Achieve Angular 1.5.9 template injection

I am testing a web application and I have found a stored cross site scripting vulnerability through Angular template injection; however, I am having a problem exploiting it. Here is what the application does: Everything is htmlspecialchar() \ is esc...

2017-03-19 21:03 (0) Answers

Invalid CORS request seen only in UCBrowser

When redirecting from abc.mydomain.com to www.mydomain.com, I get "Invalid CORS request" in UCBrowser, but it works perfectly fine in other browsers like Chrome, Firefox etc. HTTP status code in response is 403. I'm redirecting by response.sendRedir...

2017-03-19 20:03 (1) Answers

Access to the server from certain devices

I will try to be clear, but maybe you will help me to ask the right question. I build a server API for iOS and Android apps. The idea is that only these apps will work with this API. There will be no site. As I know, for now, the "request-response" paradig...

2017-03-19 17:03 (0) Answers

preg_replace integer and security

When I want to secure a $_GET parameter I usually use: $var = htmlspecialchars(stripslashes(strip_tags(trim($_GET['var']))), ENT_QUOTES); but if the $_GET parameter is only an integer (only 0-9 characters) should I use: $var = htmlspecialchars(stripsl...

2017-03-19 10:03 (1) Answers

Server certificate vs Server-Client certificate

What are the differences between a server certificate and a server-client certificate, and which one is safer? And in case I have a private web service running on my server which can be accessed by specific clients, what is the preferred one to use? ...

2017-03-18 16:03 (0) Answers

javascript create filtered access to object

NOTE: This is my first post, so please tell me if there is anything I should do better in that respect. I am making a javascript game (node as server, browser as client) in which the users can provide a string of a function to be executed as the AI...

2017-03-18 04:03 (0) Answers

Session_start Security

I am working on a login system that creates a session for the user once he logs in. I am attempting to make the system as secure as possible. I found some resources that claim session_start() itself is insecure and recommend taking extra steps to secure...

2017-03-17 23:03 (1) Answers

Is this a common or flawed security practice?

I would like user authentication to take place in the following way: User generates an encryption key and keeps it on their device. The key is then encrypted by their password. To create a new account, the user sends a public key and a signed messa...

2017-03-17 17:03 (0) Answers

Hiding sensitive data in Open Source projects

I wanted to build an OAuth v2 login system. I was given a client_secret which was meant not to be disclosed. Since the project is Open Source, how should I hide the client_secret from others? Is there a system through which only the original creator h...

2017-03-17 17:03 (1) Answers

How to secure Lexik Translation Bundle routes?

I am using Symfony 2.8 and I import my translations into the database with the help of the Lexik translation bundle - this allows me to have a route like /admin/translations where I can see statistics and add more translations (well, the customer wil...

2017-03-17 16:03 (1) Answers

Google crawl errors - Indian songs

I am unlucky enough to have received the label "this site may have been hacked" on Google search. So I have checked the site, and I found 700+ crawl errors to weird Indian songs on my domain; an example is: /coep/sare-gaon-me-hora-se-teri-baan-ka-r...

2017-03-17 10:03 (0) Answers

AWS EC2 and VPC security groups

According to the AWS Security White Paper: "Note, however, that you must create VPC security groups specifically for your Amazon VPC; any Amazon EC2 security groups you have created will not work inside your Amazon VPC." When I create a security g...

2017-03-17 04:03 (1) Answers

Java - prevent code modification techniques

I recently heard of a software security company that makes your code hack-proof in terms of reverse engineering and code modification. Their technique is this: They insert checksums in multiple check points in the code that secure the code between t...

2017-03-16 19:03 (2) Answers