Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
Improve this question
Is there any way you can be sure that web application you want to register on is encrptying your passwords and not sotirng them in plain text (where admin can read them or attacker could easily get them)?
Unless you are able to read the source code of the script processing your password, there is no way to know what's happening to it behind the scenes.
But there are some things about security you can find out on the client side, just to get a feel about the kind of security level this web application adheres to.
Check if the website is using a valid SSL certificate. This already tells you something on how feasible it is for someone to do network sniffing.
Have a look in the HTML source, and see how the form submitting your data is built. Is it using a POST request and not a GET?
Register with a fake account and check your cookies. Do you see anything that looks like your session information is saved in plain text or base64? And if something looks like base64 (the string ends with = or ==), decode it and see what the string really contains.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 6 years ago.
Improve this question
I did an interesting experiment today.
I opened Amazon.com in my browser, logged in, brought up Fiddler, and tried to add a brand new credit card.
I typed in my credit card number, expiration, and card holder name. When I submitted the request I didn't see any POST to Amazon in Fiddler. The UI said there was a problem submitting my information, and that I should try again.
I repeated it and got the identical response.
I shut down Fiddler and hit submit. My information was accepted instantly.
I'd like to know how Amazon accomplished this feat. Is it common knowledge? Is there an HTTP header involving certificates that makes it easy?
I think it is certificate pinning or something like it. Server certificate is pinned in application, so app accept only it, not any other certs even they are valid.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I have a business idea where clients would enter some information in on a Software as a service type interface by filling out some web forms. The information they entered in would then be saved to my database. I am comfortable with this part, however I would like to be able to have clients put a small almost stupidly simple code snippet on their web page and be able to push content to their web page in a content div. I guess I could just send them a .php file to upload to their root and a single include line to write but I would prefer not to do this sort of thing since I don't really want to be mailing out proprietary code snippets with my DB information.
Are there any suggestions for how to implement the content push that are both extremely simple for clients to put on a web page but at the same time very private in the way the code is pushed?
I don't know if I understood your question really well but...
Isn't the answer to your problem a webservice? You could create a webservice that receives some sort of "password" and if the password is right you return the data JSON/XML formatted.
But you are talking about push, that means that when your server have new information you want to notify your client's server about the new information. I would say that what you should do in that case is make a request to the client server notifying them that you have "new stuff" and then after they have been notified they simply go ahead and use your webservice (mentioned above) and update their data.
I hope this answer your question or gives you and idea of how to do it.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I'm creating a browser based image cloud service and every user will have his own picture folder.
My question is how to make sure, other users or hackers can not access foreign folders.
What is to consider?
Is it e.g. enough to check session-variables?
Thanks in advance!
I'm not 100% sure what you mean by just checking the session-variables.
I would create a setup like this:
\root
\userImages
\user1
\img1.png
\img2.png
\user2
\img1.png
\img2.png
\public
\index.php
I'm assuming you would use PHP or ASP.NET or something similar that uses some type of server like nginx or apahce. You can set the server root to the public folder. This means only your code would have access to the user images.
You can use PHP or whatever language to look at the session information and see if the user is authenticated. If you can, I would recommend encrypting the cookie data with Mycrypt. Once you have checked the authentication, you can get the file with a script and send back header information. Here's a really in depth article that I think would help you if you actually want a how-to. Protecting Images with PHP
If you are using PHP, Laravel handles sessions and protecing images really nicely.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Improve this question
I am wanting to develop an app that is totally client side. But my main issue is that,
IS DATABASE INTERACTION POSSIBLE ?
So, the final answer is NO!
Client-side scripting, is designed to manipulate and display the content, returned from the server.
Use of Client-Side scripts(eg; JavaScript) is to decrease the bandwidth usage, not to interact frequently with database.
By definition if a site/app is totally client side (no server side code at all) then no, no interaction with a server (and therefore a database) is possible.
From what I can see, what you want is a site where all the interaction is client side (possibly a single screen with no refreshes?). If so, the answer is yes. You can write jQuery/javascript to fire off server side pages that take data from the client side and then interact with the database.
Pages can be written in HTML with CSS & javascript/jQuery [all client side]
The javascript/jQuery calls server side scripts/pages which interact with the DB [all server side]
The results from step 2 are returned to the javascript/jQuery and integrated into the page.
Does this make sense ?
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I'll be using a shared Internet connexion starting this September at my school and I was wondering about what someone sniffing traffic with Wireshark may find there. I am not planing to do this myself but I feel I ought to know more about it if I want to sometimes work on my website during class.
Basically, isn't every non-SSL website that asks you for a password and an e-mail totally unsecure to log on on a shared connexion? When you know how many people use the same password for all their web/laptop/mobile accounts, it doesn't take long to get access to someone's all private data if you manage to sniff one password and e-mail.
As for me, I am already looking at how to secure my FTP connexions, but what about my users who log through HTTP? Unless I buy a SSL certificate (which I don't want, the site's too small), they are going to get more exposed to Wireshark sniffers all over the world, right? Isn't this where login tools such as OpenID become handy for small communities, since they do provide a free encryption of passwords?
OpenID and SSL are completely unrelated. OpenID's purpose is to consolidate and give ownership of a user's identity to the user, while SSL is used to keep a user's traffic with your site secret (encrypted). You can use OpenId to keep track of the user (like Stackoverflow does) and still not use SSL for the content pages.