Make batch file for install two or more software
Both JDK and MySQL server have an option for a silent installation, where you can specify the options without using the graphical installer. JDK (example): jdk.exe /s ADDLOCAL="ToolsFeature,SourceFeature,PublicjreFeature" See https://docs.oracle.com/javase/7/docs/webnotes/install/windows/jdk-installation-windows.html#jdk-silent-installation MySQL: msiexec /i mysql-5.1.73.msi /quiet See https://doc

Categories : Security

How to send authentication token to client
The token should contain a universal datetime that way the token can 'expire' after nn amount of time. Check out this page: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

Categories : Security

Should be used for JSF 2.2 CSRF protection?
I am confused. I see that JSF 2.0 has implicit CSRF protection: How JSF 2.0 prevents CSRF This implicit protection is on POST requests only (i.e. pages with <h:form>). On the other side according to the article http://www.oracle.com/webfolder/technetwork/tutorials/obe/java/JSF-CSRF-Demo/JSF2.2CsrfDemo.html we should add the following element to the faces-config.xml file with t

Categories : Security

Is it possible to have every message signed with digital signature in XMPP (Jabber) protocol?
Yes, in the sense that there are several standards, including http://tools.ietf.org/html/draft-miller-xmpp-e2e, which nobody that I know of has implemented yet, but is liable to be the best starting point. No, in the sense that even if your client implemented that protocol, not all of your friends would use it, so "every" is not achievable.

Categories : Security

Why can't the Yesod session cookie be hijacked?
That's a good catch. This used to be more accurate, when we would include the IP address of the client in the cookie to prevent hijacking. Combined with the anti-tampering protections, this made it basically impossible for a MITM attack to work unless you were NATed behind the same router or using the same proxy. Unfortunately, we had to disable that protection due to concerns about proxies as we

Categories : Security

Heroku + SSL Endpoint + SSL Cert from goDaddy. Is it secured
It indeed is a general question, so only a general answer can be provided. Furthermore, it all depends on how you define "enough". Of course using SSL gives you the advantages of it; you are better off with it than without. But make sure that you understand what SSL does and does not do. A limited list: SSL does encrypt the communication between client and server. SSL does confirm the identity of

Categories : Security

Testing for cross-site scripting (XSS) vulnerabilities in continuous integration environment
Think of Codeship as an operating system, where you can run some applications. I use Wapiti for security testing. You can run Wapiti and then deploy the report to another server. Running Wapiti: wget http://downloads.sourceforge.net/project/wapiti/wapiti/wapiti-2.2.1/wapiti-2.2.1.zip unzip wapiti-2.2.1.zip cd wapiti-2.2.1/src/ chmod -x wapiti-2.2.1/bin/wapit python wapiti.py http://www.ex

Categories : Security

Amazon Web Service RDS security group - removal of 0.0.0.0/0 blocks my EC2
If you don't have a VPC, you need to add the Amazon EC2 security group for the EC2 instance to the DB security group for the DB instance. I don't think it will work with public IPs since these are not used internally. You can find more info and detailed instructions here.

Categories : Security

What benefits refresh tokens in OAuth2
Access tokens are short-lived; they normally only work for 1 hour. In order to get a new access token you use the refresh token. Page 24: Authorization servers SHOULD issue access tokens with a limited lifetime and require clients to refresh them by requesting a new access token using the same assertion if it is still valid. Otherwise the client MUST obtain a new valid assertion. By s

Categories : Security

Grails security filter doesn't work with 2 controllers
Use the pipe symbol to add multiple controllers, like def filters = { all(controller: 'Admin|Report', action: '*') { ... } } Ref# How to define multiple distinct controllers in Grails 2 filter?

Categories : Security

How exactly TLS/SSL works regarding client certificate?
I can copy/paste from the openssl wiki: http://wiki.opensslfoundation.com/index.php/SSL_and_TLS_Protocols#Client_Authentication Basically the client sends a Client Certificate to the server that matches the CA DN given by the server. The client then sends a Certificate Verify that uses its private key to prove it owns it. Client Certificate authentication requires the client to own a certificate and have the correspon

Categories : Security

Can fiddler access local machine data?
If the user is accessing the website without using SSL (i.e. by going to "http://" instead of "https://"), then it is possible to see all of the traffic between the website and the browser, and not only on the local computer but also on the network that the computer is connected to. If the user is accessing the website via HTTPS, Fiddler is able to act as a proxy and decrypt the traffic between t

Categories : Security

Using JWT audience field for authorization roles
I understand audience rather as the list of consumers/applications who can authorize the user. In my application I put roles into their own array in the payload. For example like that. { "sub": 1234567890, "exp": 9876543210, "name": "John Doe", "roles": ["USER", "EDITOR"] } On the server I am authorized using spring security and the user is loaded from "sub". And on the client I can use these roles t

Categories : Security

Why forward port 80 to 8080?
Why run the application server on port 8080? Because then it does not need to be run as root user (which you need for ports under 1024). Why forward port 80 to 8080? So that it still looks like a "normal" HTTP server to the outside world (no need for ugly port numbers in the URL).

