Most voted "security-guard" questions
This tag is used for security related issues and attacks against the software application.
Learn more…395 questions
Sort by count of
-
384
votes9
answers31327
viewsHow to hash passwords safely?
If I do the hash of passwords before storing them in my database is enough to prevent them from being retrieved by someone? I’m just talking about the recovery directly from the database and not any…
-
156
votes7
answers20768
viewsHow to protect source code?
I am thinking of making an application to sell, I would like to know how to protect my source code to keep my software safe. I saw the Java bytecodes, stored in the file .class are easily converted…
-
106
votes6
answers32253
viewsWhat is the best way to create a PHP login system
I’m making a small system, and to access it, the user enters the login and password. What is the best way - safe and simple- to do the login and password system?
-
55
votes3
answers51454
viewsHow does the AES encryption algorithm work?
I’d like to understand how the encryption algorithm works AES (Advanced Encryption Standard). I seek didactic answers, which make me understand the processes used by the algorithm step-by-step,…
-
52
votes1
answer1763
viewsCan the IP address be forged?
When a client connects to my server, can I trust that the IP address I have access to (every/framework/etc language used in web applications exposes the client’s IP in some way) is really that…
-
51
votes1
answer7183
viewsWhat is it and what is JWT for?
I saw in some comment here on the site, in some question, talking about JWT to solve an authentication problem. I had seen the term vaguely before and I thought it was something from Java (hehehe).…
-
46
votes3
answers1348
viewsShould systems force the user to create a strong password?
I’ve been wondering why some systems require such strong passwords. Example: Minimum of 8 Characters Uppercase and Minuscule Numbers Special Characters In many places they say that strong passwords…
-
45
votes3
answers4342
viewsWhat is the difference between encryption, encryption and hash calculation?
I see a lot of confusion on the site about the terms. In the context of security of data what would be encoding, Encrypting and hashing and in which contexts each should be used? In particular, does…
-
44
votes4
answers3861
viewsWhat are the risks of using permission 777?
Always when I have folder permissions problem on my Ubuntu operating system, I usually give permission 777 for a particular folder. I usually do this in the development environment. In some…
-
42
votes2
answers5738
viewsWhat is PHP Injection? How does it differ from SQL Injection? And how do you avoid it?
What is PHP Injection? What difference does it make to SQL Injection? How to avoid PHP Injection in my application? What are the main forms of PHP Injection type attack? Updating Observing:…
-
42
votes5
answers2375
viewsShould I show generic error messages like, wrong password or user, or specific messages?
It is common in many systems when entering the user and the incorrect password, the system informs us that one of them is wrong, but not exactly what (it happens also here in Stack Overflow). Does…
-
39
votes3
answers859
viewsI am suffering attacks of type SQL Injection
Ever since I started an online project, I’ve been having problems with hacking, where someone is making direct entries into the database. This is what gave me the initiative to put in all the…
-
38
votes3
answers1203
viewsWhy do parameterized SQL queries (name = ?) prevent SQL Injection?
Why parameterized SQL queries(nome = ?) previnem SQL Injection? Can cite examples?
-
35
votes3
answers1996
viewsWhat do I need to do to measure password strength?
Often we need to accept the input of passwords by users. In general we cannot accept any password that can be easily attacked, probably by Brut force (gross force) or similar techniques. It is…
-
34
votes2
answers2030
viewsHow does a birthday attack work?
I’ve heard of a technique called that, and something about exploring hash collisions. But how does this technique work, and where it can be applied?
-
31
votes5
answers3608
viewsCan the browser "remember" a password programmatically?
I am developing an application where from a password provided by the user a pair of keys (authentication and encryption) is derived. The password itself is never sent to the server, only the…
-
31
votes2
answers5413
viewsWork with Session without cookies to prevent session theft
When the session is started, it creates a cookie with PHPSESSID, making the ID public. Knowing that to prevent session hijacking it is best to hide the session ID from other users, then PHPSESSID…
-
30
votes6
answers1117
viewsAlgorithm against Brute-force
I’ve been thinking about an algorithm against attacks like Brute-force which, as we have seen in case of iCloud, can generate great headaches if treated with indifference. Initially I thought of…
-
29
votes1
answer1107
viewsWhat is Null Byte Injection? How to avoid it?
What would that be Null Byte Injection? How to avoid it?
-
29
votes3
answers880
viewsWhat are the security impacts of a site that has an invalid certificate?
Many Brazilian government websites often do not have valid safety certificates. Examples: https://www.ibama.gov.br/ (expired) https://www.ibge.gov.br/ (auto-signed, invalid URL)…
-
29
votes2
answers539
viewsHow does antivirus scan my program?
I had a class in college that left me "kind of" puzzled, my teacher was talking about the differences of interpreted languages and compiled languages and pointed out that interpreted languages could…
-
28
votes2
answers12475
viewsWhat is the Antiforgerytoken?
What is the AntiForgeryToken and what it serves as in an ASP.NET MVC application?
-
26
votes3
answers568
viewsCompute secure data randomly
Random functions are not entirely random in computation. I wonder if there is a safe way to generate a salt, or any other random string safely, without using external hardware. Can randomization be…
-
26
votes3
answers8116
viewsHow does the session work in web browsers?
A session allows, for example, that I allow the user to remain logged in, saving the information of who is logged in (username, for example). I believe it’s something more elaborate than cookies,…
-
23
votes3
answers599
viewsIs mixing HTTP with HTTPS a problem?
On my website I am using links normal HTTP, but where it contains data transaction, as in forms, for example, use HTTPS which is from a shared SSL certificate provided by my hosting server. I don’t…
-
20
votes3
answers1686
viewsAre there safer languages than others?
