security

Detecting people sharing login / account information for a website

☆樱花仙子☆ submitted on 2020-05-10 03:25:25
Question: I have a website that contains a secure area accessible by logging in with account info. Within the secure area, I have some expensive IP. I have been finding that people are sharing their passwords with other people. Are there any existing technologies / solutions / methods that I can implement to detect fraud patterns? Thanks in advance for the help. Answer 1: Check the geographical region. If, within some timeframe, there are multiple logins from regions geographically far apart, then you know those
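
The geographic check the answer starts to describe, as an added example that is not part of the original question or answers: an "impossible travel" rule over consecutive logins of the same account, plus a second rule (many distinct client IPs inside one day) that catches sharing within a single city, which the distance rule cannot see. The login records, IPs and coordinates are constructed; the code assumes each login already carries a lat/lon for its client IP (the GeoIP lookup itself is outside the example).

```python
"""Two signals for shared accounts, run over constructed login records.

Added example, not part of the original question or answer. It assumes each
login record already carries a client-IP geolocation (lat/lon in degrees);
how that lookup happens (e.g. a GeoIP database) is outside this snippet.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(logins):
    """Group logins per user, each group sorted by time."""
    groups = {}
    for login in sorted(logins, key=lambda l: l.when):
        groups.setdefault(login.user, []).append(login)
    return groups


def impossible_travel(logins, max_kmh=900.0, min_km=100.0):
    """Flag consecutive logins that imply travelling faster than max_kmh.

    Returns (user, earlier_ip, later_ip, km, hours) tuples. Hops shorter than
    min_km are ignored so that GeoIP jitter inside one city does not alert.
    """
    alerts = []
    for user, seq in _by_user(logins).items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            if hours == 0 or km / hours > max_kmh:
                alerts.append((user, prev.ip, cur.ip, round(km), round(hours, 2)))
    return alerts


def many_ips(logins, window=timedelta(days=1), threshold=3):
    """Users that logged in from >= threshold distinct IPs within any window.

    Catches sharing inside one region, which impossible_travel cannot see.
    Returns {user: max distinct IPs seen in a single window}.
    """
    flagged = {}
    for user, seq in _by_user(logins).items():
        start = 0
        for end in range(len(seq)):
            while seq[end].when - seq[start].when > window:
                start += 1
            ips = {l.ip for l in seq[start:end + 1]}
            if len(ips) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(ips))
    return flagged


def _t(hhmm):
    return datetime.strptime(f"2020-05-09 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample: documentation-range IPs, coordinates are rough city centres.
SAMPLE_LOGINS = [
    Login("alice", _t("08:00"), "203.0.113.10", 40.71, -74.01),  # New York
    Login("alice", _t("09:00"), "198.51.100.7", 51.51, -0.13),   # London, 1 h later
    Login("bob",   _t("08:00"), "198.51.100.20", 48.86, 2.35),   # Paris
    Login("bob",   _t("20:00"), "203.0.113.44", 40.71, -74.01),  # New York, 12 h later
    Login("carol", _t("10:00"), "192.0.2.9", 52.52, 13.41),      # Berlin
    Login("carol", _t("10:30"), "192.0.2.10", 52.56, 13.41),     # about 4 km away
    Login("dave",  _t("07:00"), "192.0.2.21", 52.52, 13.41),     # four IPs, one city, one day
    Login("dave",  _t("12:00"), "192.0.2.22", 52.52, 13.41),
    Login("dave",  _t("18:00"), "192.0.2.23", 52.52, 13.41),
    Login("dave",  _t("22:00"), "192.0.2.24", 52.52, 13.41),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
    for user, n in many_ips(SAMPLE_LOGINS).items():
        print(f"many IPs: {user} used {n} addresses within a day")
```

On the sample, only alice trips the travel rule (New York to London in one hour) and only dave trips the IP-count rule; bob's twelve-hour Paris to New York hop is a plausible flight and carol's two logins are inside one city. Thresholds such as 900 km/h, 100 km and three addresses per day are starting points to tune against your own user base, and both rules are signals to corroborate (device fingerprint, concurrent sessions) rather than grounds to lock an account on their own.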

Does a *.example.com for a content security policy header also match example.com?

末鹿安然 submitted on 2020-05-09 01:23:28
Question: Say I have this header set on mywebsite.com : Content-Security-Policy: script-src self https://*.example.com I know it will allow https://foo.example.com and https://bar.example.com , but will it allow https://example.com alone? Looking at the spec.... Hosts such as example.com (which matches any resource on the host, regardless of scheme) or *.example.com ( which matches any resource on the host or any of its subdomains (and any of its subdomains' subdomains, and so on)) ...it seems as it
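
To make the spec text concrete, here is an added example (not from the question or its answers) that implements the CSP Level 3 host-source matching rules for plain host expressions: scheme part (with the http-to-https upgrade the spec allows), host part (where `*.example.com` matches only hosts ending in `.example.com`, so the bare `example.com` does not match), port part and path part. Keyword sources such as `'self'` are deliberately not handled; the page scheme is assumed to be https when an expression has no scheme.

```python
"""Does a CSP host-source such as https://*.example.com match a given URL?

Added example, not from the question or its answers. It implements the
host-source matching rules of CSP Level 3 (scheme, host, port and path parts)
for plain host expressions; keyword sources like 'self' and 'nonce-...' are
not handled. The page scheme (assumed https) stands in for a scheme-less
expression.
"""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# An expression scheme also matches its secure upgrade (CSP3 scheme-part match).
UPGRADES = {("http", "https"), ("ws", "wss")}


def _parse_source(expr):
    """Split 'scheme://host:port/path' into parts (missing parts are None or '')."""
    scheme = None
    rest = expr
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme = scheme.lower()
    path = ""
    if "/" in rest:
        rest, tail = rest.split("/", 1)
        path = "/" + tail
    port = None
    if ":" in rest:
        rest, port = rest.rsplit(":", 1)
    return scheme, rest.lower(), port, path


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_source_matches(expr, url, page_scheme="https"):
    scheme, host_pat, port_pat, path_pat = _parse_source(expr)
    u = urlsplit(url)
    u_scheme = u.scheme.lower()
    u_host = (u.hostname or "").lower()

    # scheme-part: the expression's scheme, or the page's scheme if none was given
    want = scheme or page_scheme
    if want != u_scheme and (want, u_scheme) not in UPGRADES:
        return False

    # host-part: '*' matches any host; '*.x' matches hosts ending in '.x'
    # (strictly subdomains, so x itself is NOT matched); otherwise exact match.
    if host_pat == "*":
        pass
    elif host_pat.startswith("*."):
        if not u_host.endswith(host_pat[1:]):
            return False
    else:
        if u_host != host_pat:
            return False
        if _is_ip(u_host) and u_host != "127.0.0.1":
            return False  # CSP3: IP addresses other than 127.0.0.1 never match

    # port-part: an absent port means the URL must use its scheme's default port
    u_port = u.port if u.port is not None else DEFAULT_PORTS.get(u_scheme)
    if port_pat is None:
        if u_port != DEFAULT_PORTS.get(u_scheme):
            return False
    elif port_pat != "*" and str(u_port) != port_pat:
        return False

    # path-part: a trailing '/' is a prefix match, anything else is exact
    if path_pat and u.path:
        if path_pat.endswith("/"):
            if not u.path.startswith(path_pat):
                return False
        elif u.path != path_pat:
            return False
    return True


if __name__ == "__main__":
    # The source list from the question's header, taken verbatim (unquoted self).
    policy_sources = ["self", "https://*.example.com"]
    for target in ("https://foo.example.com/a.js", "https://example.com/a.js",
                   "https://mywebsite.com/a.js"):
        allowed = any(host_source_matches(s, target) for s in policy_sources)
        print(f"{target}: {'allowed' if allowed else 'blocked'}")
```

Running it shows `https://foo.example.com/a.js` allowed and `https://example.com/a.js` blocked; if both are needed, list both `https://example.com` and `https://*.example.com`. The third URL illustrates a separate trap in the header as written: an unquoted `self` is parsed as a host named `self`, so the site's own scripts are not allowed either; the keyword must be written `'self'` with the quotes.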

Veracode XML External Entity Reference (XXE)

天大地大妈咪最大 submitted on 2020-05-08 03:52:11
Question: I've got the following finding in my Veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611), referring to the code below ... DocumentBuilderFactory dbf=null; DocumentBuilder db = null; try { dbf=DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setExpandEntityReferences(false); dbf.setXIncludeAware(false); dbf.setValidating(false); dbf.newDocumentBuilder(); InputStream stream = new ByteArrayInputStream

Has Hardware Lock Elision gone forever due to Spectre Mitigation?

*爱你&永不变心* submitted on 2020-05-07 03:48:57
Question: Is it correct that Hardware Lock Elision is disabled on all current CPUs due to Spectre mitigation, and that any attempt to have a mutex using HLE intrinsics/instructions would result in a usual mutex? Is it likely that there will not be anything like HLE mutexes in the future, to avoid vulnerabilities like Spectre? Answer 1: So, TSX may be disabled not to mitigate Spectre, but as part of another vulnerability mitigation, TSX Asynchronous Abort (TAA). Here's the relevant article on the Intel website: Intel®

Trying out Docker's root user mapping

浪子不回头ぞ submitted on 2020-05-02 04:17:15
### 2016/07/01: To restrict the privileges of the user inside a container, there are two approaches:

Make yourself an ordinary mortal inside the container (this approach does not suit containers that genuinely need root). Concretely, specify the uid:gid of the user inside the container so that no root user exists there at all.

$ docker run -it -u 1000:1000 ubuntu
groups: cannot find name for group ID 1000    # this error is harmless
I have no name!@fcaadb40ddd0:/$ id            # run id to see the result
uid=1000 gid=1000 groups=1000

(The uid:gid here differs from the host's; I am not entirely clear on how the two are linked. Usually this is enough, but some application may need root privileges, and then the method described next is needed to restrict them.)

Make yourself the Jade Emperor inside the container, but this Jade Emperor and all the mortals are mapped onto a lowly, even empty, patch of identities in the vast universe. Even if a Sun Wukong inside the container breaks through the limits and makes himself Jade Emperor, he still cannot escape the Buddha's palm. Concretely, map root and the other users inside the container onto a specified range of uid:gid on the host side.

### 2017/01/20: It suddenly occurred to me to check what a process running as root inside a container actually looks like from the outside. It is a process. But under what user identity? Also root, just with heavily restricted capabilities; in theory it is still dangerous.

Deny Direct Access to JavaScript Files in IIS Web Server

大憨熊 submitted on 2020-04-30 12:25:46
Question: I have a web application which is in PHP and JavaScript. If someone tries to enter the path of a JavaScript file in the browser, the complete JavaScript is displayed in the browser. For example: http://myserver.com/MyApp/app/view/baseView.js , this returns the source code of that particular JavaScript file. Can I restrict this? I am using Windows IIS 7.5 Web Server. I have tried doing this in the main web.config file: <security> <authorization> <remove users="*" roles="" verbs=""

What are security concerns around use of canvas.toDataURL?

本小妞迷上赌 submitted on 2020-04-30 11:34:13
Question: What security threats would canvas.toDataURL generate in general? What measures do we have to take to make use of it secure and threat-free on our website? In the following links there are discussions around the security error that .toDataURL raises if the image is not hosted locally, but why is that? canvas.toDataURL() causing a security error Capture HTML Canvas as gif/jpg/png/pdf? Answer 1: You may be aware of the same-origin policy. In essence, it's a security mechanism employed by browsers to make