Questions tagged [web]
233 questions
153 votes, 5 answers
What to do if stuck with website that has poor security?
I have a student loan account with a company, not the biggest company but big enough to where they should have their act together. Today I couldn't remember my password to log into my account dashboard. I clicked "forgot password" and they prompted…
DasBeasto
77 votes, 4 answers
What is the purpose of (ab)using the redirect page of my website for dubious URLs?
My website has a redirect page with the format https://my.site/redirect?deeplink=https://foo.bar&...
The redirect is implemented in Javascript, so when you request the site, you get a 200 and some HTML + JS, not a 30X.
I recently started to notice…
Kirill Rakhman
75 votes, 10 answers
Are security flaws acceptable if not much harm can derive from them?
Recently, I have discovered a security flaw in a business website. This website has a password-protected "Partners Area", and like many websites it provides a form to reset the user's password.
When a user asks for a password reset for his nickname,…
danieleds
60 votes, 6 answers
Why do some sites ask for username/email and password on two separate screens?
Well, I only have two examples, but it seems to be a slowly growing thing.
First, I noticed that hotmail.com/live.com started to do this - ask for the email address on the first screen, and then you have to click 'next' and then enter your…
Dan.
58 votes, 1 answer
Does a client certificate identify the owner to unrelated websites?
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client…
user13097
51 votes, 5 answers
What exploit are these user agents trying to use?
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (Nginx with PHP). The 1 in front of it is just how many times the user agent was seen in…
Alexis Evelyn
51 votes, 4 answers
Why submit a website to plaintext offenders?
I've read this question and to quote from the accepted answer
Besides that, by submitting the site to plaintext offenders, you will provide a third-party point of view, which might help your case.
But, isn't submitting a website to plaintext…
Ryan Weaver
32 votes, 3 answers
How are short passwords not safe if you limit the number of attempts?
On all web services that require passwords, like gmail, you are asked to set a long password. Like 8 characters or more.
The reason being higher security.
But the same services limit the number of login attempts to 3-4 tries before locking your…
Alex
24 votes, 3 answers
How to deal with WPE users
I own a chat room and some users use a program Winsock Packet Editor, "WPE PRO".
With it they manage to bypass chat rules, like they can't be muted or kicked, and they can send messages fast bypassing the limit of the chat.
I was wondering if there…
Salim Aljayousi
22 votes, 5 answers
Could hashing prevent SQL injection?
On a whim I've recently decided to throw up the first proper website I created onto my local web server I use for development. I thought it'd be a great environment to throw some SQL at for injection as I know there are flaws and the site was only…
lewis
17 votes, 1 answer
Why doesn't the JSON Hijacking attack work in modern browsers? How was it fixed?
I understand JSON Hijacking vulnerabilities have been fixed in all modern browsers, but how exactly?
There are many articles that talk about techniques to prevent JSON Hijacking attacks (i.e. prepending while(1); like Google does), but no one has…
fbid
16 votes, 1 answer
What is this potential identity leak that NoScript warns about?
Recently, while using the Tor Browser, NoScript popped up the following warning when I opened a stack overflow link in a new tab from duckduckgo:
Potential Identity Leak
You are about to load a page from stackoverflow.com. If you are a…
nobody
14 votes, 1 answer
What parties have access to the *full* requested URL of a website accessed via the HTTPS protocol?
What parties have access to the full requested URL of a website accessed via the HTTPS protocol?
Here are some possibilities I can think of, and there could be more:
local device accessing the website
router
modem
local network provider (wired or…
RockPaperLz- Mask it or Casket
13 votes, 4 answers
How to perform a proper DDoS test in a safe and controlled way?
What is the proper and safe way to perform a DDoS test without crashing the whole infrastructure?
What different types of DDoS attacks are there, and what things should be considered when performing such a test?
Also, where can you rent a "botnet" or a…
Bob Ortiz
9 votes, 2 answers
Does the "auto formfill" feature in Chromium-based browsers actually send this to the webpage?
I use Vivaldi. I have previously filled in forms where I used a certain name and e-mail.
Today I cleared the browser data except for the autofill stuff.
Then I went to Stack Exchange to register an account. It's pre-populated with an e-mail address…
Javiair