All Questions tagged with tls web-application (177 questions)
0 votes | 0 answers | 108 views
TLS session keys [duplicate]
I have a confusion here.
From what I know, in TLS1.2, the Client sends Client Hello and then the Server Sends a Server Hello, Certificate(with its public key) and Certificate chain, and then a Server ...
0 votes | 0 answers | 101 views
Trying to generate TLS 1.3 Alert
I am trying to run tests on the TLS 1.3 protocol and I would like to generate alerts (as seen in TLS 1.2) that have a structure of the type ALERT:FATAL UNEXPECTED MESSAGE.
So far, I have tried to use ...
2 votes | 1 answer | 2k views
WSS protocol vs HTTPS protocol as an iframe embedded source in a web page
Until recently, I've been embedding a chatbot service from a different/external site with an iframe tag.
It's a paid service, not a free one.
Today I saw that they changed a few URLs, switching from &...
1 vote | 3 answers | 308 views
Should deprecated versions of TLS not be used
I'm setting up a server; the default configurations allow for connections with deprecated TLS versions. Should I remove deprecated TLS versions from my server? What is the difference between a ...
0 votes | 2 answers | 822 views
HTTP with encrypted message vs HTTPS
A bit of background:
I am a web developer and sometimes I integrate some form of external API in my web applications.
It's the second time already that I find something strange: some APIs instead of ...
2 votes | 1 answer | 1k views
OWASP Pentest - "Sensitive data sent in clear text" [closed]
We have our web app / REST API getting tested by potential customer. In the report they came up with this issue:
Sensitive data like user credentials on login page, password reset,
change password ...
2 votes | 1 answer | 234 views
PCI & e-banking sensitive information tokenization/encryption/obfuscation - Which fields require to be secured?
According to PCI standard all businesses that store, process or transmit payment cardholder data must be PCI Compliant.
Taking into account that we are talking about a bank, fields like card number ...
9 votes | 2 answers | 26k views
Chrome allow insecure localhost
I have just stumbled upon what is a very helpful flag in chrome (for developers):
chrome://flags/#allow-insecure-localhost
The flag is described as:
Allow invalid certificates for resources loaded ...
6 votes | 2 answers | 2k views
How to block requests in web app when certificate is insecure?
I am developing a web app and wanted it to be secure from attacks from the application layer.
Currently, my website is allowing interception from Burp Suite-like certificate proxy software. Is there a ...
1 vote | 1 answer | 4k views
Need an alternative to SSL pinning for web applications
I am developing a web app and while testing it on Burp Suite I found that it is vulnerable to the proxy SSL certificate.
I did some research and found that it was handled by a technique called SSL ...
1 vote | 2 answers | 359 views
Worst case scenario for compromised private key in server certificate?
Assume that someone gains access to the password used for my key store containing my server certificate and its private key.
I guess without direct access to the server running my application the ...
2 votes | 2 answers | 3k views
Does a content-type header having a blank value in the response body cause any security problem?
I have one HTTP request which is responding with no content value (No response body).
Is it necessary to have a content-type header specified for these kinds of responses?
5 votes | 1 answer | 3k views
Is there a security vulnerability in setting a public DNS entry to a private IP Address?
I recently set up a wireguard server-network configuration with a home server and client devices. I have one main domain that I hope to route everything through via subdomains (in this example, abc....
4 votes | 2 answers | 4k views
Burp Proxy vs MITM
I have recently started using Burp as a proxy for hunting bugs on websites and I see many submissions where people have intercepted and modified requests/responses to exploit certain logic flaws in ...
5 votes | 2 answers | 4k views
Should I return an HSTS header for 404 error pages?
I set up our .NET web application so that it has HSTS enabled. I verified this by going to https://gf.dev/hsts-test and putting in our URL, and it shows that HSTS protection is there.
The result shows:
...