security

Securing oauth bearer token against attacks such as XSS, CSRF in javascript apps

邮差的信 posted on 2021-02-20 15:06:18
Question: I am a bit unclear about how to secure (or protect) bearer tokens when using pure JavaScript applications. I know that when a user requests a token from the server it can come with a validity of 14 days or 24 hours, but once the user has the token there is no neat (assured) way of securing it from XSS or CSRF attacks (am I missing something?). Now let's say the user is logged into the web application and the browser has this token, which is valid for 14 days. If the user is accessing another web application

Path-relative style sheet import vulnerabilities

坚强是说给别人听的谎言 posted on 2021-02-20 13:24:07
Question: To avoid path-relative style sheet import vulnerabilities, should I attach the CSS file to my page using the full path, e.g. <link href="http://mywebsite/style.css" type="text/css" rel="stylesheet" /> instead of <link href="style.css" type="text/css" rel="stylesheet" />? What do you think?
Answer 1: Just add a leading slash and make the path root-relative, rather than relative, which is what this vulnerability relies on. No need for the domain / scheme. <link rel="stylesheet" href="/style.css">
Source: https:/

HSM and custom module

我是研究僧i posted on 2021-02-20 05:26:09
Question: We are implementing a safety-critical system, where a FIPS 140-2 compliant HSM (hardware security module) is required to generate and store key material, perform encryption/decryption and run custom code, with the following requirements set for the custom module:
- Module is available over RPC
- Module has access to all HSM keys and services
- Module has in-memory and persistent storage (1+ MB both)
- Module memory is secured (FIPS 140-2 level 3+)
As for the HSM services themselves, it is required to:

Configuring Jersey Test Framework with Security

醉酒当歌 posted on 2021-02-20 02:52:17
Question: I am writing a REST web service using Jersey, and I'm trying to write a set of unit tests to test the service using the Jersey Test Framework. However, I use HTTP Authentication and SecurityContext as part of my web service, and I'm having issues setting up JTF to allow me to test these aspects. I can send authentication information in the request, but how do I configure it to know about the different roles and users I wish to set up? I'm currently using Jetty (via JettyTestContainerFactory),

Solving UnauthorizedAccessException issue for listing files

[亡魂溺海] posted on 2021-02-20 02:50:10
Question: Listing all files in a drive other than my system drive throws an UnauthorizedAccessException. How can I solve this problem? Is there a way to grant my application the access it needs? My code: Directory.GetFiles("S:\\", ...)
Answer 1: Here's a class that will work: public static class FileDirectorySearcher { public static IEnumerable<string> Search(string searchPath, string searchPattern) { IEnumerable<string> files = GetFileSystemEntries(searchPath, searchPattern); foreach (string file in files

How can I write a program that can detect by itself that it has been changed?

落爺英雄遲暮 posted on 2021-02-19 08:12:30
Question: I need to write a small program that can detect that it has been changed. Please give me a suggestion! Thank you.
Answer 1: The short answer is to create a hash or key of the program and have the program encrypt and store that key within itself. From time to time the program would make a checksum of itself and compare it against that hash/key. If there is a difference then handle it accordingly. There are lots and lots of ways to go about this. There are lots of very smart engineers out there that

Client Authentication for WebAPI 2

倖福魔咒の posted on 2021-02-19 07:39:25
Question: My company has written an API to expose our application data to our clients. We've completed the endpoints and now want to secure the API. The API will only be used by pre-approved clients, so no anonymous access is needed. I've been told that we can use an X.509 certificate that we generate to identify and authenticate each client. By identifying, I mean embedding a client code in the certificate that we issue to each client (is this even possible?). As you can probably tell I have little