56,611 questions
0 votes | 0 answers | 6 views
Unhandled 'error' event with self-signed TLS certificate on node:http2 and wget
I created a simple HTTPS server with the node:http2 package and a self-signed certificate. This is the code for this app server:
import {createSecureServer} from 'node:http2';
import {readFileSync} from 'node:...
-3 votes | 0 answers | 32 views
Security Concern: Exposure of .env File via API: How to secure the .env file so it cannot be exposed through any API
We are facing a serious security issue with our backend infrastructure. We have API endpoints that allow command execution or access to the server's CLI.
Let me explain the scenario: Suppose our ...
0 votes | 0 answers | 14 views
Logon events from within credential provider
I have a custom credential provider that I use to perform logon operations. I looked to see if it is possible to obtain logon status within the credential provider, and I do not see any APIs that provide ...
-1 votes | 0 answers | 22 views
How do I know which cipher suites are used by default on my Java 11 installation on RHEL 8?
I have a third-party application using a Java 11 client on RHEL 8. My security team asked me to provide security details about encryption, like what cipher suite is used. How can I check it, please?
0 votes | 0 answers | 19 views
Bypassing OpenDocument Password Protection (nope, I don't want to ^^) [closed]
For multiple use cases I need an easy-to-use and feature-rich editor for documents as well as spreadsheets. I already know that MS file (MS msX file formats) PWD protection can be bypassed ...
-1 votes | 0 answers | 7 views
Wireguard VPN Setup Question: How do I configure my Wireguard interfaces when I do not trust one of the peer's networks?
The problem that I am having is that I want to establish a secure connection between my home Ubuntu 22.04 Linux development box which I'll call Foo and my Windows 11 machine that I use at a technical ...
0 votes | 0 answers | 22 views
.NET App is not using OpenSSL Certificate store on Linux Docker Container
I have a .NET 8 (8.0.8) Web API which calls an external API using RestSharp.
The GET method is not executing because of the error I have:
The SSL connection could not be established, see inner exception.
...
0 votes | 0 answers | 6 views
Issues while migrating from jersey-spring4 to jersey-spring6
While upgrading from jersey-spring4 2.27 to jersey-spring6 3.1.3, we came to know that Jersey 3 uses the jakarta namespace while Jersey 2 uses the javax namespace.
But the Quartz scheduler library does not ...
0 votes | 1 answer | 21 views
IdentityServer4 and SSO
I have two types of login in my web API:
Through the application.
Through a personal SSO related to a private company.
I implemented my authentication service using IdentityServer4.
But the ...
0 votes | 0 answers | 24 views
How to securely expose the app version from package.json using ES Modules?
I'm currently using ESM in my TypeScript + Next.js project, and I want to log the application version from my package.json file to the client console.
Here is the code snippet I'm using in a global ...
-2 votes | 0 answers | 14 views
Why am I not receiving any hosts when using net.probe in bettercap? [closed]
I am using bettercap on a Kali Linux virtual machine. I am connected wirelessly to the WiFi network.
I want to see the devices connected to my network. In order to do that I am using bettercap on a ...
0 votes | 0 answers | 25 views
Implement hard-coded SSL certificate with libcurl and OpenSSL
I have a C++ application which connects to my HTTPS authentication server. I want to prevent MITM attacks because I don't want users to be able to crack my program.
I have implemented string encryption,...
0 votes | 0 answers | 20 views
Wazuh dashboard HTML file
I have a chatbot and I want to integrate this chatbot into Wazuh Dashboard. For this, I need to add the script code of my chatbot to the Wazuh HTML file, but I cannot find the folder containing the ...
-1 votes | 1 answer | 31 views
How can I restrict access to code on VS Code so that only I can access it and other users must log in and can only access the launched GUI?
How can I restrict the backend code on VS Code so that users can only access the launched GUI?
I have developed a GUI from some Python code I made in Jupyter Notebook via VS Code. I made and launched ...
0 votes | 0 answers | 18 views
How to link or associate the certificate in Apple keychain with the associated private key generated in the Secure Enclave?
I have generated the key pair using the Secure Enclave with (SecKeyCreateRandomKey()), then created a CSR, and then the certificate is issued by the CA. I have stored the certificate in the keychain with (SecItemAdd()). ...
0 votes | 0 answers | 27 views
Creating a signature for the client-side payload [closed]
I want to make it harder for attackers by implementing signatures on client-side request payloads. I understand that everything on the client side is not secure, and implementing signatures is not ...
