rather than the connection, infrastructure, browser, etc.


1 vote, 0 answers, 13 views

HIPAA: How am I required to secure PHI database access creds on my web server?

Assuming I have a database of PHI that my web application needs to access, how am I required to secure the credentials on the web server for the database? Is storing a standard user/pass combo a ...
0 votes, 3 answers, 44 views

CSRF possible if params are not passed through query string?

I was reading up on OWASP's page on CSRF and in their example they use a request where the sensitive parameters are stored in the query string: ...
0 votes, 0 answers, 32 views

Dual Authorization (Social Auth 2.0)

Can you see any obvious challenges to requiring 2+ users to confirm authentication requests using an association such as a friendship type of relationship. A practical application would be an ...
0 votes, 1 answer, 164 views

If my website does not take any user input, is there any danger in showing my code and folder structure?

First time posting here; apologies for any mistakes I've made, please edit, retag, migrate as appropriate. I have a simple homepage whose purpose is (essentially) to contain my contact info and some ...
0 votes, 1 answer, 53 views

Are there any risks in serving static assets via a compressed SSL protocol from a 3rd-party domain?

e.g. curl -v -H 'Accept-Encoding: gzip' 'https://cdnjs.cloudflare.com/ajax/libs/Colors.js/1.2.2/colors.min.js' As you can see, result is gzipped. My assumption is since they are serving from 3rd ...
1 vote, 2 answers, 97 views

Signed URLs as a security measure

Would implementing signed URLs be an effective security measure to prevent URL tampering and poisoning on public-facing resources accessed via a GET request? e.g. ...
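For readers weighing the question above, the following is an added example (not code from the question or any answer) of the usual signed-URL construction: the server HMACs the canonical path and query, including an expiry, and refuses any request whose signature does not verify. The secret, the parameter names `expires` and `sig`, and the sample URL are assumptions made for the example; a real deployment would load the secret from a key store and rotate it.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Hypothetical server-side secret; in practice loaded from a key store, never embedded in client code.
SECRET = b"hypothetical-server-side-secret"

SIG_PARAM = "sig"        # assumed parameter name carrying the HMAC
EXPIRES_PARAM = "expires"  # assumed parameter name carrying the Unix expiry time


def _canonical(path, params):
    """Deterministic string to sign: path plus sorted, re-encoded query (sig excluded)."""
    params = sorted((k, v) for k, v in params if k != SIG_PARAM)
    return path + "?" + urlencode(params)


def sign_url(url, secret=SECRET, ttl=300, now=None):
    """Return url with an expiry and an HMAC-SHA256 signature appended to its query."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k not in (SIG_PARAM, EXPIRES_PARAM)]
    params.append((EXPIRES_PARAM, str(now + ttl)))
    params.sort()
    sig = hmac.new(secret, _canonical(parts.path, params).encode(), hashlib.sha256).hexdigest()
    params.append((SIG_PARAM, sig))
    return urlunparse(parts._replace(query=urlencode(params)))


def verify_url(url, secret=SECRET, now=None):
    """True only if the signature covers path+query unchanged and the expiry has not passed."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in params if k == SIG_PARAM]
    if len(sigs) != 1:              # missing or ambiguous signature: reject
        return False
    expires = [v for k, v in params if k == EXPIRES_PARAM]
    if len(expires) != 1 or not expires[0].isdigit() or int(expires[0]) < now:
        return False                # no expiry, duplicated expiry, or already expired
    expected = hmac.new(secret, _canonical(parts.path, params).encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot recover the MAC byte by byte from timing.
    return hmac.compare_digest(expected, sigs[0])


if __name__ == "__main__":
    # Constructed sample: a private report exposed through a time-limited GET link.
    link = sign_url("https://example.test/files/report.pdf?user=42", now=1_000_000)
    print(link)
    print("valid now:", verify_url(link, now=1_000_100))
    print("valid after expiry:", verify_url(link, now=1_000_400))
    print("tampered:", verify_url(link.replace("user=42", "user=43"), now=1_000_100))
```

The signature binds every query parameter and the path, so changing `user=42` or stretching `expires` invalidates the link; what it does not do is stop a legitimate holder from sharing the link during its lifetime, which is why the TTL is kept short.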
1 vote, 3 answers, 79 views

Implementing 'Remember Me' for a mobile application

I am developing a mobile application wherein I need to implement the 'Remember Me' functionality. There are certain pages within the application which require you to login. What I need to do is, if ...
-2 votes, 1 answer, 55 views

ESAPI: Input and output validation [closed]

I am new to IT Security and I have been tasked with coming up with input and output validation for ESAPI. So for input validation, so far I got: Data Type Name Email ...
0 votes, 1 answer, 101 views

Comprehensive & current book on native application exploit research & development

Is there a 'must read', comprehensive book on native application exploit development? Covering the process of finding vulnerabilities (fuzzing, reverse engineering, code analysis, etc...) & ...
1 vote, 0 answers, 49 views

Using Apple NSKeyedArchiver class without encryption to save score data locally

First of all, I'm sorry for my bad English! I have a question about the security of NSKeyedArchiver, a subclass of NSCoder in Apple's Foundation.framework ...
2 votes, 3 answers, 122 views

Uploading files through an HTTPS web application

We have a client facing web site. A certificate is required to land on the login page, where upon you then need a username and a password to further login. System has Apache servers acting as load ...
2 votes, 2 answers, 73 views

What fraction of software bugs are vulnerabilities?

What fraction of software bugs are security vulnerabilities? Obviously, software bugs can be security vulnerabilities -- but also obviously, many software bugs have little or no security impact. Is ...
-5 votes, 1 answer, 71 views

History of Buffer Overflow attacks and its countermeasures? [closed]

I want to know the chronology of BoF attacks and its countermeasures. We know it started about 1972; here's a hypothetical of it: Buffer Overflow Simple (attack) ASLR (Countermeasure) ret2reg ...
0 votes, 2 answers, 81 views

Are there any HTTP servers that can detect two cookies with the same name, but issued from different subdomains?

As a follow up to the Related Domain Cookie Attack question, I'd like to see if there are any servers that are able to detect instances where multiple cookies are sent from multiple domains. In other ...
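The difficulty behind the question above is that the `Cookie` request header carries only `name=value` pairs, with no `Domain` or `Path` attribute, so a server cannot see which host set each cookie. The one signal it does get is a name appearing more than once. As an added example (not from the question or any answer), the following hypothetical request-handling helpers parse the header by hand, because `http.cookies.SimpleCookie` keeps only one value per name, report duplicate names, and refuse to pick a session when the name is ambiguous. The sample header is constructed for the example.

```python
def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, preserving duplicates and order."""
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_duplicate_cookies(header):
    """Return {name: [values...]} for every cookie name sent more than once."""
    seen = {}
    for name, value in parse_cookie_header(header):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def choose_session(header, name="session"):
    """Return the session value only when exactly one cookie of that name was sent.

    A related-domain attacker can plant a second cookie with the same name; since the
    server cannot tell which one came from the legitimate origin, the safe answer to an
    ambiguous header is to treat the request as unauthenticated (and log it).
    """
    values = [v for n, v in parse_cookie_header(header) if n == name]
    if len(values) != 1:
        return None
    return values[0]


if __name__ == "__main__":
    # Constructed sample: a legitimate session cookie plus one planted from a sibling subdomain.
    header = "session=legit-token; theme=dark; session=attacker-token"
    print("duplicates:", find_duplicate_cookies(header))
    print("chosen session:", choose_session(header))
    print("clean header:", choose_session("session=legit-token; theme=dark"))
```

Detecting the duplicate only limits the damage; the structural fix is to name the session cookie with the `__Host-` prefix, which browsers accept only when set without a `Domain` attribute over HTTPS, so a sibling subdomain cannot plant a cookie of the same name.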
1 vote, 0 answers, 37 views

Stack smashing protection, reordering variables

So a few days ago I started reading a paper about bypassing SSP/ProPolice, and after I read it all I tried those bypasses, but they didn't work. The code I used is this: int f (char ** argv){ int ...
