Questions tagged [appsec]

Application security - Specific to security concerns for an application that are independent from the underlying operating system, or surrounding infrastructure. Pertains to the design / architecture, source code, patching and maintenance cycle, or deployment and configuration of this software.

Application security refers to the security of a specific application and could pertain to the design / architecture, source code, patching and maintenance cycle, or deployment and configuration of this software.

956 questions
926 votes, 11 answers

How to securely hash passwords?

If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the database, and not any other type of attack, such as…
AviD
225 votes, 4 answers

Recommended # of iterations when using PBKDF2-SHA256?

I'm curious if anyone has any advice or points of reference when it comes to determining how many iterations is 'good enough' when using PBKDF2 (specifically with SHA-256). Certainly, 'good enough' is subjective and hard to define, varies by…
Tails
143 votes, 5 answers

How can I export my private key from a Java Keytool keystore?

I would like to export my private key from a Java Keytool keystore, so I can use it with openssl. How can I do that?
Jonas
112 votes, 9 answers

Why can we still crack snapchat photos in 12 lines of Ruby?

Just came across this bit of ruby that can be used to decrypt Snapchat photos taken out of the cache on a phone, apparently adapted from here. To my surprise, it worked without a problem, considering the problems around Snapchat's security which…
Dmitri DB
108 votes, 5 answers

Can simply decompressing a JPEG image trigger an exploit?

The novel Daemon is frequently praised for being realistic in its portrayal rather than just mashing buzzwords. However, this struck me as unrealistic: Gragg's e-mail contained a poisoned JPEG of the brokerage logo. JPEGs were compressed image…
JDługosz
98 votes, 8 answers

Can anyone provide references for implementing web application self password reset mechanisms properly?

We are implementing self password reset on a web application, and I know how I want to do it (email a time-limited password reset URL to the user's pre-registered email address). My problem is that I can't find any references to point the developers at…
bdg
92 votes, 4 answers

How does XSS work?

I have very little experience in web development, but I'm interested in security. However, I haven't fully understood how XSS works. Can you explain it to me? The Wikipedia article gives me a good idea, but I don't think I understand it very well.
Ither
87 votes, 2 answers

Should I use AntiForgeryToken in all forms, even login and registration?

I'm running a rather large site with thousands of visits every day, and a rather large userbase. Since I started migrating to MVC 3, I've been putting the AntiForgeryToken in a number of forms that modify protected data, etc. Some other forms, like…
Artiom Chilaru
80 votes, 7 answers

SQL injection -- why isn't escape quotes safe anymore?

Raw SQL: When you're writing SQL -- for anything that takes human input, really -- a lot of things have been done to avoid the injection. Everyone that's heard of SQL injection knows that (I'm going to use PHP as a sample) doing something like this…
Incognito
76 votes, 19 answers

What security resources should a white-hat *developer* follow these days?

What sites, Twitter accounts, FOSS software should a white-hat code 'hacker' follow these days? Do include: late-breaking information on new security issues (RSS, Twitter, etc.); a website that tracks unpatched security issues per vendor; Twitter…
makerofthings7
73 votes, 3 answers

How to exploit HTTP Methods

Many security scanners like nikto, nessus, nmap, and w3af sometimes show that certain HTTP Methods like HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, etc are vulnerable to attack. What do these methods do and how can they be exploited? I'm…
Digital fire
71 votes, 10 answers

Does disabling right click have any impact on security?

On a banking website I see that they have disabled right-click. Does that make the site any more secure? Is it a good general practice?
18bytes
66 votes, 4 answers

Is an up-to-date browser secure on an out-of-date OS?

Windows 7 support will end on January 14, 2020. Assuming that after that day I still use an updated browser, is it true that I'm still safe? Can it "patch" the OS-based security holes? Minor question: typically, how long would the browsers stop…
Ooker
63 votes, 16 answers

What tools are available to assess the security of a web application?

What tools are available to assess the security of a web application? Please provide a small description of what the tool does. Update: More specifically, I'm looking for tools that assume no access to the source code (black box).
62 votes, 6 answers

How to Securely Implement a "Remember Me" Feature?

Assuming you already have a website that implements all of the standard login stuff, what is the correct and most secure way to allow users to automatically be logged in for a certain time period (let's say 30 days)? This time period should be…
colithium