security

What are security concerns around use of canvas.toDataURL?

做~自己de王妃 submitted on 2020-04-30 11:32:13
Question: What security threats would canvas.toDataURL generate in general? What measures do we have to take to make use of it secure and threat-free for our website? In the following links there are discussions around the security error that .toDataURL raises if the image is not hosted locally, but why is that? canvas.toDataURL() causing a security error Capture HTML Canvas as gif/jpg/png/pdf? Answer 1: You may be aware of the same-origin policy. In essence, it's a security mechanism employed by browsers to make
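The reason for the SecurityError, shown as an added example that is not part of the original question or answer: toDataURL() reads pixels back out of the canvas, so if a page could draw any cross-origin image and export it, it could exfiltrate images from sites the user is logged into. Browsers therefore mark the canvas "tainted" once an opaque cross-origin image is drawn, and toDataURL()/getImageData() throw from then on. The first function below models that rule with plain code (the origin comparison is the real one; the header checks follow the CORS rules for crossOrigin="anonymous" and "use-credentials"), and the browser-only helpers show the fix: request the image as a CORS resource so a server that sends Access-Control-Allow-Origin can opt in. All URLs and header values are constructed samples.

```javascript
// Added example, not from the original post. Models the browser's
// tainted-canvas rule so it runs anywhere, plus the browser-side fix.

// Origin = scheme + host + port; the WHATWG URL parser drops default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Outcome of drawing an <img> fetched from imageUrl onto a canvas owned by
// the page at documentUrl:
//   'ok'         - canvas stays clean, toDataURL() works
//   'tainted'    - image draws, but toDataURL()/getImageData() throw SecurityError
//   'load-error' - the CORS request is refused, the image never loads
function drawOutcome(documentUrl, imageUrl, opts = {}) {
  const { crossOrigin = null, allowOrigin = null, allowCredentials = false } = opts;
  if (sameOrigin(documentUrl, imageUrl)) return 'ok';
  if (crossOrigin === null) return 'tainted';          // plain <img>: opaque response
  const pageOrigin = new URL(documentUrl).origin;
  if (crossOrigin === 'anonymous') {
    return allowOrigin === '*' || allowOrigin === pageOrigin ? 'ok' : 'load-error';
  }
  // crossOrigin="use-credentials": a wildcard ACAO is rejected; the server must
  // echo the page origin and send Access-Control-Allow-Credentials: true.
  return allowOrigin === pageOrigin && allowCredentials ? 'ok' : 'load-error';
}

// Browser-only helper (needs Image/DOM): request the image as a CORS resource
// so a compliant server can opt in. crossOrigin must be set before src.
function loadImageForCanvas(url, mode = 'anonymous') {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.crossOrigin = mode;
    img.onload = () => resolve(img);
    img.onerror = () => reject(new Error(`CORS image load refused: ${url}`));
    img.src = url;
  });
}

// Draw and export. A SecurityError here means the canvas was already tainted
// by an earlier drawImage() of an opaque cross-origin image.
async function exportCanvas(canvas, imageUrl) {
  const img = await loadImageForCanvas(imageUrl);
  canvas.getContext('2d').drawImage(img, 0, 0);
  try {
    return canvas.toDataURL('image/png');
  } catch (e) {
    if (e.name === 'SecurityError') return null;
    throw e;
  }
}
```

If the image host does not send Access-Control-Allow-Origin, no client-side setting helps: either proxy the image through your own origin or accept that the canvas cannot be exported.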

Native sql query- SQL Injection Attack

空扰寡人 submitted on 2020-04-30 07:55:50
Question: I'm working with JPA. How could my application be SQL injection safe if I'm using a native SQL query (not an entity query)? I need to build the native SQL query with the data submitted by a user from an HTML form. If I use parameters in the native SQL I can avoid SQL injection attacks, but my problem is that I can't be sure how many data fields are being submitted by the user. Answer 1: You should use positional parameter binding: String queryString = "select * from EMP e where e.name = ?1"; Query

Android broadcast receiver custom permissions

夙愿已清 submitted on 2020-04-30 07:45:08
Question: In view of the security model in Android, I'm trying out custom permissions. I'm trying to enforce broadcaster permissions in my application. The scenario is that I have an activity A, which triggers a broadcast like this (with a permission): Intent updateUserBroadcast = new Intent(); updateUserBroadcast.setAction("android.intent.action.ACTION_UPDATE_USERNAME"); updateUserBroadcast.putExtra("username", userName); sendBroadcast(updateUserBroadcast, "com.android.MaliciousApp.RECEIVE

iOS Swift Diffie-Hellman key exchange to encrypt and decrypt messages? using Secure Enclave

时光总嘲笑我的痴心妄想 submitted on 2020-04-30 07:11:51
Question: How can I use the Diffie-Hellman key exchange to encrypt and decrypt messages? I'm able to generate the shared keys (for both Bob and Alice), but SecKeyCopyKeyExchangeResult returns a Data. How can I get a SecKey to use with SecKeyCreateDecryptedData and SecKeyCreateEncryptedData? So I think I should extract the SecKey somehow from the shared data so I can do symmetrical encryption/decryption. The code so far is: let bob_shared_secret: NSData = generateSharedKey_ecdh(publicKey:

How do I prevent session hijacking by simply copy a cookie from machine to another?

非 Y 不嫁゛ submitted on 2020-04-29 07:15:22
Question: Most web applications use cookies to manage the session for a user and allow you to stay logged in even if the browser was closed. Let's pretend we did everything by the book to make sure the cookie itself is safe: encrypt the content, set HttpOnly, set Secure, SSL is used for the connection, we check for tampering with the content of the cookie. Is it possible to prevent someone with physical access to the machine from copying the cookie and reusing it on another machine and thus stealing the session?

Examples of commonly used iptables defensive rules

醉酒当歌 submitted on 2020-04-25 13:23:23
1. Use the connlimit module to control the volume of concurrent access (CC / DoS):

iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j LOG --log-prefix "WEB Attack"

Example configuration:

*filter
-A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j LOG --log-prefix "WEB Attack"
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Note that LOG is a non-terminating target: the first rule only writes a log line when a source address has more than 10 connections to port 80, and the later rule for NEW connections to port 80 still accepts them. To actually cap concurrency, a second rule with the same connlimit match and a DROP or REJECT target has to follow the LOG rule.

[Result screenshot] [Effect screenshot] sudo

Secured connection between app and server

◇◆丶佛笑我妖孽 submitted on 2020-04-18 03:55:55
Question: I tried this code to connect my Ionic app to the API server (GET): import { Injectable } from '@angular/core'; import { HttpClient } from '@angular/common/http'; import { Observable } from 'rxjs'; import { map } from 'rxjs/operators'; @Injectable({ providedIn: 'root' }) export class EncryptionService { url = 'https://api.am....com'; api-key='......' constructor(private http: HttpClient) { } newcheck(checkid: string ,cost: string,toname: string,tocode: string,passcode: string,date: string,checkfor:

What kind of JavaScript protection is usually applied on fields to prevent value injection?

若如初见. submitted on 2020-04-17 23:30:35
Question: There is a certain website with a certain login form which includes two fields: username and password. I can successfully inject data with vanilla JavaScript into the first field: document.querySelector("#username").value = "USERNAME"; But when I try to inject a password: document.querySelector("#password").value = "PASSWORD"; I get an error: VM1766:1 Uncaught TypeError: Cannot set property 'value' of null at :1:45 My problem: I double-checked whether the field exists as is, and it does indeed exist