Questions tagged [web-application]

An application that is accessed over a network such as the Internet or an intranet using a browser.

An application that is accessed over a network. The term may also mean an application that is hosted in a browser-controlled environment or coded in a browser-supported language and reliant on a common web browser to render the application executable.

3292 questions
407 votes, 10 answers

Is BASIC-Auth secure if done over HTTPS?

I'm making a REST API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used. Can this be considered secure?
Asked by Morten (4,223 reputation; badges: 3 gold, 14 silver, 7 bronze)
310 votes, 16 answers

SQL injection is 17 years old. Why is it still around?

I'm no techie and would like your expertise in understanding this. I recently read a detailed article on SQLi for a research paper. It strikes me as odd. Why do so many data breaches still happen through SQL injection? Is there no fix?
Asked by Ishan Mathur (2,603 reputation; badges: 2 gold, 10 silver, 9 bronze)
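The injection the question is about, shown as an added example (not part of the question or any answer on the page): the injectable string-concatenation pattern next to the parameterised query that fixes it, run against a constructed in-memory SQLite table. The table, user names and the attack payload are all made up for the example.

```python
import sqlite3

# Constructed in-memory table for this example; passwords are stored in clear
# only to keep the injection visible. Never do that in real code.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The injectable pattern: user input is pasted into the SQL text, so a quote
    # in the input ends the string literal and everything after it becomes SQL.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The fix: a parameterised query. The SQL text is fixed; the driver passes
    # the values out of band, so they can only be compared, never parsed.
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


# Constructed attack input: closes the password literal and appends an
# always-true condition, giving ... AND password = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", PAYLOAD))  # True: auth bypassed
    print("safe:      ", login_safe(db, "alice", PAYLOAD))        # False: payload is just a string
```

The fix is one line per query, which is the point usually made about SQLi: the defect survives not because it is hard to fix but because every concatenated query in every codebase has to be found and changed.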
254 votes, 2 answers

Can ads on a page read my password?

Disclaimer: I have minimal web-dev/security knowledge so please answer as if talking to a "layman." I've heard that web-advertisements need to be able to run their own JavaScript so that they can verify they're being viewed by "real users." As this…
Asked by scohe001 (1,035 reputation; badges: 2 gold, 7 silver, 13 bronze)
241 votes, 5 answers

What is the difference between https://google.com and https://encrypted.google.com?

Is there any difference between the encrypted Google search (at https://encrypted.google.com) and the ordinary HTTPS Google search (at https://google.com)? In terms of security what were the benefits of browsing through encrypted Google…
Asked by BlueBerry - Vignesh4303 (5,107 reputation; badges: 13 gold, 34 silver, 63 bronze)
234 votes, 7 answers

Should I use CSRF protection on Rest API endpoints?

Quick note: this is not a duplicate of CSRF protection with custom headers (and without validating token) despite some overlap. That post discusses how to perform CSRF protection on Rest endpoints without discussing if it is actually necessary. …
Asked by Conor Mancone (29,899 reputation; badges: 13 gold, 91 silver, 96 bronze)
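An added example of the kind of check the question is weighing (it is not from the question or from any answer on the page): a request filter for a state-changing REST endpoint that combines the custom-header approach the question links to with an Origin allowlist and a constant-time synchronizer-token comparison. The check is only relevant when the endpoint authenticates with a cookie the browser attaches on its own; an endpoint that accepts nothing but a script-set Authorization header cannot be driven cross-site by an HTML form. The origin list and header names are assumptions for the example.

```python
import hmac
import secrets

# Hypothetical allowed origin for this example; real deployments load this from config.
ALLOWED_ORIGINS = {"https://app.example.com"}


def issue_csrf_token() -> str:
    # Per-session token from the OS CSPRNG; the server keeps it in the session.
    return secrets.token_urlsafe(32)


def request_is_csrf_safe(headers: dict, session_token: str) -> bool:
    """Return True only if a state-changing request passes all three checks.

    headers: the request's HTTP headers (name -> value, any letter case).
    session_token: the CSRF token held in the caller's server-side session.
    """
    h = {name.lower(): value for name, value in headers.items()}

    # 1. Origin: browsers send it on cross-site POST/PUT/DELETE. A missing or
    #    foreign origin is rejected outright (None is never in the set).
    if h.get("origin") not in ALLOWED_ORIGINS:
        return False

    # 2. Custom header: an HTML form cannot set one, and fetch/XHR from another
    #    origin needs a CORS preflight first, which an API that does not grant
    #    CORS will refuse. Its presence shows a same-origin script sent this.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False

    # 3. Synchronizer token, compared in constant time so a wrong guess does not
    #    leak how many leading characters matched. Compare bytes so that a
    #    non-ASCII header value cannot raise instead of failing closed.
    provided = h.get("x-csrf-token", "")
    return hmac.compare_digest(provided.encode(), session_token.encode())
```

Check 2 on its own already stops the classic form-based CSRF; checks 1 and 3 are defence in depth for the cases where a permissive CORS policy or an old browser weakens it.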
232 votes, 10 answers

Is there any reason to disable paste password on login?

Today I logged in to pay my cellphone bill, and I found that the site has disabled paste functionality in the password field. I'm a webdev and I know how to fix this, but for a regular user it is REALLY annoying having to type a random password like…
Asked by IAmJulianAcosta (2,445 reputation; badges: 2 gold, 14 silver, 18 bronze)
209 votes, 4 answers

Is a rand from /dev/urandom secure for a login key?

Let's say I want to create a cookie for a user. Would simply generating a 1024 bit string by using /dev/urandom, and checking if it already exists (looping until I get a unique one) suffice? Should I be generating the key based on something else? Is…
Asked by Incognito (5,204 reputation; badges: 5 gold, 27 silver, 31 bronze)
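The scheme the question describes, written out as an added example (not code from the question or from any answer on the page): a login key drawn from the OS CSPRNG via os.urandom, the uniqueness loop the question mentions, and the two things a practitioner would add around it, namely storing only a hash of the key server-side and looking it up by that hash. The in-memory store is a stand-in for whatever database holds the sessions; 32 bytes rather than 1024 bits is a choice made here, not one the question makes.

```python
import hashlib
import os
from typing import Dict, Optional

# 256 bits of OS randomness. Collisions among such tokens are not a realistic
# event, so the uniqueness check below is belt-and-braces, not a requirement.
TOKEN_BYTES = 32


def new_session_token(nbytes: int = TOKEN_BYTES) -> str:
    # os.urandom reads the kernel CSPRNG (/dev/urandom or getrandom on Linux).
    # It is the right source for a login key; no extra mixing or seeding needed.
    return os.urandom(nbytes).hex()


def token_fingerprint(token: str) -> str:
    # Store a SHA-256 of the token, not the token, so a leaked session table
    # does not hand an attacker live sessions.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    """Constructed in-memory store standing in for the session database."""

    def __init__(self) -> None:
        self._users_by_fingerprint: Dict[str, str] = {}

    def create(self, user: str) -> str:
        token = new_session_token()
        fingerprint = token_fingerprint(token)
        # The "loop until unique" step from the question. With 256 random bits
        # this branch is never taken in practice; keeping it costs nothing.
        while fingerprint in self._users_by_fingerprint:
            token = new_session_token()
            fingerprint = token_fingerprint(token)
        self._users_by_fingerprint[fingerprint] = user
        return token  # goes into the cookie; the server never stores it verbatim

    def lookup(self, token: str) -> Optional[str]:
        # A dict lookup is not constant-time, but it runs on the SHA-256 of the
        # submitted token, so any timing difference is about the digest, which an
        # attacker cannot turn back into a valid token.
        return self._users_by_fingerprint.get(token_fingerprint(token))


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.create("alice")
    print(cookie, "->", store.lookup(cookie))  # prints the token and "alice"
```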
159 votes, 4 answers

Why is the same origin policy so important?

I can't really fully understand what same origin domain means. I know it means that when getting a resource from another domain (say a JS file) it will run from the context of the domain that serves it (like Google Analytics code), which means it…
Asked by YSY (2,229 reputation; badges: 4 gold, 20 silver, 16 bronze)
157 votes, 3 answers

If my password was able to be printed on a form sent home from my child's school, does it imply insecure password storage policies?

I have a user account for each of my children in our district website, which oversees registration, grades, identification, etc. I was recently sent home a form from both of my children's classrooms asking us to login to our accounts so we could…
Asked by MrDuk (1,237 reputation; badges: 2 gold, 8 silver, 10 bronze)
155 votes, 12 answers

https security - should password be hashed server-side or client-side?

I am building a web application which requires users to login. All communication goes through https. I am using bcrypt to hash passwords. I am facing a dilemma - I used to think it is safer to make a password hash client-side (using JavaScript) and…
Asked by johndodo (1,785 reputation; badges: 2 gold, 12 silver, 9 bronze)
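The two designs the dilemma contrasts, side by side as an added example (not the question's code and not any answer on the page). Scheme A hashes on the client and stores the result as received; Scheme B runs a slow salted KDF on the server over whatever arrives, raw password or client-side prehash. What the example makes concrete is why A alone is not enough: the stored value is then itself the credential, so a leaked row logs in directly. bcrypt is not in the Python standard library, so hashlib.scrypt stands in for it here; the user name and password are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def client_prehash(password: str) -> str:
    # What browser-side JavaScript hashing would do: a fast, unsalted hash. Its
    # output is a fixed function of the password, so holding it is holding the credential.
    return hashlib.sha256(password.encode()).hexdigest()


def server_hash(credential: str, salt: Optional[bytes] = None) -> str:
    # Stand-in for bcrypt: scrypt with a random 16-byte salt. Output is salt$digest, hex.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(credential.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def server_verify(credential: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    recomputed = server_hash(credential, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed.encode(), stored.encode())


# Scheme A: hash on the client only; the server stores the received value as-is.
def register_client_only(db: Dict[str, str], user: str, password: str) -> None:
    db[user] = client_prehash(password)


def login_client_only(db: Dict[str, str], user: str, received: str) -> bool:
    return hmac.compare_digest(db.get(user, "").encode(), received.encode())


# Scheme B: the server runs the slow salted KDF over whatever it receives,
# whether that is the raw password or a client-side prehash of it.
def register_server_side(db: Dict[str, str], user: str, credential: str) -> None:
    db[user] = server_hash(credential)


def login_server_side(db: Dict[str, str], user: str, credential: str) -> bool:
    return user in db and server_verify(credential, db[user])


if __name__ == "__main__":
    a: Dict[str, str] = {}
    register_client_only(a, "alice", "hunter2")
    print("A, replay leaked row:", login_client_only(a, "alice", a["alice"]))   # True
    b: Dict[str, str] = {}
    register_server_side(b, "alice", client_prehash("hunter2"))
    print("B, replay leaked row:", login_server_side(b, "alice", b["alice"]))  # False
```

Client-side prehashing can still be layered on top of B (it keeps the raw password off the server), but the server-side KDF is the part that protects the stored table.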
122 votes, 6 answers

How to find out what programming language a website is built in?

I think that it's fundamental for security testers to gather information about how a web application works and eventually what language it's written in. I know that URL extensions, HTTP headers, session cookies, HTML comments and style-sheets may…
Asked by storm (1,714 reputation; badges: 4 gold, 16 silver, 25 bronze)
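The signals the question lists (URL extension, headers, session cookie name, HTML comments) collected by one small fingerprinting pass, as an added example that is not from the question or any answer on the page. The signature tables are illustrative and far from exhaustive, the sample response is constructed rather than captured from a real site, and every signal shown is trivially spoofable or removable, so the function returns evidence for a tester to weigh, not a verdict.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Illustrative signature tables (assumptions for the example, not a complete list).
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "_session_id": "Ruby on Rails",
    "connect.sid": "Node.js (Express)",
    "laravel_session": "PHP (Laravel)",
}
EXTENSION_SIGNATURES = {
    ".php": "PHP", ".jsp": "Java (JSP)", ".aspx": "ASP.NET",
    ".asp": "Classic ASP", ".cfm": "ColdFusion",
}
TECH_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=0123abcd; Path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><!-- built with our in-house php templates --><body></body></html>"
)


def parse_response(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split a raw HTTP response into lower-cased (name, value) headers and the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def fingerprint(raw: str, url: str = "") -> List[Tuple[str, str]]:
    """Return (evidence, inference) pairs; the caller weighs them, nothing here is proof."""
    headers, body = parse_response(raw)
    findings: List[Tuple[str, str]] = []

    path = urlsplit(url).path.lower()
    for ext, tech in EXTENSION_SIGNATURES.items():
        if path.endswith(ext):
            findings.append(("url extension " + ext, tech))

    for name, value in headers:
        if name in TECH_HEADERS:
            findings.append(("header " + name, value))
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in COOKIE_SIGNATURES:
                findings.append(("cookie " + cookie, COOKIE_SIGNATURES[cookie]))

    # Developer comments often name the generator or framework outright.
    for comment in re.findall(r"<!--(.*?)-->", body, flags=re.S):
        findings.append(("html comment", comment.strip()))
    return findings


if __name__ == "__main__":
    for evidence, inference in fingerprint(SAMPLE_RESPONSE, "https://target.example/index.php"):
        print(f"{evidence:28} -> {inference}")
```

Several independent signals agreeing (here the extension, the X-Powered-By header and the cookie name all say PHP) is what makes a guess worth acting on; any one of them alone can be a deliberate decoy.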
116 votes, 18 answers

Does an established HTTPS connection mean a line is really secure?

From the view of somebody offering a web application, when somebody connects with TLS (https) to our service and submits the correct authentication data, is it safe to transmit all sensitive data over this line, or can it be that there is still…
Asked by Peter Smit (2,699 reputation; badges: 3 gold, 22 silver, 25 bronze)
115 votes, 13 answers

Is it good or bad practice to allow a user to change their username?

I have looked all over online as well as this site to try to find out more information regarding the security of this, but haven't found anything. In my particular case, the product is a website, but I think this question applies for any software…
107 votes, 5 answers

Should websites be allowed to disable autocomplete on forms or fields?

Currently, there is an HTML form/input attribute called autocomplete, which, when set to off, disables autocomplete/autofill for that form or element. Some banks seem to use this to prevent password managers from working. These days sites like Yahoo…
Asked by Manishearth (8,237 reputation; badges: 5 gold, 34 silver, 56 bronze)
107 votes, 2 answers

Is a redirect showing the password in plain text a security vulnerability?

A couple of days ago, I attempted to log into the website of a well-known SaaS provider. I used a password manager on my browser (so user/pass were correct) and the NoScript plugin which had limited permissions granted to the site so some JS was…
Asked by markdwhite (1,023 reputation; badges: 2 gold, 6 silver, 7 bronze)