Preventing xhr attack in my nodejs server [closed] - node.js

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 9 years ago.
I am developing a nodejs server which will be interacting with a client mobile application. I came across some attacks on the server called XSS and XHR. I came across a module called node-validator which was useful for handling and validating inputs. I need an idea whether XSS and XHR attacks have the same effect and if that module is useful for both. Any idea regarding this will be really helpful.

An XSS attack is also known as a Cross-Site Scripting attack. It is when an attacker utilizes an unsanitized input field to inject JavaScript into an application. A common example would be if an attacker managed to inject JavaScript into a blog post's comments. It would then (if improperly sanitized) execute every time someone views the comment. An example of this type of attack can be read about here.
An XHR attack would just be an extension of the XSS attack, where the injected script makes AJAX calls back to the domain's server.
It is actually rather easy to prevent these types of attacks. By validating your input (stripping out HTML tags) and escaping special characters like ", ', `, etc., you can prevent this. I would definitely recommend using an external library for this, as you will likely miss things on your own.
Also, this is a similar question which may help you: Sanitizing user input before adding it to the DOM in Javascript
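As an added illustration of the blog-comment scenario described in this answer (example code written for this page, not code from the answerer or from node-validator), the block below renders an untrusted comment into HTML twice: once by plain string interpolation, and once through an output-escaping function. The function names and the hostile comment are constructed for the demonstration; the injected script is the "XHR" case, a script that would call back to the site with the victim's cookies if the browser ever executed it.

```javascript
// Added example for this page; not the original answer's code.
// Escape the five characters that can break out of an HTML text or
// attribute context. Escaping at render time is the robust approach:
// stripping tags at input time does not help once the same string is
// reused in another context (attribute, URL, inline script).
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: author and body are interpolated into the page verbatim.
function renderCommentUnsafe(author, body) {
  return `<li class="comment"><b>${author}</b>: ${body}</li>`;
}

// Hardened: every untrusted value is escaped for the HTML text context
// before it is concatenated into the markup.
function renderCommentSafe(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Quick self-check: does the rendered markup still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input (hypothetical comment, not real data): a script
// that fires an XHR back to the site using the viewer's ambient cookies.
const hostileComment = {
  author: 'mallory',
  body: '<script>new XMLHttpRequest().open("POST","/api/delete",true)</script>',
};

console.log('unsafe:', renderCommentUnsafe(hostileComment.author, hostileComment.body));
console.log('safe:  ', renderCommentSafe(hostileComment.author, hostileComment.body));
```

Run it with `node` and compare the two lines: the unsafe rendering still carries an executable `<script>` element, while the escaped one shows the attacker's text as inert `&lt;script&gt;` markup. A templating library that escapes by default does the same thing for every value, which is why the answer's advice to use an external library is sound.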

If you are using expressjs/connect then there's a "built-in" csrf middleware in connect.


Apparent fake installs of Chrome extension [closed]

Closed 10 years ago.
We have a new extension that we built for many months and is live on the webstore.
Our extension communicates with our API and we get many fake installs daily - installs that we see in our API and not in the web store.
After many sleepless nights, we suspect that a robot with Chrome runs our extension and deletes the local storage every time. This is only our best guess, although we are not sure if it's likely, because the IP of each installation is different.
There are many more details, so if you would like to help and need further info, let me know what and I can elaborate.
I'm not familiar with this Chrome extension API, BUT, if someone earns money by letting people install your extension then I'd check that lead.
Eventually, the clients (many IPs, you say) that apparently "install" your extension report this event by making an HTTP request. Again, I only presume!
Saying that, it might be that someone controls many computers which simply initiate these HTTP requests to "report" a (fake) installation, thus making money.
If that is the case, and someone does make money out of your extension (could be also INDIRECTLY) then check the affiliate code or whatever, this is even an issue to report to Google itself, they can certainly investigate that.

Web App technologies choice [closed]

Closed 10 years ago.
I am currently writing a user interface in ember.js and need some help with server-side decisions concerning transfer technology and server-side scripts.
The app is planned to simply wrap calls to a few server-side scripts, adding some database sugar for handling user permissions and storing inputs and outputs.
Users have to be logged in for the application to work properly.
I am expecting high concurrency of working users, and since I can use more parallel threads on the server, I am not entirely sure whether I have to go with Node.js+socket.io.
Half of requests will be simple ask to database requests and other half will need little more computation time of another server-side script (up to 5s).
I will most probably use MongrelDB as database.
My biggest questions:
Is it technologically safe today to go with pure websockets, or is it better to have the graceful degradation of Socket.io?
Will node.js scale nicely on a multi-core box, or should I use something like Mongrel2 with a python backend?
Will a python backend handle big concurrency, given that some responses are really long?
How do I handle logged-in users with node.js+socket.io?
Better to have graceful degradation, because the websocket protocol is still changing rapidly.
For scaling, I use Redis pub/sub, but you can use the cluster module for multi-core.
Don't know.
I share the session from connect with socket.io using RedisStorage. You can use RedisStorage only for handling logged-in users.

Portal : Do I really need a Portal [closed]

Closed 10 years ago.
Do I really need a Portal?
One question always comes to my mind: why do people go for Portal development? Can't they manage with a normal web application, managing the UI page with different sections? I am sorry if my question is not valid.
Or, in what scenarios do we actually need a web Portal?
Managing a UI page with different sections is fine if your users are using only your application. However, a portal allows your users to use multiple applications (and many of them not created by you) and kind of 'aggregate' their content on one page; well at least have a place which provides easy access to them on one page. The emphasis here is on multiple applications; these are applications that you as a developer may have no control over; they may have been written by a third party (such as Google, or any other developer).
The items on a portal page may not necessarily be from the problem domain that you are developing for. There's no reason why a user can't put the local weather on the same page that he's examining the inventory for his company.
Portals provide a single point of entry; that's the key point. A portal also provides some other niceties such as managed logins. If you are creating an application for a customer, and you don't have a need for a portal, a portal may be overkill (and probably is, if you have to ask).

How to protect my app on VPS? [closed]

Closed 11 years ago.
I want to protect a web application from an administrator or others with physical access to the server.
Any ideas?
Thanks
How physical is physical? :P
Your webserver (let's say Apache) needs to access your files. It runs under a user account (www-data or apache or something). Ergo: the files for the web application should be accessible to this other user.
An administrator (root user?) can impersonate any user and has access to all files, so if you're dealing with a very smart administrator, he can always get to your files.
You could run your webserver on a different account and encrypt the part of your disk where the web application files are stored. But since the webserver needs to decrypt it, the decryption key has to be stored somewhere, and the administrator has access to it.
So, I'd go for obfuscating your web application with (in the case of PHP) something like Zend Guard; this makes the source unreadable. With a license manager on top, the source is quite useless outside the server. (Not completely unbreakable, though.)
The only way to make really sure your sources are safe is to be the only one with access to the root/administrator account.
Physical access can only be prevented by hosting your own server in a secure data center...

website security [closed]

Closed 11 years ago.
How do I minimize threats to a website? Can you list the ways to minimize that problem?
This is an extremely broad topic, and can't really effectively be answered in one answer. But here are a few common vulnerabilities you should be researching and learning about.
XSS (Cross-site scripting) attacks - A method by which the security of your users can be compromised by allowing arbitrary JavaScript to be executed on your page.
SQL Injection - By allowing arbitrary SQL scripts to be executed on your database, you can give attackers the ability to retrieve sensitive information from your database or even destroy data.
Password Security best practices - There's a whole host of information about the proper way to deal with authentication and storage of user information in your database.
There are a handful of universal things to employ:
Good password policies
Avoid SQL injection vulnerabilities
Secure the server itself, not just the website
This list can, and does, go on just about forever. It's a little vague, but then so is your question really.
It sounds like you're asking "How do I do secure web programming?" That's just too broad for this site. You're asking us to impart years of industry knowledge about a very diverse subject into a few paragraphs. It just can't be done.
You're much better off getting some books on the subject. You can start with the Web Security Testing Cookbook. But there are a lot more places to go from there.
Keep in mind that two big parts of "securing a website" are:
Designing it with security in mind from the beginning. Retro-fitting security isn't very reliable. (As an old network admin I worked with once said, even if you put your cotton candy in a steel box, it's still soft and squishy.)
Knowing how to exploit security holes, so as to better test your own implementations.
As others have mentioned, this is a broad topic.
Personally, I would start here: http://www.owasp.org/index.php/Top_10_2010
The OWASP Top 10 list is the basis for PCI compliance, and considered the gold standard by many as far as web application security. OWASP offers general guidance, as well as specific guidance for any number of platforms. I've learned more about security here than anywhere else.
