Search Results
Results tagged with web-application
An application that is accessed over a network such as the Internet or an intranet using a browser.
11 votes
How secure is redirecting user from http://normal.bank.com to https://secure.bank.com?
After visiting http://normal.bank.com, an attacker can replace all links to https://secure.bank.com with links to http://secure.bank.com. When the user clicks on http://secure.bank.com, the MITM will …
2 votes
Tagged website malware
This seems to be a way for the malware to check whether it has already infected the file or not. No tool is needed, it could be something as easy as hex-coded string that means something to the malwar …
3 votes
Can I safely use an encrypted URL parameter for the session id?
It's a bad idea.
Encrypting the session identifier has no real impact on the security of your application. If the traffic is sent in plaintext (without SSL) anyone is able to read that encrypted sess …
4 votes (accepted)
Are there any Benefits of Ajax Fingerprinting?
I read this article a while ago (I think it's about 7 years old), and with all respect to Shreeraj Shah (the author) I completely disagree, and I extend my disagreement to most of his "security" me …
4 votes
How to restrict access to a web application to authorized devices only?
What you're trying to achieve is not possible. HTTP isn't designed to provide hardware-specific identifiers; the only "identifier" is the User-Agent, which isn't identifying at all, and it can be spoof …
5 votes (accepted)
Purpose of using base64 encoded urls
There's absolutely no security gain from using this method of presenting the URLs. This is just a silly way of making the website "production-ready" (whatever that means). In fact, it's not even a pro …
7 votes (accepted)
Do I need to expire a session cookie when sessions are handled server-side?
Telling the browser to expire the cookie is just a form of convenience, because the user is always able to override that. After all, the cookie is really on his browser, so you'll always check the expiry …
2 votes
Secure browser storage
The only thing that fits your requirements is HttpOnly cookies. They can be normally exchanged in the HTTP headers, can be easily accessed by the user (you know, being client-side), but it is enforced …
6 votes (accepted)
Unsanitized HTML input
Looking at your description, the application seems to be vulnerable to Cross-Site Scripting (XSS). Such an attack can lead to the compromise of student accounts and even accounts with higher privileges. …
2 votes
Should I take care when entering incorrect passwords in untrustworthy websites?
If there's a way to link your untrustworthy website's (Site A) account to your trustworthy website's (Site B) account, and you're entering Site B's password in Site A's login form, then you're potenti …
26 votes (accepted)
Why does Hydra return 16 valid passwords when none are valid?
Same problem happened to me when I was playing with DVWA. The reason is that you're trying to brute-force YOUR_SERVER/dvwa/vulnerabilities/brute/index.php which needs authentication. Try to visit that …
39 votes
Do we need to logout of webapps?
When logging in to a web service, a cookie is planted in your browser. This cookie has a unique ID value that identifies you while you're using the web service, and, possibly, when you come back later …
5 votes
What simple security considerations can I / should I make for a read-only API?
This question is too broad to be answered. To be honest, it just feels that you're asking someone to do your job for you. Having said that, I'll try to answer you in the best way possible.
First thing …
10 votes
Is there a security reason for a site to limit the number of times a user can change their p...
No, I don't think there's any sensible security reason for having a limit on the number of password changes. The only limit that should be enforced is part of a general limit on expensive operations t …
5 votes
System for securely authenticating content acquisition
Whoa! You're overcomplicating the issue to a high degree; the matter at hand is way simpler.
Table 1 (products)
product_id - product_name - product_key
product_key can simply be the sha1() of prod …