ASP.NET Web API and potential XSS
Information Security
I'm wondering if my ASP.NET Web API had an XSS vulnerability, as my controller didn't have a method to handle the default GET call. Without the GET method being handled in the code, a call to /api/mycontroller/?<script>alert('hi');</script> would result in: {"Message":"No HTTP resource was found that matches the request URI 'http://localhost:8888/api/mycontroller/?'.", "MessageDetail":"No

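An added example, not part of the question above: the practical test for this kind of reflection is whether the payload actually lands in the body and whether a browser navigating to the URL would treat that body as HTML. The response samples below are constructed for the example (modelled on the JSON message quoted in the question, including the variant where the query string is dropped, plus two hypothetical variants that do echo the payload); the header handling is the check a pentester would apply to any Web API error response.

```python
import json

# Constructed samples modelled on the error message quoted in the question;
# none of these is a real capture.
PAYLOAD = "<script>alert('hi');</script>"
URI = "http://localhost:8888/api/mycontroller/?"

SAMPLES = {
    # What the question reports: the query string was dropped, so the
    # payload never reached the body at all.
    "webapi_404": (
        404,
        {"Content-Type": "application/json; charset=utf-8"},
        json.dumps({"Message": f"No HTTP resource was found that matches the request URI '{URI}'."}),
    ),
    # Hypothetical variant: the full URI is echoed, but the body is still JSON.
    "json_echo": (
        404,
        {"Content-Type": "application/json; charset=utf-8",
         "X-Content-Type-Options": "nosniff"},
        json.dumps({"Message": f"No HTTP resource was found that matches the request URI '{URI}{PAYLOAD}'."}),
    ),
    # Hypothetical variant: a custom error page echoes the URI into HTML.
    "html_echo": (
        404,
        {"Content-Type": "text/html; charset=utf-8"},
        f"<html><body>No resource matches {URI}{PAYLOAD}</body></html>",
    ),
}


def media_type(headers):
    """Media type without parameters, lower-cased ('' if no Content-Type)."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def assess(status, headers, body, payload=PAYLOAD):
    """Classify a response: is the payload reflected, and would a browser
    navigating to it render the body as an HTML document?"""
    if payload not in body:
        return "not-reflected"
    mt = media_type(headers)
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    if mt in ("text/html", "application/xhtml+xml"):
        return "reflected-xss"
    if mt == "" and not nosniff:
        # No declared type and no nosniff: the browser may sniff it as HTML.
        return "reflected-sniffable"
    # JSON (or any other non-HTML type) is displayed as text on a direct
    # navigation, not executed; the reflection is still a defect to fix.
    return "reflected-non-html"


def assess_all(samples=SAMPLES):
    return {name: assess(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in assess_all().items():
        print(f"{name}: {verdict}")
```

Run the same check against every content-negotiation variant the endpoint offers (for Web API, at least `Accept: application/xml`), since each formatter produces a separate response with its own encoding behaviour.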
Any eventhandlers that apply to hidden elements?
Information Security
I'm trying to XSS a search field and my attack vector is getting reflected like this: <input type="text" id="txtRpHiddenKeyword" style="display: none;" value="ATTACK VECTOR HERE" /> Only double quotes are allowed and angle brackets are encoded, therefore I can only use event handlers to execute my JavaScript. Problem is that display is set to none, therefore onMouseOver, onClick etc. won't work, so my

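An added example, not from the question above: whatever handler turns out to fire on a hidden element, the root defect is that the page encodes angle brackets but lets a double quote terminate the attribute. The snippet below reproduces that encoding next to the hardened form (attribute-context encoding of `&`, `<`, `>`, `"` and `'`) and scans the rendered tag for attributes the template never defined. The attack string and the `onmouseover` handler name are illustrative only; whether that handler fires on a `display: none` element is the separate question the post asks.

```python
import html
import re

# Constructed attack string in the shape the question describes: no angle
# brackets, just a double quote to close value="" and a new attribute after it.
PAYLOAD = '" onmouseover="alert(1)'

TEMPLATE = '<input type="text" id="txtRpHiddenKeyword" style="display: none;" value="{value}" />'


def render_vulnerable(keyword):
    # Encodes only angle brackets, as the page in the question does: the
    # double quote passes through and terminates the attribute early.
    encoded = keyword.replace("<", "&lt;").replace(">", "&gt;")
    return TEMPLATE.format(value=encoded)


def render_hardened(keyword):
    # Attribute context: encode &, <, >, " and ' so no input can end the
    # quoted value, regardless of what else the filter allows.
    return TEMPLATE.format(value=html.escape(keyword, quote=True))


# Deliberately simple: one tag, double-quoted attributes only.
ATTR_RE = re.compile(r'\s([A-Za-z][\w-]*)="[^"]*"')


def attribute_names(tag):
    """Attribute names a simple scan finds in a single rendered tag."""
    return ATTR_RE.findall(tag)


def injected_attributes(render, keyword, baseline=("type", "id", "style", "value")):
    """Attributes present after rendering that the template did not define."""
    return [a for a in attribute_names(render(keyword)) if a not in baseline]


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD), injected_attributes(render_vulnerable, PAYLOAD))
    print(render_hardened(PAYLOAD), injected_attributes(render_hardened, PAYLOAD))
```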
What is this encrypted with or where can I find examples of encryptions to compare it with? [on hold]
Information Security
I have a hash thingy I am trying to decode and I have done relatively little with encryption, though I would like to try to learn some more. The hash is: 1YMTpavsFq7ykllC3CCsg3e1li31re1nROxuW1wqIqpk and I have no clue what to look for. I already tried MD5 (it failed) and I am going to try AES256, SHA-256, and AES-CBC. I believe it may have something to do with SSL, though I'm not sure. EDIT: I believ

How much can I trust Tor?
Information Security
Greetings. How much can I depend on Tor for anonymity? Is it completely secure? My usage is limited to accessing Twitter and Wordpress. I am a political activist from India and I do not enjoy the freedom of press that the Western countries do. In the event my identity is compromised, the outcome can be fatal.

How to secure SSH agent forwarding on Windows?
Information Security
I'm trying to configure SSH agent forwarding. The workstation that starts the connection is Windows; the intermediate and second hosts are Linux. On Windows, I managed to make it work using Pageant. But I don't like the fact that once a key is loaded, there is no way to lock it and force a user to re-enter his password after a few seconds, for instance. So I tried to open the private key using Putt

Should an administrator be able to turn off TFA for a user?
Information Security
We use Google Authenticator and SMS for two-factor authentication. Should we allow the administrators of the site to turn off TFA for users? Google Auth uses SMS as a backup option, but SMS does not have a backup, and when the user cannot receive SMS for whatever reason he/she cannot log in. I know we can back up SMS with voice calls, but these situations might still arise.

Is it possible to steal a non-secure cookie when the web server (IIS) only allows HTTPS?
Information Security
Is it possible to steal a non-secure cookie (Secure flag is false) when the web server (IIS) only allows HTTPS?

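An added example, not part of the question above, showing why the server's own HTTPS-only policy does not protect a cookie that lacks the Secure flag: the browser decides what to send based on the flag, not on what the server would accept. Using only the standard library's cookie jar (which implements the same rule browsers do), two constructed Set-Cookie headers are stored from an HTTPS login response and the jar is then asked what it would attach to a plain `http://` request for the same host. The host name, cookie names and values are made up for the example.

```python
import email
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, raw_headers):
        self._headers = email.message_from_string(raw_headers)

    def info(self):
        return self._headers


# Constructed Set-Cookie headers, as an HTTPS-only site might send them:
# the session cookie is missing the Secure flag, the second one has it.
LOGIN_RESPONSE_HEADERS = (
    "Set-Cookie: ASP.NET_SessionId=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: AuthToken=xyz789; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)


def jar_after_login(host="example.com"):
    """Cookie jar in the state a browser is in after the HTTPS login response."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(f"https://{host}/login")
    jar.extract_cookies(_Response(LOGIN_RESPONSE_HEADERS), login)
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return set()
    return {part.split("=", 1)[0] for part in header.split("; ")}


if __name__ == "__main__":
    jar = jar_after_login()
    print("https://example.com/ ->", cookies_sent_to(jar, "https://example.com/"))
    # Anything that makes the browser fetch http://example.com/ (an <img> on
    # an attacker's page, a captive portal, a typed URL) puts this on the wire
    # in clear text, whether or not the server ever answers on port 80.
    print("http://example.com/  ->", cookies_sent_to(jar, "http://example.com/"))
```

The request to `http://example.com/` carries `ASP.NET_SessionId` but not `AuthToken`: the Secure flag is the control that keeps a cookie off plaintext connections, independent of what the server accepts. HSTS narrows the window further by making the browser upgrade the request before it is sent, but only once the browser has seen the policy (or has the host preloaded).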
NaCl: US Export Regulations
Information Security
I'm in charge of product security in our US-based startup and I plan to use NaCl for encryption (well, Sodium, actually). I'm trying to navigate the labyrinth of US export regulations, something I never dealt with before. By now I'm aware that encryption export from the United States is governed by the EAR and BIS. The latter classifies software containing encryption, and assigns each product t

For someone who has a key and ciphertext, is it possible to find out what encryption algorithm was used?
Information Security
I am new to cryptography, and while learning, different questions pop up in my mind. Here is one of them. For someone who has a key and ciphertext, is it possible to find out what encryption algorithm was used?

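An added example serving both the "what is this encrypted with" post above and this one; it is not part of either question. Neither a hash nor a ciphertext announces its algorithm, so the honest first step is triage by structure: which strict decodings an opaque string survives and how many bytes each yields (compared with common digest, key and block sizes), and for a key plus ciphertext, which block sizes divide the length, what the key length admits, and whether any ciphertext blocks repeat (a sign of ECB). The string from the earlier post is used as input; the size table and the verdicts it supports are my own, and real identification still ends with trial decryption against each remaining candidate, which needs a crypto library and is not done here.

```python
import base64
import string
from collections import Counter

HEX = set(string.hexdigits)
B64 = set(string.ascii_letters + string.digits + "+/=")
B64URL = set(string.ascii_letters + string.digits + "-_=")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Byte lengths that common digests, keys and blocks decode to (my own table).
KNOWN_SIZES = {
    8: ["DES/Blowfish block"],
    16: ["MD5 digest", "AES-128 key", "16-byte block or IV"],
    20: ["SHA-1 digest"], 24: ["3DES or AES-192 key"], 28: ["SHA-224 digest"],
    32: ["SHA-256 digest", "AES-256 key"], 48: ["SHA-384 digest"], 64: ["SHA-512 digest"],
}


def b58decode(s):
    """Bitcoin-style base58: leading '1' characters encode leading zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw


def candidate_decodings(s):
    """Every strict decoding that succeeds, as (encoding, raw bytes) pairs.
    Alphabets overlap, so a string can legitimately appear more than once."""
    chars, out = set(s), []
    if chars <= HEX and len(s) % 2 == 0:
        out.append(("hex", bytes.fromhex(s)))
    if chars <= set(B58_ALPHABET):  # base58 has no 0, O, I or l
        out.append(("base58", b58decode(s)))
    if chars <= B64 and len(s) % 4 == 0:
        try:
            out.append(("base64", base64.b64decode(s, validate=True)))
        except ValueError:
            pass
    elif chars <= B64URL and len(s) % 4 == 0:
        try:
            out.append(("base64url", base64.urlsafe_b64decode(s)))
        except ValueError:
            pass
    return out


def describe_token(s):
    """Length, and for each plausible decoding the byte count and what it matches."""
    return {
        "length": len(s),
        "decodings": [(enc, len(raw), KNOWN_SIZES.get(len(raw), []))
                      for enc, raw in candidate_decodings(s)],
    }


def describe_ciphertext(ct, key):
    """With key and ciphertext in hand, narrow the algorithm family by
    structure before spending time on trial decryptions."""
    facts = {"key_bits": len(key) * 8, "key_sizes": KNOWN_SIZES.get(len(key), []),
             "block_sizes": [], "repeated_blocks": {}}
    for bs in (8, 16):
        if len(ct) % bs == 0:
            facts["block_sizes"].append(bs)
            blocks = [ct[i:i + bs] for i in range(0, len(ct), bs)]
            # Identical ciphertext blocks under one key point at ECB mode.
            facts["repeated_blocks"][bs] = sum(c - 1 for c in Counter(blocks).values())
    if not facts["block_sizes"]:
        facts["note"] = "not a multiple of 8 or 16: stream cipher, CTR/CFB/OFB, or extra IV/tag bytes"
    return facts


if __name__ == "__main__":
    print(describe_token("1YMTpavsFq7ykllC3CCsg3e1li31re1nROxuW1wqIqpk"))
    # Constructed ciphertext with one repeated 16-byte block, and a 32-byte key.
    print(describe_ciphertext(bytes(16) * 2 + b"\x01" * 16, bytes(32)))
```

For the string from the earlier post the only strict decoding is base64, to 33 bytes: not a hex digest (MD5 would be 32 hex characters, SHA-256 64), and not a base64 SHA-256 either, which is 32 bytes and would end in `=`. That rules things out; it does not say what the value is, and nothing in it connects it to AES, which is a cipher rather than a hash in any case.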
Google OpenID Connect and ID token
Information Security
I am wondering if it is safe to send the "id token", which is one of the items that result from authenticating a user using Google OpenID Connect, to the client and use it for further authentication. The other item that is significant is the access token. My idea was to send the id token to the client, and keep the access token only on the server, so that when a user comes next time to the website they

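An added example, not part of the question above: whatever the server does with the ID token afterwards, it must first verify the RS256 signature against Google's published keys and then check the claims. The block below covers the claim checks with the standard library only (issuer, audience, expiry, issue time, nonce, subject); signature verification needs a JWT/JOSE library and is deliberately outside this block, and the token it builds is an unsigned stand-in with a placeholder signature, constructed for the example. The client ID, subject and timestamps are made up.

```python
import base64
import json
import time

# Google documents both forms of the issuer claim.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_id_token(claims):
    """Constructed token for the example only: a real Google ID token is
    RS256-signed; this one carries a placeholder in the signature slot."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_parts(id_token):
    """Split a compact JWT into (header dict, claims dict, raw signature part)."""
    header_b64, payload_b64, signature_b64 = id_token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)),
            signature_b64)


def check_claims(claims, client_id, now=None, expected_nonce=None, leeway=60):
    """Claim checks that follow (never replace) signature verification.
    Returns the names of the claims that failed; empty means accept."""
    now = time.time() if now is None else now
    failed = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        failed.append("iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        failed.append("aud")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now - leeway:
        failed.append("exp")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + leeway:
        failed.append("iat")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        failed.append("nonce")
    if not claims.get("sub"):
        failed.append("sub")
    return failed


if __name__ == "__main__":
    # Constructed claim set; 'sub' is the stable user identifier to key a
    # server-side session on, once the token has been verified.
    sample = {"iss": "https://accounts.google.com", "aud": "my-client-id",
              "sub": "1234567890", "iat": 1000, "exp": 4600, "nonce": "n1"}
    _, claims, _ = jwt_parts(make_unsigned_id_token(sample))
    print(check_claims(claims, "my-client-id", now=2000, expected_nonce="n1"))  # []
    print(check_claims(claims, "my-client-id", now=9000))                       # ['exp']
```

The `exp` check is also why the token is a poor fit as a returning-user credential: it is a short-lived proof that Google authenticated this `sub` for this `aud`, consumed once by the server, which then issues its own session tied to `sub` and keeps the access token server-side as the question proposes.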