CSRF: can the JSON data returned by a POST request be stolen?
Can the JSON data, returned by a POST request be stolen by a cross-site request forgery attack? ...
security
JSON security best practices?
While researching the issue of JSON vs XML, I came across this question. Now one of the reasons to prefer JSON was listed as the ease of conversion in Javascript, namely with the eval(). Now this immediately struck me as potentially problematic from a security perspective. So I started doing some research into the security aspects of ...
Is there a PHP equivalent to Java URL filters/interceptors?
One of the things I like about Java servlets is the use of unobtrusive filters and interceptors. Basically you could use these things to enforce security, put extra information on the HttpRequest, do monitoring or whatever. Is there some equivalent in PHP? From what I've seen so far it seems that you tend to include a certain file in ...
Exposing database IDs - security risk?
I've heard that exposing database IDs (in URLs, for example) is a security risk, but I'm having trouble understanding why. Any opinions or links on why it's a risk, or why it isn't? EDIT: of course the access is scoped, e.g. if you can't see resource foo?id=123 you'll get an error page. Otherwise the URL itself should be secret. EDIT:...
How can I let users run a script with root permissions?
Given the dangers of SUID shell scripts, is there a more secure way of giving passwordless access to scripts (bash, PHP) with root permissions in Linux? (Ubuntu 8.10) ...
Secure hash and salt for PHP passwords
It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. Is “double hashing” a password less secure than just hashing it once? Suggests that hashing multiple times may be a good idea. How to implement password protection for individual files? Sug...
Security Testing Types
What are the different types of Security Testing? ...
Bugs versus vulnerabilities?
What, if any, is the difference between a software bug and a software vulnerability? ...
Convert .pfx to .cer
Is it possible to convert a .pfx (Personal Information Exchange) file to a .cer (Security Certificate) file? Unless I'm mistaken, isn't a .cer somehow embedded inside a .pfx? I'd like some way to extract it, if possible. ...
Is Silverlight Secure?
We have a need for an application that runs on an end user's machine and provides us with score results, and we need to results to be accurate (i.e. not tampered with). Currently, there is a debate between Flash and Silverlight, and it looks like Silverlight is going to be the winner. Aside from the agurment that anything on an end us...
Pin Generation
Hi, I am looking to develop a system in which i need to assign every user a unique pin code for security. The user will only enter this pin code as a means of identifying himself. Thus i dont want the user to be able to guess another users pincode. Assuming the max users i will have is 100000, how long should this pin code be? e.g. 123...
Database Security
How to protect a SQL Server database from viewing others? ...
Check the signature on large data sets efficiently using JCA
I have to verify the signature on a file that may be as large as 2Gb, and I want to do so in a way that is as memory-efficient as possible. For various reasons, the file will already be loaded completely into memory, and is accessed using an InputStream by the application. I would like to verify the signature using the stream interface...
Open SSL newbie question on securing certificate
I am building an application and I am planning on using Open SSL for securing data transfers. I am planning on only having the client validate the server's certificate. I am confused on how I should secure the server's certificate. I would like to encrypt the server's certificate containing the private key but I do not want to use any ha...
Software Security Engineer
Is there a career path out there or its part of our job to find out security holes and such? And If there is, what path do you suggest a person who wants to become one? If there isn't, what experiences you can tell about security issues? (major or minor) ...
How to force SharePoint tasks to be editable by "Assigned To" only?
We are using the default Task list from a Team Site and would like to only allow those that the Task is "Assigned To" to edit the tasks. How do you go about enforcing this? When we tried the "Advanced Settings", we found that "Only their own" meant only those tasks created by the current user. ...
Rails friendly url routing with open id
I would like to use create a rails route for a user's open id. The url would look something like http://mysite.com/identity/:html_encoded_openid or http://mysite.com/identity/:html_encoded_openid.xml This would be so that the site could be queried for an open id and either view info for that identity or receive an xml document contai...
To what does "zero day" refer?
Does "zero-day" or "0-day" (in context of software vulnerabilities and exploits) refer to the software release, or a particular type of exploit? [I did not find an answer to this on SO. Though it is answered elsewhere on the Internet, my understanding of SO is that it's okay to ask/answer basic questions] ...
What reasons are there NOT to use OpenID?
You see a fair bit (in the Geek community anyway) about OpenID. It seems like a good idea. I'm developing a website that will be targeted at a somewhat less geeky audience (but not quite Mom and Pops either) so I have to wonder if OpenID is going to be "too hard" for some audiences. What do you think? That aside, are there any other ...
Protecting your images, CSS and Javascript files from being used by external sites with Apache?
I came across a site that demonstrated a Javascript library and it asked that you please not link to the Javascript file directly from your site. That's a reasonable request. In fact, it wouldn't have occurred to me to do that instead of hosting it myself but I guess will try and save on bandwidth any way they can. This got me thinkin...