security

问题 I have been helping out some people with their computers and repairing them. One of these people asked me about the safety of storing passwords in the auto form field. I showed them a quick trick on how you can retrieve the password from a simple jQuery call in the console. While working on some websites, I have been trying to figure out a way of preventing the use of this trick to find out what the saved password is. To understand what im talking about if you dont know, try the following.

问题 I am programming a home Web server for home automation. I've seen several times 'bots' scanning the ports of my server. To avoid give any kind of activity signs to undesired scans, I'm trying to avoid generate any kind of answer for specific URLs, like '/', ie. configure a silent mode for the typical scanned URL's. I've tried with void .route decorators, error addressing and void pages, but all of them generated some kind of response. It's that possible in Flask with Python? Any workaround?

问题 I know this is a broad question, but I think I'm missing something here. Is it possible for an attacker to cause damage to a site by simple using inspect element and editing the javascript and html? For example, it seems too easy for someone to change the maxlength of an input, and upload so much data that it could crash the server, I know that it is always good practice to check data at the server but it still seems too easy. Or another more potentially dangerous example is if the attacker

问题 I created a keystore file for my PFX certificates (PKCS#12), but I need to know how many keys can be stored in a keystore file (JKS). I'm currently loading the certificates as follows: KeyStore oStore = KeyStore.getInstance("PKCS12"); oStore.load(new FileInputStream(AppConfig.get(AppConfig.SRC_KEY)), "SECRET".toCharArray()); ... oStore.setKeyEntry(idAlias, privateKey, pwd.toCharArray(), chain); oStore.store(new FileOutputStream(AppConfig.get(AppConfig.SRC_KEY)), "SECRET".toCharArray()); Is

问题 I'm about to use Python.requests to get data from my own online api to my local pc. My api requires authentication which for now is done trough simply posting user/pass: params = {'user': 'username', 'pass':'password'} requests.post(url, params=params) Are this requests safe or is it going to allow a middle-man to capture that user/pass? P.S My api is using a letsencrypt ssl certificate. Python version 3.7.0 回答1: this has nothing to do with the python-requests package, but with the HTTP (and

问题 I'm about to use Python.requests to get data from my own online api to my local pc. My api requires authentication which for now is done trough simply posting user/pass: params = {'user': 'username', 'pass':'password'} requests.post(url, params=params) Are this requests safe or is it going to allow a middle-man to capture that user/pass? P.S My api is using a letsencrypt ssl certificate. Python version 3.7.0 回答1: this has nothing to do with the python-requests package, but with the HTTP (and

问题 The bash builtin read has a flag -s that prevents it from echoing whatever is being read from the commandline. After searching opengroup.org and filtering through all the other meanings for read , I still haven't found a POSIX/portable equivalent. Is there a reasonable way to do this? In bash it's easy enough: $ bash -c 'read -sp "What is your password? " password; printf "\n%s\n" "$password"' What is your password? I'll never tell! But in sh… $ dash -c 'printf "What is your password? "; read

问题 Let's assume some validated data gets passed from one PHP page to another using session parameters. How can I be sure on the second php page, this session data is still the data I validated on the first php page? From what I understand the session data is stored in cookies on the users computer. So what stops the users from injecting corrupted data into that sessions cookie? Because in my scenario I need to rely on the fact, that the data passed to the second page is already validated. So the

问题 The problem sounds elementary in its nature but I cannot find a secure and simple solution. The issue is the following, I have a project and I want to pull dependencies from private git repos to build a runtime environment and remove both SSH key and SSH passphrase afterward. I cannot skip passphrase as it is enforced by git remote repos. I struggle to push the SSH passphrase, so the SSH won't ask for a passphrase I struggle to understand how to do it securely The question of how can I do it,

问题 The problem sounds elementary in its nature but I cannot find a secure and simple solution. The issue is the following, I have a project and I want to pull dependencies from private git repos to build a runtime environment and remove both SSH key and SSH passphrase afterward. I cannot skip passphrase as it is enforced by git remote repos. I struggle to push the SSH passphrase, so the SSH won't ask for a passphrase I struggle to understand how to do it securely The question of how can I do it,