Categories : Security

In the context of user agents, what do U, I, and N mean?
It describes the level of SSL support in the browser. "Strong security" is "Better than Netscape International was in 1995". Firefox stopped including that information in the user agent string at version 4, so it really isn't worth worrying about.

Categories : Security

Can you test exploits, viruses or dangerous scripts on Travis CI?
I think these sections in the Travis CI terms of service are relevant: Section 4.2: The customer must not interfere or intent to interfere in any manner with the functionality or proper working of Travis CI. Section 4.5: The customer will indemnify and hold harmless Travis CI, its officers and directors, employees and agents from any and all third party claims, damages, costs and (includi

Categories : Security

Silverstripe 3 - Unable to implement controller access security from CMS
I've figured it out. Basically, I can just do a Permission::check within the Controller as well. See below code for solution: public function ListMyComponents(){ $components = null; if(Permission::check('COMPONENT_VIEW')){ $components = MyComponent::get()->filter(array('Status' => 'Enable')); } return $components; }//ListMyComponents Thanks though, for those who may

Categories : Security

Websockets - wss on http vs. wss on https
Is a web socket secure (wss) connection still encrypted through TLS/SSL if the website/server is not? Yes. Are wss (Secure Web Socket) connections just as secure on an http server as they are on an https server? Yes (see above). There is one thing to note: if the HTML/JavaScript that opens the secure WebSocket connection comes over non-secure HTTP, the WebSocket connection is still secu

Categories : Security

Property-Level Access Control in Parse
The easiest way to do this is to use cloud code. Here is how you could do it : Parse.Cloud.beforeSave("YourObject", function(request, response) { // Find a way to decide if writing is allowed. var writingForbidden = (request.master === false); if (writingForbidden) { var readOnlyProperties = ["property1", "property2", "property3", "..."]; var dirtyProperties = re

Categories : Security

Exposing OAuth secured REST service as non secured using WSO2 ESB
The OAuth mediator can only be used to validate the OAuth access token which comes with the request. In your use case the back-end REST service is secured with OAuth and the request which comes via the ESB should have the access token. In this case the OAuth mediator is of no use since token validation happens at the backend, not at the ESB. This article explains how OAuth works. In steps 2 and 3 you will anyw

Categories : Security

how can a program keep a secret from its creator?
It seems the content of the program doesn't matter that much but you want to assure that the timestamp and content of the log can't be forged. I suggest writing the log to some external site where you can put data to but not delete from. Writing false values to the log can only be prevented by having a log which progresses by time. For example, if you hide expenses from your bank account you'll r

Categories : Security

CDNs and personally identifiable information in the referer header
Your concern is right. The client's browser will leak your query string or URL when it tries to reach images or external JavaScript files. Mitigation can be done via the following meta tag. <meta name="referrer" content="never"> When you put this meta tag into your HTML, the browser won't leak your URLs. Further information: http://w3c.github.io/webappsec/specs/referrer-policy/

Categories : Security

Using OAuth instead of Basic authentication?
If you have local database accounts for the users (Resource Owners) then you can replace basic authentication with the OAuth flow named "Resource Owner Password Credentials" flow. It is a very simple flow where you issue an HTTP POST to an endpoint specified in your HTTP server, usually named /token. The content-type for this HTTP POST action is x-www-form-urlencoded, so the post body will co

Categories : Security

Jboss EAP 6.3: HQ119031: Unable to validate user: USERNAME
Have you tried adding username and password to your bridge context? <jms-bridge name="myBridge"> <source> <connection-factory name="jms/RemoteConnectionFactory"/> <destination name="jms/queue/bridgeQueue"/> <user>guest</user> <password>pass</password> <context> <property key="java.nami

Categories : Security

In what ways is this XOR encryption system vulnerable?
This is borderline useless. All an attacker must do is get one of your passwords and he has all your passwords. So you're as secure as the least secure system you use this scheme for. One login from a public WiFi network without SSL and you're done.

Categories : Security

is it possible to secure a specific queue in activemq with a user name and password
You'll want to use either the JAAS or Simple Authentication Plugin. Either of these will allow you to set up authorization to queues.

