Topics relating to application security and attacks against software. If your question is not about a specific programming problem, please consider instead asking it at Security.SE: http://security.stackexchange.com

- Stackoverflow.com Wiki
66 articles, 10 books. Go to books ↓

When writing forms for your ASP.Net MVC websites the common approach to ensuring only real people use them site is to simply add an Html.AntiForgeryToken() to your form’s view mark-up and controller and be on your way.


Lessons from NYC's improperly anonymized taxi logs


A well-designed application has to have a good balance of various components: aesthetics, usability, security, and so on. Most web apps have measures employed to protect sensitive data, and a majority of those measures are related to information submission and account credentials. That said, this is one area where security and design decisions can easily clash with each other.


This tutorial highlights one promising new defense that can significantly reduce the risk and impact of XSS attacks in modern browsers: Content Security Policy (CSP).


With the web slowly maturing as a platform the demand for cryptography in the browser has risen, especially in a post-Snowden era. Many of us have heard about the upcoming Web Cryptography API but at the time of writing there seem to be no good introductions available. We will take a look at the proposed W3C spec and its current state of implementation.


Every system and thus also every database is always vulnerable. Most databases, however, do offer a significant amount of features to implement a security layer – and MongoDB is no different from any other DBMS here. So, how could this massive security hole happen?


Although the security of all websites is important, the security of an eCommerce website is particularly important because these sites keep records of users’ data and order-related financial information. Any attempt to hack such data can cause a huge loss to your store.


Mark McDonnell shares his research on what the security basics of the web mean. He explains PGP, SSL, SSH, certificates, and the general purpose of public and private key methods.


The recent Ashley Madison hack has shown how to make your originally safe password hashing useless. Many passwords have been already decrypted that way and it again turns out that most passwords are super simple and predictable. It shows that even if the passwords wouldn’t have been cracked, hackers could still run word-lists on the hashes and get access to the accounts easily. Always choose a strong password and use them only once.


The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.


In case you need an OpenSSL anecdote to scare your co-workers with...


Web authentication systems have evolved over the past ten years to counter a growing variety of threats. This post will present a fictional arms race between a web application developer and an attacker, showing how different threats can be countered with the latest security technologies.


Most of these items are general and applies to all languages and frameworks not just Node.js - however some of the tools presented are Node.js specific.


99.99% of the Redis use cases are inside a sandboxed environment. Security is complex. Adding security features adds complexity. Complexity for 0.01% of use cases is not great, but it is a matter of design philosophy, so you may disagree of course.


Passwords are crap. Nobody picks good ones, when they do they re-use them across sites, and if you use even a trustworthy password manager, they’ll get hacked too. But you know what’s worse than a password? A fingerprint.


This guide provides practical advice to help engineers build up infrastructure following security best practices so that they can confidently deploy their services to the public Internet and lower their chances of being compromised.


In light of increasing threats over the past decade coupled with heightened concern for individual privacy, industries and governments around the world have embarked on a series of initiatives designed to increase security, reduce fraud and protect personally identifiable information.


Ebay thought they were secure, you see. They thought they'd done everything right. Sure, their regex only matched alphanumeric characters inside script tags, but really, who writes javascript without using letters or numbers? How much harm could possibly be done?


If you think you’re clever enough to securely encrypt only part of your web application, you’re almost certainly wrong.


You think PBKDF2 is pretty secure and takes long to brute-force? Well, it’s not the case when you replace the cryptographic keys with precomputed values.


The page we’re linking to gains partial access to the source page via the window.opener object.


Unless you’ve been living under a rock for the past few months you have probably heard about the dump from the 2012 LinkedIn hack being released.


Did you know links sent privately through messenger can be read by anyone? Moreover, Facebook knows about this and has no plans to fix the issue.


As much as we like to keep pushing the needle further around the "strong security dial" with things like security headers, strong HTTPS implementations and robust hashing algorithms, every now and then we need to take a moment to remember just how low the bar still remains and that frequently, we can't even get the basics right.


123456, password, rootkit, 111111, 12345678, qwerty, 123456789, 123123, qwertyui, letmein, 12345, 1234, abc123, dvcfghyt, 0, r00tk1t, ìîñêâà, 1234567, 1234567890, 123, fuckyou, 11111111, master, aaaaaa, 1qaz2wsx


If you ever lose your iPhone, iPad or iPod, be extra alert for upcoming identity theft attempts.


Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records.


How to safely generate random numbers in C/C++ Java, .NET, Node.js, PHP, Python, Ruby


Most systems administrators use the industry-standard Secure Shell (SSH) for accessing systems, and yet many of its special features are not widely leveraged. At Facebook, we take advantage of those features to use SSH in a way that is reliable, secure, and manageable. SSH, more specifically OpenSSH, has a great way to provide both the security and reliability we require: signed certificates with principals.


In ASP.NET 4.5 the encryption of ViewState received a significant rewrite that addressed this issue and effectively makes ViewState very secure.


Without your consent most major web platforms leak whether you are logged in. This allows any website to detect on which platforms you're signed up. Since there are lots of platforms with specific demographics an attacker could reason about your personality, too.


