Why is JavaScript in the query string executing?

I have an XSS situation where if a user saves a value like "<img onerror=alert(document.cookie)>" it will alert the cookie when the page loads. The value is in the URL like http://mything.com?value=onerror%253Dalert%2528document.cookie%2...

2017-04-18 22:04 (0) Answers

End-to-End Encryption & Syncing

Our iOS app stores messages that users send each other in a PostgreSQL database on our server. Therefore, our users can access their entire message history on any device (iPhone, iPad, iPod Touch) just by logging in. We'd like to implement end-to-en...

2017-04-18 20:04 (1) Answers

Multiple Social Logins in application

I'm currently struggling with finding a solution that will give me the ability to allow my clients in my application to log in from: Facebook, Google+, Instagram, Twitter, and maybe more on the way. Now all I want is to allow the app to connect to each of the...

2017-04-18 20:04 (0) Answers

AD primarygroups with ranger and sssd

I am trying to implement Hadoop security integration on HDP with Ranger and sssd. I set up all nodes with sssd against AD and it is working fine. The problem is sssd getting primary groups of users as well, like: uid=908601104(bilgin) gid=908603108(ha...

2017-04-18 17:04 (0) Answers

Meaning of key=(null) in auditd linux?

Could you please explain why some auditd events don't have any value in the key? They have key=(null). I have reviewed all the auditd rules and all of them have the key specified. Find below an example of an event found (notice the key=(null) at the en...

2017-04-18 11:04 (0) Answers

Captcha with Burp Suite

I am trying to use Burp Suite for testing on a site, but the site has a captcha and I'm not sure how I can make Burp Suite bypass it. The captcha is an image with 4 digits. I assume every time the page is loaded it changes the image with the captcha. H...

2017-04-18 11:04 (0) Answers

OrientDB execute query as user in web

In OrientDB we have record-level security. When a user executes a query (e.g. select from classX), he only receives records that he has access to. It is a super feature, but how can I use it in my web application? I would like to get the logged-in user from my secur...

2017-04-18 05:04 (0) Answers

Python prepared statement security

I took a slight peek behind the curtain at the MySQLdb Python driver, and to my horror I saw it was simply escaping the parameters and putting them directly into the query string. I realize that escaping inputs should be fine in most cases, but comin...

2017-04-18 00:04 (3) Answers

Amazon S3 Privacy & Security

We are storing files uploaded by users of our app to Amazon S3. In order to keep these files private & secure, we are: having the client generate a UUID for the filename (so that the URL of the file is difficult to guess). See: What is the pro...

2017-04-17 21:04 (1) Answers

How to keep my app and its web admin safe?

I had an Android app developed by a developer, along with its corresponding web admin in PHP. It is an ecommerce site. One of my staff has a little knowledge about APK & PHP and has access to both my APK file & admin code. So I am fearing that ...

2017-04-17 20:04 (0) Answers

Why does Angular2 sanitize script tags in components?

I totally understand that for security reasons and to prevent XSS attacks, user input must be sanitized: sanitizing input from a text field or an input field. But I'm having a hard time trying to understand why Angular removes script elements from ...

2017-04-17 17:04 (1) Answers

Windows Accounts and processes exploitation

Part 1 - Do all processes and executables in Windows require an account to run and manage them? I was reading how the System account manages the core processes of the OS while service accounts and user accounts manage applications. Part 2 - Do applicati...

2017-04-17 17:04 (1) Answers

JavaScript Date object

Does the Date object get its values from the operating system locally? What if someone changes his time value? In my project I need to implement a system for reserving food; in my case the user can't make a request for food before 10 am, but what if...

2017-04-17 14:04 (1) Answers

Magento with licensing service (PACE)

We are going to implement a project in Magento which will have the items in soft form. In simple words, we are going to implement a site which will sell software. The client wants to add the licensing functionality. So for this we decided to use the PACE/I...

2017-04-17 10:04 (0) Answers

How to secure ajax content

I was on almaconnect.com; on the home page there is a textbox which auto-suggests some results of universities when you type (it loads content by making an ajax call). I made a curl request of the same ajax call, but the request resulted in some encrypted lines on...

2017-04-17 09:04 (3) Answers