Categories : Security

Secure HTTPS not working in Magento under CloudFlare
I went through the link provided by you and found many URLs loaded from an insecure server. Check a few of them below: The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/skin/frontend/ultimo/fabshopper/images/fab_shopper.png': this content should also be loaded over HTTPS. The page at 'https://www.fabshopper.com/' was loaded over

Categories : Security

How to prevent access to specific routes in Symfony 2
All you need to configure is your security.yml. You can define multiple firewalls which will apply to different routes: security: firewalls: your_first_firewall: pattern: /public/ #this is regexp, so all urls starting with /public/ will match security: false #this will be public, no firewall your_second_firewall: pattern: /nonPublic/

Categories : Security

Update IIS 6 IP Restrictions using command line
No, there's no built-in Windows command to do it. You can find evidence of scripts that people have written to mitigate for this. Ultimately, you want to modify a metabase entry called IPSecurity. Here's the thing: this IPSecurity entry can be set up at the top level (W3SVC service) all of the way down to individual files. So, you can define security for any of: Service Site VDir Folder File

Categories : Security

How is SECURITY_MODE_COMMAND message requests to start/stop ciphering?
I assume you are talking about the NAS Security_Mode_Command message, described in TS 33.401 section 7.2.4.4, and defined in TS 24.301 section 8.2.20. From TS 24.301 section 8.2.20, we can see that Security_Mode_Command contains the information element "Selected NAS Security Algorithms", which is defined in section 9.9.3.23. I think the answer to your question is, that you should check this fiel

Categories : Security

Grails: how to restrict fetching of linked elements to user?
Introduce a design that forces you to query objects through services. Then let the service augment your query with additional security constraints. The domain object is doing a lot of stuff already; adding a security context is possible but will kick your team sooner or later.

Categories : Security

How to save mac address of computer in an email program?
The MAC address of the client is part of the layer 2 protocol, and is used for address resolution (ARP) only on the subnet local to the client. Internetworking is done with TCP/IP (layers 3 & 4), which are transparent to layer 2. In other words, the protocols and equipment between your server and your clients make it impossible for your server to learn the MAC of your clients. This is by desig

Categories : Security

Why is including . at the back of the PATH on UNIX dangerous?
Including the current working directory in your PATH is dangerous because malicious users or programs can populate shared directories -- such as /tmp -- with common typos of regular commands. This kind of attack used to be very popular in college campuses; typing sl instead of ls in /tmp was a fairly good way to have your account owned. An easy fix (if you know that it will only be at the end) i

Categories : Security

Poodle config for Tomcat 7 blocks IE8 on XP
This was resolved on Tomcat 7 with the following config: <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" acceptCount="100" keystoreFile="XXXXXXXXX" keystorePass="XXXXXXXXX" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WIT

Categories : Security

Are security concerns sending a password using a GET request over https valid?
Sending any kind of sensitive data over GET is dangerous, even if it is HTTPS. These data might end up in log files at the server and will be included in the Referer header in links to or includes from other sites. They will also be saved in the history of the browser, so an attacker might try to guess and verify the original contents of the link with an attack against the history. Apart from that

Categories : Security

Worklight HTTP Adapter not working with Kerberos
Unfortunately this type of configuration is not tested often at all and there is no more documentation on this subject matter. This will be discussed to see if documentation and testing can be improved. The workaround that is currently used (by Desmond) is to continue using NTLM instead.

Categories : Security

Is the HTTPS protocol affected by the Poodle SSLv3 attack?
Looks like you are terminating SSL (or HTTPS) traffic at WebServer. There are two parts: LB to WebServer (HTTPS Traffic): Disable SSLv3 on WebServer. HTTPS means HTTP tunneled over SSL protocol. This is impacted. WebServer to Weblogic (HTTP Traffic) : You are good here.

Categories : Security

Importing Pem/der certificate into kdb file
You should be able to import certificates from other key file types such as a p12 database or another kdb. After doing the import check the personal certificates using IKEYMAN to see if the certificate is there. If you then see the "Error Handshake, no certificate found" in the IHS error log it may be you have not specified the certificate to be the default. Also check the VirtualHost entry for

Categories : Security

Is it safe to employ output encoding against XSS on the client-side?
In theory, encoding client-side is no more dangerous than encoding server-side. The key to making it secure really is in how rigorous you are in putting suitable encoding in all the places which render your data. You can certainly create a good implementation for rendering user submitted data safely on client and server sides. Practically though, a drawback of implementing output encoding client

Categories : Security

© Copyright 2018 w3hello.com Publishing Limited. All rights reserved.