Application security: specific to securing the application itself rather than the connection, infrastructure, browser, etc.
1 vote | 0 answers | 13 views
HIPAA: How am I required to secure PHI database access creds on my web server?
Assuming I have a database of PHI that my web application needs to access, how am I required to secure the credentials on the web server for the database?
Is storing a standard user/pass combo a ...
0 votes | 3 answers | 44 views
CSRF possible if params are not passed through query string?
I was reading up on OWASP's page on CSRF and in their example they use a request where the sensitive parameters are stored in the query string:
...
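As an added example (not code from the OWASP page or from the question above), the following models a state-changing POST endpoint and shows that parameters in a POST body are just as forgeable as ones in a query string: the victim's browser attaches the session cookie to an attacker-generated form submission either way. The `/transfer` handler, the in-memory session store and the request dicts are assumptions constructed for the demo.

```python
"""Constructed example: a POST body is no protection against CSRF.
Names ('/transfer' handler, session store, request shape) are assumptions."""
import hmac
import secrets

SESSIONS = {}  # session cookie value -> session record (in-memory, for the demo)


def login(user):
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds as a hidden field in its own forms only."""
    return SESSIONS[sid]["csrf"]


def handle_transfer(request, require_token=True):
    """Process POST /transfer. 'request' is a dict with cookies, headers, form.
    Returns (status, message)."""
    sess = SESSIONS.get(request["cookies"].get("session", ""))
    if sess is None:
        return 401, "no valid session"
    if require_token:
        supplied = request["form"].get("csrf_token", "")
        # Constant-time compare so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(supplied, sess["csrf"]):
            return 403, "csrf token missing or invalid"
    return 200, "%s sent %s to %s" % (
        sess["user"], request["form"]["amount"], request["form"]["to"])


def forged_post(victim_sid):
    """What the server receives when the victim's browser submits an attacker's
    auto-posting HTML form: attacker-chosen body, victim's cookie attached by
    the browser. (A SameSite=Lax/Strict session cookie would not be attached to
    such a cross-site POST, which is a second, independent defence.)"""
    return {
        "cookies": {"session": victim_sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"to": "attacker", "amount": "1000"},   # no csrf_token: attacker cannot read it
    }


def legitimate_post(sid):
    """A request from the site's own form, which carries the per-session token."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://bank.example"},
        "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token_for(sid)},
    }
```

Without the token check the forged POST succeeds exactly as a forged GET would; with it, the forged request is refused because the attacker's page cannot read the token out of the victim's session.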
0 votes | 0 answers | 32 views
Dual Authorization (Social Auth 2.0)
Can you see any obvious challenges to requiring 2+ users to confirm authentication requests using an association such as a friendship-type relationship?
A practical application would be an ...
0 votes | 1 answer | 164 views
If my website does not take any user input, is there any danger in showing my code and folder structure?
First time posting here; apologies for any mistakes I've made, please edit, retag, migrate as appropriate.
I have a simple homepage whose purpose is (essentially) to contain my contact info and some ...
0 votes | 1 answer | 53 views
Are there any risks in serving static assets via a compressed SSL connection from a 3rd-party domain?
e.g.
curl -v -H 'Accept-Encoding: gzip' 'https://cdnjs.cloudflare.com/ajax/libs/Colors.js/1.2.2/colors.min.js'
As you can see, result is gzipped.
My assumption is since they are serving from 3rd ...
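As an added example (not code from the question, its answers or cdnjs), the following computes a Subresource Integrity value for a third-party script and checks a fetched body against it the way a browser does: the gzip Content-Encoding is undone first, so compression on the wire does not affect the check, while any change to the decoded script does. The script bytes are constructed sample data; the URL is only used to build the tag.

```python
"""Constructed example: pin a CDN-served asset with Subresource Integrity.
SAMPLE_SCRIPT is made up for the demo; the check mirrors browser behaviour."""
import base64
import gzip
import hashlib
import hmac
from typing import Optional

SAMPLE_SCRIPT = b"window.Colors = {rgb: function(r, g, b) { return [r, g, b]; }};\n"


def sri_value(content: bytes, algo: str = "sha384") -> str:
    """Value for the integrity= attribute: '<algo>-<base64 digest of the decoded bytes>'."""
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


def script_tag(src: str, content: bytes) -> str:
    """Tag that pins the asset. crossorigin is required for SRI on cross-origin loads."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, sri_value(content))


def gzip_encode(content: bytes) -> bytes:
    """What the CDN sends when the client offers Accept-Encoding: gzip."""
    return gzip.compress(content)


def body_matches_integrity(received: bytes, content_encoding: Optional[str],
                           integrity: str) -> bool:
    """Mimic the browser: strip the transfer compression, then hash the decoded body."""
    if content_encoding == "gzip":
        body = gzip.decompress(received)
    elif content_encoding in (None, "identity"):
        body = received
    else:
        raise ValueError("unsupported Content-Encoding: %r" % content_encoding)
    algo = integrity.split("-", 1)[0]
    return hmac.compare_digest(sri_value(body, algo), integrity)
```

The integrity value is computed over the script as the author reviewed it; if the CDN (or anyone between it and the browser) serves different bytes, compressed or not, the browser refuses to execute the script.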
1 vote | 2 answers | 97 views
Signed URLs as a security measure
Would implementing signed URLs be an effective security measure to prevent URL tampering and poisoning on public-facing resources accessed via a GET request?
e.g.
...
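As an added example (not code from the question or its answers), the following signs a URL with an HMAC over the canonical path and parameters plus an expiry, and verifies it on the way back in. Any change to the path or a parameter, a duplicated parameter, a missing signature or a replay after expiry is rejected. The signing key and the `/files/...` path are constructed for the demo.

```python
"""Constructed example: HMAC-signed URLs with expiry for public GET resources.
SIGNING_KEY and the paths used are assumptions for the demo."""
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key-keep-server-side"  # never sent to clients


def _canonical(path, params):
    """Deterministic serialisation: sorted keys, standard percent-encoding."""
    return path + "?" + urlencode(sorted(params.items()))


def sign_url(path, params, expires_at, key=SIGNING_KEY):
    """Return path?params&expires=...&sig=... The signature covers path,
    every parameter and the expiry, so none of them can be changed."""
    query = dict(params)
    query["expires"] = str(int(expires_at))
    sig = hmac.new(key, _canonical(path, query).encode(), hashlib.sha256).hexdigest()
    query["sig"] = sig
    return path + "?" + urlencode(sorted(query.items()))


def verify_url(url, now=None, key=SIGNING_KEY):
    """Return (ok, reason) for an incoming request URL."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query = dict(pairs)
    if len(query) != len(pairs):
        return False, "duplicate parameter"  # parameter pollution, e.g. file=a&file=b
    sig = query.pop("sig", None)
    if sig is None:
        return False, "missing signature"
    try:
        expires = int(query["expires"])
    except (KeyError, ValueError):
        return False, "missing or malformed expiry"
    expected = hmac.new(key, _canonical(parts.path, query).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"
```

Note what this does and does not give you: it stops tampering with and forging of links the server issued, but anyone holding a valid signed URL can use it until it expires, so the expiry window should be short and the key kept strictly server-side.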
1 vote | 3 answers | 79 views
Implementing 'Remember Me' for a mobile application
I am developing a mobile application wherein I need to implement the 'Remember Me' functionality. There are certain pages within the application which require you to login. What I need to do is, if ...
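As an added example (not code from the question or its answers), the following implements persistent "Remember Me" tokens with the selector/verifier pattern: the client keeps `selector:verifier`, the server stores only a hash of the verifier, each token is single-use and rotated on redemption, and a correct selector presented with a wrong verifier revokes the user's other tokens as a theft indicator. The token store and user names are constructed for the demo.

```python
"""Constructed example: single-use, rotated remember-me tokens.
REMEMBER_ME stands in for a database table; users are made up."""
import hashlib
import hmac
import secrets
import time

REMEMBER_ME = {}  # selector -> {"user", "verifier_hash", "expires"}
DEFAULT_TTL = 30 * 24 * 3600


def _hash_verifier(verifier):
    return hashlib.sha256(verifier.encode("ascii")).digest()


def issue_token(user, ttl=DEFAULT_TTL, now=None):
    """Return 'selector:verifier' for the app to keep in its secure storage
    (Keychain / Keystore), never in plain preferences."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key; harmless if logged
    verifier = secrets.token_urlsafe(32)   # the secret; only its hash is stored
    REMEMBER_ME[selector] = {
        "user": user,
        "verifier_hash": _hash_verifier(verifier),
        "expires": now + ttl,
    }
    return selector + ":" + verifier


def revoke_all(user):
    """On password change, 'log out everywhere', or suspected token theft."""
    for sel in [s for s, r in REMEMBER_ME.items() if r["user"] == user]:
        del REMEMBER_ME[sel]


def redeem_token(cookie, now=None):
    """Return (user, fresh_cookie) or None. The presented token is always consumed."""
    now = time.time() if now is None else now
    selector, sep, verifier = cookie.partition(":")
    if not sep:
        return None
    record = REMEMBER_ME.pop(selector, None)   # single use, whatever happens next
    if record is None:
        return None
    if now > record["expires"]:
        return None
    if not hmac.compare_digest(_hash_verifier(verifier), record["verifier_hash"]):
        # Right selector, wrong verifier: someone holds a copy of the token table
        # or is guessing. Treat it as theft and log the user out everywhere.
        revoke_all(record["user"])
        return None
    return record["user"], issue_token(record["user"], now=now)
```

Because only the hash is stored, a leaked token table cannot be turned into valid cookies, and because each token is consumed on use, a stolen token that is replayed after the legitimate client has already rotated it fails and can be detected.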
-2 votes | 1 answer | 55 views
ESAPI: Input and output validation [closed]
I am new to IT Security and I have been tasked with coming up with input and output validation for ESAPI.
So for input validation, so far I got:
Data Type
Name
Email
...
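As an added example (not ESAPI's own code and not from the question), the following shows the shape of allow-list validation per data type, with canonicalisation before the rule is applied and context-specific encoding on output. The rules, length limits and data types are assumptions for the demo, not ESAPI's shipped configuration.

```python
"""Constructed example: allow-list input validation and HTML output encoding.
RULES and limits are made up for the demo, not ESAPI's defaults."""
import html
import re
import unicodedata


class ValidationError(ValueError):
    pass


# Allow-lists describe what is permitted; anything else is rejected.
# (pattern, maximum length after canonicalisation)
RULES = {
    "name":  (re.compile(r"[A-Za-z][A-Za-z' \-]{0,49}"), 50),
    "email": (re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)+"), 254),
    "zip":   (re.compile(r"[0-9]{5}(-[0-9]{4})?"), 10),
}


def canonicalize(value):
    """Normalise first so look-alike encodings cannot slip past the rule,
    then refuse control characters outright."""
    value = unicodedata.normalize("NFKC", value)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise ValidationError("control characters are not allowed")
    return value.strip()


def validate(kind, value):
    """Return the canonical value, or raise ValidationError."""
    if not isinstance(value, str):
        raise ValidationError("expected a string for %s" % kind)
    pattern, max_len = RULES[kind]
    value = canonicalize(value)
    if len(value) > max_len:
        raise ValidationError("%s longer than %d characters" % (kind, max_len))
    if not pattern.fullmatch(value):   # fullmatch, not search: the whole value must match
        raise ValidationError("%s does not match the allowed format" % kind)
    return value


def is_valid(kind, value):
    try:
        validate(kind, value)
        return True
    except ValidationError:
        return False


def encode_for_html(value):
    """Output encoding for the HTML body/attribute context. Validation on the way
    in does not replace encoding on the way out; each output context has its own."""
    return html.escape(value, quote=True)
```

Input validation limits what reaches the application; output encoding is what actually prevents injection into a given context, so both layers are kept and the encoder is chosen per context (HTML here; URL, JavaScript and SQL contexts need their own).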
0 votes | 1 answer | 101 views
Comprehensive & current book on native application exploit research & development
Is there a 'must read', comprehensive book on native application exploit development?
Covering the process of finding vulnerabilities (fuzzing, reverse engineering, code analysis, etc...) & ...
1 vote | 0 answers | 49 views
Using Apple NSKeyedArchiver class without encryption to save score data locally
First of all, I'm sorry for my bad English!
I have a question about the security of NSKeyedArchiver, a subclass of NSCoder of Apple Foundation.framework ...
2 votes | 3 answers | 122 views
Uploading files through an HTTPS web application
We have a client-facing web site. A certificate is required to land on the login page, whereupon you then need a username and a password to further login. System has Apache servers acting as load ...
2 votes | 2 answers | 73 views
What fraction of software bugs are vulnerabilities?
What fraction of software bugs are security vulnerabilities? Obviously, software bugs can be security vulnerabilities -- but also obviously, many software bugs have little or no security impact. Is ...
-5 votes | 1 answer | 71 views
History of Buffer Overflow attacks and its countermeasures? [closed]
I want to know the chronology of BoF attacks and its countermeasures.
We know it started around 1972; here's a hypothetical of it:
Buffer Overflow Simple (attack)
ASLR (Countermeasure)
ret2reg ...
0 votes | 2 answers | 81 views
Are there any HTTP servers that can detect two cookies with the same name, but issued from different subdomains?
As a follow up to the Related Domain Cookie Attack question, I'd like to see if there are any servers that are able to detect instances where multiple cookies are sent from multiple domains.
In other ...
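As an added example (not code from the question or its answers), the following shows the check a server can do itself, independent of the HTTP server product: parse the incoming Cookie header into ordered name/value pairs, flag any name that appears more than once, and refuse to use a security-relevant cookie when it is ambiguous rather than silently taking the first or last value. The header strings are constructed sample input.

```python
"""Constructed example: detect duplicate cookie names in a Cookie header.
The sample headers are made up for the demo."""
from collections import defaultdict


def parse_cookie_header(header):
    """Return (name, value) pairs in the order the client sent them.
    The Cookie request header carries no Domain or Path attributes, so the
    server cannot see which host set each cookie; it can only see the clash."""
    pairs = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, _, value = chunk.partition("=")   # values may themselves contain '='
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_duplicate_cookies(header):
    """Map each cookie name sent more than once to all of its values."""
    seen = defaultdict(list)
    for name, value in parse_cookie_header(header):
        seen[name].append(value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


def security_cookie(header, name):
    """Return the cookie's value, or None if it is absent or ambiguous.
    Refusing is safer than picking first/last: an attacker on a related
    subdomain controls the ordering the browser uses."""
    if name in find_duplicate_cookies(header):
        return None
    for n, v in parse_cookie_header(header):
        if n == name:
            return v
    return None
```

Detection only tells you that a related-domain cookie has been injected; it does not say which value is yours. The structural fix is to name the session cookie with the `__Host-` prefix, which browsers will only accept from a Secure cookie set without a Domain attribute, so a sibling subdomain cannot set a cookie of that name at all.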
1 vote | 0 answers | 37 views
Stack smashing protection, reordering variables
So a few days ago I started reading a paper about bypassing SSP/ProPolice, and after I read it all I tried those bypasses, but they didn't work. The code I used is this:
int f (char ** argv){
int ...