Questions tagged [application-security]

Application layer security design, implementation, vulnerability assessments and concerns, as opposed to infrastructure (e.g., ACLs on routers, IDSes, etc.)

It "encompasses measures taken throughout the code's life-cycle to prevent gaps in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance or database of the application", as stated in Wikipedia.

Since this tag is used in its general meaning, you are strongly encouraged to use one or more additional tags to better describe your specific case.

50 questions
21 votes, 3 answers

Security of sending sensitive intent extras within my own app?

I have an activity which asks for a username and password, then starts another activity in my app to complete a user signup. I want to send the username+password as intent extras to the second activity. Something like: Intent intent = new…
user3203425
11 votes, 3 answers

How secure is Oauth 2.0 Implicit Grant?

In Implicit Grant, the access token is sent back in the callback URL. Is this not a security risk if this callback URL is cached in the hop? In general it is advised not to send sensitive data in URL params, and this access token will be a…
Karthik
9 votes, 1 answer

What are the disadvantages of a Docker container using the host network?

I understand that by default a Docker container will be created in its own network stack. I would like to use the --net host flag when running Docker containers to allow the use of all host ports. The disadvantages I am aware of: Services running…
James
7 votes, 2 answers

Certificate Pinning on .NET

I want to limit my .NET application to accept only known certificates. So how can I enforce certificate pinning on .NET? What is the best practice? Is it OK to just validate the thumbprint?
Yazginin Firati
6 votes, 1 answer

Using Secure String and Keeping it Secure

So the .NET framework provides the SecureString class for storing strings in a secure fashion. But to read the information and work with it you have to return it to a standard string. See this implementation example. As you can see from the…
Mitchel Sellers
5 votes, 1 answer

.net - What is the best practice for securing WPF application configuration settings?

I am aware that this is a more subjective question than is preferred, but I couldn't think of a better place or way to ask it. I am developing a WPF application, and I have configuration settings in an App.config file. Some of these settings are…
Sako73
4 votes, 1 answer

How to prevent SQL injection and improve security on REST APIs?

I'm new to REST APIs and developing an API that is going to be used for iOS/Android/Web apps, but I'm unfamiliar with the kind of threats the APIs face once published. I see these same tips all over: Use OAuth 2 to allow transactions, Receiving…
Dialvive
4 votes, 7 answers

Storing Username/Password During Processing

Working inside the context of an ASP.NET application I am creating a page that will be able to execute database scripts against one of many databases in our environment. To do this we need to prompt the user for a username/password combination,…
Mitchel Sellers
4 votes, 3 answers

Alternatives to dotfuscator suite?

I've been looking for solutions that provide a couple of types of protection and dotfuscator has been what I've landed on each time I look. Specifically, I like: code obfuscation, their usage analytics, tamper detection/notification, shelf-life…
Steven Evers
3 votes, 1 answer

Is it fine to use duplicate response header with same value?

I found a response where duplicate headers are used by the application with the same value. Could anyone tell me whether this is a good programming practice, or whether those are used from a security perspective, or anything else? HTTP/1.1 200 …
2 votes, 0 answers

Is location.hash vulnerable to DOM XSS in jQuery selector when combined with other selectors

I'm using the Checkmarx SAST tool and it's highlighting jQuery selectors using the hash from the URL as Client DOM XSS: $('[name=' + location.hash.replace('#', '') + ' ]') or even $('#' + location.hash.replace('#', '')) I don't understand how any of the…
shevisi tamid
2 votes, 1 answer

Host Header Injection

I am a beginner in security and reading about host header injection. I tested an application for this vulnerability and it is possible there for some requests, but the developer implemented no-cache, no-store flags and this vulnerability is not in…
2 votes, 2 answers

ZAP Ajax spider authentication not working using ZEST

Followed following steps: 1. Record ZEST script (tested to be working) 2. Include site in context 3. Add user 4. Select forced user 5. Upload script and select script based authentication 6. Define logout indicator 7. Exclude logout from spider 8.…
user3399273
2 votes, 1 answer

How to add a certificate to the cacerts folder in Android emulator 3.1

I am trying to intercept HTTPS traffic for a native app in Android emulator 3.1. However, there is no cacerts.bks file present in the file system. All certs are stored under /system/etc/security/cacerts/. Any help in adding the cert and intercepting…
2 votes, 2 answers

Kerberos Authentication keytab KVNO

I have a network environment where Kerberos authentication is set up in the corporate standard (i.e. a password can live only 30 days for a user). I've installed my Java web application on this system, which uses a keytab file generated by the KDC. All works fine…