Are some languages safer than others? Or does this not depend on the language but on the programmer? The language in which a program is programmed interferes with its security, regardless of the…
-
20
votes4
answers2408
viewsWhat is buffer overflow?
Whenever I use the function gets() the compiler returns me the following warning: Function is Dangerous and should not be used Translation: this function is dangerous and should not be used I hear a…
-
20
votes3
answers3434
viewsWhat does "sanitize" data mean?
I’m making a form, and I’m doing the validation part... I see the term a lot sanitize or sanitizar, what it means? I’ve even seen some functions in the php that carry this term in their parameters.…
-
20
votes2
answers907
viewsWhat is HTTP Response splitting?
Reading about HTTP headers I ended up coming across a function filter that removed both invalid characters from the header field value (header field), how many multiple characters CRLF. This second…
-
19
votes2
answers526
viewsWhat is two-factor authentication?
What is two-factor authentication? Or multiple-factor authentication? This expression usually comes from "associated" to large companies - such as Google, Facebook, etc - that have a login and…
-
18
votes5
answers3306
viewsForm submission security in HTTP header
After some tests on the site of Yahoo and Facebook I realized that after filling in my username and password and clicking on Login, with the developer tools opened in the option Network (Chrome or…
-
18
votes2
answers5391
viewsWhat is the HMAC?
When working on a project that uses sha256 and security keys, I came across the term hmac. I’m still not quite sure what this is about, and I’d like to understand a little more. I have the following…
-
18
votes3
answers1013
viewsWhat is blockchain and how does it work?
What is blockchain and how it works? In which contexts, outside cryptocurrencies, it can be implemented and why would it be feasible to implement it in these contexts?
-
17
votes5
answers625
viewsAllow or not allow end spaces in passwords?
The @dvd answered about password validation in Javascript. In his reply, he suggested removing spaces from the ends when validating the size: It is interesting [to validate the password size] also,…
-
16
votes2
answers2178
viewsConcept of Man-in-the-Middle attack
Conceptually speaking, what is an attack Man in the middle, more commonly known as man-in-the-Middle Attack?
-
16
votes1
answer2380
viewsXSS attacks, how does it happen?
Recently a client was the victim of XSS attacks. We handle all the faulty inputs, but I can’t understand how malicious javascript code was inserted into the files ". js" on the server. How they…
-
16
votes1
answer511
viewsWhat is the technique of hiding components to ensure information?
I missed the name of this technique in which the person responsible for development rather than dealing with the problem simply hides it. Example: I have a button that when clicked causes a DROP…
security-guardasked 9 years, 11 months ago Renan Gomes 19,011 -
16
votes3
answers2621
viewsWhat is end-to-end encryption
I hear a lot about this cryptography business end-to-end but I can’t quite understand why it’s called the "safest option for privacy". I have doubts and enumerated them, see: What is? How it works?…
-
16
votes4
answers8313
viewsIs using addslashes against SQL injection safe?
Use the addslashes() is it really safe against SQL injection? If not, tell me why. I’ll wear mine like this addslashes() <?php $id = addslashes ( $_GET ["id"] ) ; /* Adicionei as barras */ echo…
-
16
votes1
answer462
viewsSecurity - Syscall inside shellcode does not run
I’m studying information security and doing experiments trying to exploit a classic case of buffer overflow. I succeeded in creating the shellcode, in its injection into the code and its execution,…
-
15
votes4
answers309
viewsHow to deal with a comet process?
Analyzing the linux API I noticed that an interesting structure is possible: #include <unistd.h> #include <stdlib.h> int main() { while (1) { if (fork()) exit(0); // Altera meu pid…
-
15
votes2
answers2622
viewsWhat to save in a login session?
I am developing a login system in PHP and Mysql for an administration panel, and I have seen many "secure" login systems where they store in the session the user login or password, that is when they…
-
15
votes2
answers500
viewsDoes data received from HTTPS come encrypted?
If I install certificate SSL and use HTTPS on my website, for example, I run a form POST, form data arrives encrypted to the server? If yes, how to decrypt using PHP?.…
-
15
votes4
answers15337
viewsSecurity - What is a KEY API?
I’m seeing this word in almost every service application.. What a KEY API really is and what its uses are? How it really works? Also please, if possible, explain the difference between public and…
-
15
votes2
answers567
viewsWhat would CSS Injection Attacks be? Does CSS have security holes?
I was reading a documentation from Mozilla and came across this term CSS Injection Attacks I tried to do some research, but I couldn’t get any information that would make it clear what this type of…
-
14
votes2
answers177
viewsShould I take any action regarding Heartbleed?
As a developer, I have to take some action regarding the Heartbleed? Being a problem in Openssl, I believe it is more within the scope of webmasters, server administrators, etc. But I’m not sure if…
-
14
votes1
answer1251
viewsDemonstrating a slowloris attack on apache server using Python
I have the network dump (file in PCAP format captured with tcpdump) of a "chat" between the attacked server (Apache web server: 192.168.1.2) and the malicious clients: The attack was a simulation in…
-
13
votes3
answers317
viewsWhat are the most common problems and dangers when enabling `register_globals` in php?
I recently asked the following question How the file receives the $_POST? Based on the comments and the answer I was interested to know the main problems and dangers of having this function enabled…
-
13
votes2
answers1520
viewsWhat are the benefits of using HTTPS?
Where I work, people always comment that they have to put HTTPS in the systems to make it safer. I’d like to know: On what the SSL makes a website safer? What are the types of attacks they avoid? In…
-
13
votes3
answers515
viewsCompany can monitor everything employee does on work computer?
Tied to my case /questions/69324/skype-monitoramento I need answers that are based on something beyond the sense of achism, there are people who tell me that is provided for in the law. For example:…