Questions tagged [owasp]

The Open Web Application Security Project (OWASP) is an organization that wants to inform people about application security.

They provide various examples of attack vectors, and how to protect your applications against them, including examples in multiple programming languages.

OWASP provides a long list of cheat sheets to help address security issues in common application designs.

OWASP Top Ten Project

The OWASP Top Ten flagship project provides a list of critical application security vulnerabilities. These vulnerabilities are selected based on a combination of frequency, exploitability and severity. The list acts as a starting point for web applications to harden themselves against attack.

1114 questions
423 votes, 4 answers

Why is it common to put CSRF prevention tokens in cookies?

I'm trying to understand the whole issue with CSRF and appropriate ways to prevent it. (Resources I've read, understand, and agree with: OWASP CSRF Prevention Cheat Sheet, Questions about CSRF) As I understand it, the vulnerability around CSRF is…
metamatt
375 votes, 8 answers

What is "X-Content-Type-Options=nosniff"?

I am doing some penetration testing on my localhost with OWASP ZAP, and it keeps reporting this message: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff' This check is specific to Internet Explorer 8 and Google…
Pringles
191 votes, 9 answers

PHP $_SERVER['HTTP_HOST'] vs. $_SERVER['SERVER_NAME'], am I understanding the manual pages correctly?

I did a lot of searching and also read the PHP $_SERVER docs. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site? $_SERVER['SERVER_NAME'] is based on your web server's config file…
Jeff
59 votes, 3 answers

CSRF, XSS and SQL Injection attack prevention in JSF

I have a web application built on JSF with MySQL as DB. I have already implemented the code to prevent CSRF in my application. Now since my underlying framework is JSF, I guess I don't have to handle XSS attack as it is already handled by…
AngelsandDemons
54 votes, 4 answers

CSRF (Cross-site request forgery) attack example and prevention in PHP

I have a website where people can place a vote like this: http://mysite.com/vote/25 This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on…
Saif Bechan
35 votes, 3 answers

Adding authentication in ZAP tool to attack a URL

How do I pass authentication details to the ZAP tool to scan the website? Please help me solve the problem.
user2323844
30 votes, 2 answers

playframework owasp top 10

I'm thinking about using Play for a large-scale project, so, has anyone battle-tested Play framework for OWASP Top 10? Are there any security problems you know of in Play framework?
sirmak
22 votes, 1 answer

How can I set the 'secure' flag for cookies in an ASP.NET MVC website?

I have set the following in web.config: When I hit the website using an HTTP connection, it redirects to my login page (specifying the scheme as HTTPS). When the…
Gary McGill
21 votes, 1 answer

What is the x-Application-Context header?

What does this response header (x-Application-Context) stand for? Is it specific to the Spring framework? What does the below header mean? X-Application-Context airtel-project-service:aws:27094 Does it reveal any sensitive information like hostname…
user1493834
21 votes, 2 answers

What Response Should Be Sent Back When a Cross-Site Request Forgery (CSRF) is Detected

What response should I send back when a Cross-Site Request Forgery (CSRF) is detected? There is a scanning tool which I cannot get a hold of that is saying one of my pages is not protected against CSRF. But it is. The response I send back is a…
gfrobenius
21 votes, 2 answers

Reliable way to detect browser, version and platform in PHP

I have been looking for a reliable way to have (at least for the less obscure ones): the name of the browser, the version, and the platform (OS) it is on; maybe more information, but the 3 pieces of info above are enough. I want to display custom content…
Jeffrey Nicholson Carré
19 votes, 2 answers

Filtering upwards path traversal in Java (or Scala)

Are there any standard library methods that can filter out paths which include special traversal sequences, such as ../ and all other convoluted forms of upwards directory traversal, to safeguard a file path API input from traversing upwards of a…
matanster
19 votes, 3 answers

Where can I find ESAPI.properties?

I am trying to use the OWASP ESAPI library in my web app to escape request parameters in JSPs as below: ESAPI.encoder().encodeForHTML(request.getParameter()). I have added esapi-2.1.0.jar under WEB-INF/lib but I get the below…
Pro
18 votes, 7 answers

iOS certificate pinning with Swift and NSURLSession

How to add certificate pinning to an NSURLSession in Swift? The OWASP website contains only an example for Objective-C and NSURLConnection.
lifeisfoo
17 votes, 5 answers

Are JavaScript comments a security risk?

During a recent PCI audit the auditor said that we had major security risks because it was possible to download static resources from our website such as images, CSS and JavaScript without prior authentication. Our JavaScript had comments in…
Wes