security

问题 so I am trying to secure a web application that I built using spring mvc and security. I currently have the basic username and password from a normal custom login page working using a custom authentication provider to provide the populated authentication object that is verified against a database. What I am wondering is how do I implement a second phase of logging in that uses TOTP? I can get the the TOTP issuing and verification to work, but am unsure how to modify spring security to accept

问题 I have a bash script that I am modifying to accept key=value pairs from stdin. (It is spawned by xinetd.) How can I safely convert those key=value pairs into environment variables for subprocesses? I plan to only allow keys that begin with a predefined prefix "CMK_", to avoid IFS or any other "dangerous" variable getting set. But the simplistic approach function import () { local IFS="=" while read key val; do case "$key" in CMK_*) eval "$key=$val";; esac done } is horribly insecure because

问题 I have a bash script that I am modifying to accept key=value pairs from stdin. (It is spawned by xinetd.) How can I safely convert those key=value pairs into environment variables for subprocesses? I plan to only allow keys that begin with a predefined prefix "CMK_", to avoid IFS or any other "dangerous" variable getting set. But the simplistic approach function import () { local IFS="=" while read key val; do case "$key" in CMK_*) eval "$key=$val";; esac done } is horribly insecure because

问题 I am new to storing passwords on databases and from what I read I have created a simple php script below <?php $salt = openssl_random_pseudo_bytes (16); $password = "test"; $hash = hash ("sha512" , $salt . $password); echo $hash; ?> Am I doing this correctly? Should the salt be stored in databases as byte datatype? Should the final hash be stored at String datatype in database? 回答1: The SHA* algorithms are not appropriate to hash passwords, because they are ways too fast, and therefore can be

问题 I'm trying to sign a string with different certs from MS-KeyStore. But, I know there are imported keys from a token in MS-Keystore. So, my problem is - if I go through the Keystore and try to sign with a cert which has a reference to pkcs11 I get a pop up to enter the pkcs11 password. How can I check if the cert is from my token? Thanks in advance!!! This is my code for now: String alias; byte[] data = "test".getBytes(); char[] pin = "pass".toCharArray(); try { KeyStore ks = KeyStore

问题 Is it possible to inject properties into a JSON-String using PHP json_encode()? Or would be the following example vulnerable: <?php $search = $_GET['q']; $api_call = array('search' => $search); do_my_api_call(json_encode($api_call)); ?> This should output something like {"search":"my input string"} This would be an outcome to avoid: {"search:"my input string","function":"do something weird to my REST-API"} If the second one is possible with a manipulated query, how should I quote the input

问题 Is it possible to inject properties into a JSON-String using PHP json_encode()? Or would be the following example vulnerable: <?php $search = $_GET['q']; $api_call = array('search' => $search); do_my_api_call(json_encode($api_call)); ?> This should output something like {"search":"my input string"} This would be an outcome to avoid: {"search:"my input string","function":"do something weird to my REST-API"} If the second one is possible with a manipulated query, how should I quote the input

问题 I've created a forum which uses a PHP session when logged in to determine the user id, and cookies for log-term login. I suppose I have two questions: Is this the best/securest method? Cookies can be added manually via the address bar with javascript, which is a huge security risk. Is there any way around this? Thanks! 回答1: First, make sure you are using https and not http. This will keep your traffic from getting sniffed and exploited. Secondly, generate as random a value as possible to use

问题 I'm developing a web application using socket.io. I'm currently using the socket id as an identifier which gets broadcast to other clients. Now this raised security concerns as to whether this id could be used to hijack another users session. Unfortunately it is extremely difficult to find any information on this online. So - should the socket id be kept secret or can I safely use it as a public identifier? 回答1: A client cannot do anything with a socket.id directly. So, allowing the id to be

问题 A beginner question, but I've looked through many questions on this site and haven't found a simple, straightforward answer: I'm setting up a Linux server running Ubuntu to store a MySQL database. It's important this server is secure as possible, as far as I'm aware my main concerns should be incoming DoS/DDoS attacks and unauthorized access to the server itself. The database server only receives incoming data from one specific IP (101.432.XX.XX), on port 3000. I only want this server to be