DNS isn’t a sexy topic. Unless you’re a network or infrastructure engineer, you probably think as little as possible about it — until something goes wrong. If you run a site and haven’t thought much about DNS, now’s a good time to take steps that can keep your site/services up when your peers go down.


All passwords should be hashed before entering a database because you have to consider the scenario where some malicious user attempts to gain entry into your data. Passwords are sensitive pieces of information that you don't want people to see.


Post Snowden, and particularly after the result of the last election in the US, it's clear that everything on the web should be encrypted by default.


The value your site has to attackers is not just the data, it's the reputation. It doesn't even need to be a good reputation in terms of it being a well-established site with lots of inbound links, it simply needs to be a site that doesn't have a bad one.


This is a simple demonstration of form fields hidden from the user, but will be filled anyways when using the browser form autofill feature, which poses a security risk for users, unaware of giving their information to the website.


Clickjacking, XSS and CSRF, exploits that have been around for 15+ years now and still form the basis for many vulnerabilities on the web today. If you spend any time around bug bounty programs you will notice similar patterns with these exploits, that many could have been prevented with just a few HTTP Headers in place.


This post gathers what you need to know, and what you need to do, if you use CloudFlare, or if you personally used a website using CloudFlare.


Don't look now, but online scammers are already hard at work taking advantage of newly signed legislation that allows Internet Service Providers to sell your online privacy, including your web browser history, to the highest bidder without your consent.


After more than a year of research and development, Netflix recently upgraded their infrastructure to provide HTTPS encryption of video streams in order to protect the privacy of their viewers. Despite this upgrade, we demonstrate that it is possible to accurately identify Netflix videos from passive traffic capture in real-time with very limited hardware requirements. Specifically, we developed a system that can report the Netflix video being delivered by a TCP connection using only the information provided by TCP/IP headers.


2FA is an additional layer of security to protect user accounts from attackers that have already compromised your password. When you login into a service using your username and password, you will get an additional challenge before access is granted. Usually it is a 6 digit temporary code that changes every 30 seconds. Google authenticator, Authy and Toopher are just a few of the 2FA solutions Lastpass supports that are based on RFC6238 and RFC4226. There are other types of 2FA but these are the most common.


Bad crypto is everywhere, unfortunately. The frequency of finding crypto done correctly is much less than the number of times I find it done incorrectly. Many of the problems are due to complex crypto APIs that are insecure by default and have have poor documentation.


This write-up will not examine any new vulnerability. Rather, it explores a common methodology used in trivially hacking iOS apps, in which you perform a man-in-the-middle (MitM) attack on yourself.


If you have ever hosted a website or even administrated a server you'll be very well aware of bad people trying bad things with your stuff.


Let that sink in for a moment: A huge collection of botted accounts — the vast majority of which should be easily detectable as such — may be able to abuse Twitter’s anti-abuse tools to temporarily shutter the accounts of real people suspected of being bots!


Most so-called "DNS attacks" are not DNS attacks at all, meaning they don't exploit a weakness in the DNS protocol. Most of the time, they are attacks against the provisioning infrastructure, the set of actors and servers that domain name holders (such as WikiLeaks for wikileaks.org) use to provision the data.


When properly configured, the protections between a user and a CloudFlare-secured site can be an effective way of shielding the true IP addresses of an organization’s internet-facing assets and therefore protect them with CloudFlare’s filtering capabilities.


Security researchers in China have invented a clever way of activating voice recognition systems without speaking a word. By using high frequencies inaudible to humans but which register on electronic microphones, they were able to issue commands to every major “intelligent assistant” that were silent to every listener but the target device.


There are a few resources that you can find that teach how to secure an ASP.NET Core web application. For web apis using ASP.NET Core it’s a little bit harder to find information.


Azure Blob storage is a great method to cost effectively store data, from key/value pairs to individual binary files, and Microsoft provides several mechanisms to ensure that you can properly secure your data. In this post, we'll take a look at methods you can use to secure data that is stored as blobs in Azure Storage Accounts.


There’s a potential security exploit that ASP.NET MVC leaves you open to. However, in Peter’s opinion, all the proposed solutions miss the point.


It seems that there is no limit to human ingenuity when it comes to working around limitations within one's environment.


From minimizing pointer use to strong type checking at compile time, Swift is a great language for secure development. But that means it's tempting to forget about security altogether. There are still vulnerabilities, and Swift is also enticing to new developers who haven't yet learned about security.


There are some repeating ideas that due to their massive potential impact it is important to know (and tell your friends) about.


Security breaches are very common. To make matters worse, when it comes to users’ passwords it is frequent that no reasonable precautions were taken to ensure that they can’t be easily extracted from the breached data.


You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.


Checklist of the most important security countermeasures when designing, testing, and releasing your API.


When offering an online service there are two risks to user accounts: Firstly, the service itself can be compromised by an attacker. Secondly, a user’s password could be obtained by an attacker and then be used to target our platform by injecting malicious content or abusing the account.


There is a widespread misconception that having a CAPTCHA in place protects against CSRF. In most cases, this is incorrect at best and dangerous at worst. CAPTCHA does not prevent CSRF – here’s why.