0 votes | 0 answers | 14 views
Can other software programs deny access to data sealed in a PCR of a TPM by extending measurements to that PCR?
In particular Microsoft posting this has me wondering: "Windows only uses one PCR bank".
I am also studying the Linux kernel and it uses PCR[9] only for its boot process so far in my study.
...
0 votes | 0 answers | 13 views
Trigger GitLab DAST scan from external pipeline
I want to use GitLab only for DAST scans. I have some existing pipelines (Jenkins, Azure DevOps). I would like to run DAST scans using GitLab's DAST scanner. What are my options? I do not want any ...
-1 votes | 0 answers | 14 views
How do I allow a "trusted" application downloaded on macOS with dozens of .dylibs [closed]
My colleagues are downloading a .tar.gz file I've prepared from a known URL.... the archive itself contains a command-line executable together with a large number of .dylib files in support....
when ...
0 votes | 1 answer | 64 views
How to debug production containers using kubectl debug under root user?
I’m facing an issue related to our strict security policies, which are configured according to best practices. Below is the security context we are using:
spec:
  securityContext:
    runAsUser: <...
-3 votes | 0 answers | 19 views
Disable X-XSS protection header [closed]
Please, I would like to disable the X-XSS-Protection header.
I have done this in the Apache server:
Header unset X-XSS-Protection
but it doesn't work.
I still have the x-xss-protection header in the curl ...
-3 votes | 0 answers | 14 views
Which vulnerability should I practice next? [closed]
Hi, I have already practiced XSS, SQLi, CSRF, IDOR, access control, broken authentication, file upload and information disclosure. What should I practice next in terms of beginner vulnerabilities?
And ...
-2 votes | 0 answers | 24 views
Should we still implement anti-CSRF tokens?
CSRF attacks can be prevented by setting the session cookie's SameSite attribute to Lax.
In the past, browser support for SameSite wasn't that great, but today it is around 95% (https://caniuse.com/?...
0 votes | 0 answers | 29 views
Web interface for a bot
Scope of my question is mainly how to structure the project, hosting services and what security measures to use to ensure this project does not get compromised. I will provide details about what I'm ...
0 votes | 1 answer | 27 views
Issue with Access Rules for Attachments / odoo 17
In a custom module, I added a new field ir_attchment_ids.
When connecting with another user (not admin), I got this error.
Uh-oh! Looks like you have stumbled upon some top-secret records.
Sorry, user (...
-3 votes | 0 answers | 17 views
Security Concerns and Best Practices for GitHub OAuth and Organization-Based Project Management [closed]
I am building a side project where users can create projects that are integrated with GitHub repositories. I have implemented GitHub OAuth for login and access to users' repositories, but I'm facing ...
0 votes | 1 answer | 57 views
Is my password safe in a pyinstaller .exe?
So I built a program to run reports. I put credentials in the Python script. I want to distribute this to users without Python, so I converted it to a .exe using pyinstaller. I wasn't able to find the ...
-2 votes | 0 answers | 45 views
Laravel and Public folder hacked, how to secure it? [closed]
I am wondering how a hacker can get access to the Public folder and save a few files inside it.
The homepage file has a link to index.php which is available in the Public folder, and a hacker had saved index.htm, ....
0 votes | 0 answers | 41 views
Private key expiration [closed]
We have a desktop application that, among other things, handles digital signatures. We have to notify the user that their signature is about to expire. The problem is public and private keys have ...
-2 votes | 0 answers | 10 views
systemd NoNewPrivileges=yes equivalent in openrc
Is there any equivalent way to specify
[Service]
...
NoNewPrivileges=yes
in openrc? The systemd reference is here.
-2 votes | 0 answers | 29 views
I am trying to sanitize an object but still getting a snyk.io error | Node.js [closed]
I have 2 types of error in the Snyk report https://snyk.io/ I don't know if it can be solved with DeepCode AI as well, but I appreciate the answers.
SQL injection: unsanitize input from an HTTP parameter ...
0 votes | 0 answers | 10 views
Handling Autofilled Form Values Before User Interaction and Understanding Browser Behavior
I’m encountering an issue with browser autofill functionality and form validation that has me puzzled. Here’s what’s happening:
Scenario:
When a form is loaded, the browser autofills the username ...
-1 votes | 0 answers | 25 views
Port 6000 not working, however other ports are working for the same app [closed]
I have created an app and started deploying it, and it worked on ports 8080, 7000, 8000, 9000, but when I expose port 6000 it didn't work. I checked that the port is available, as it is not shown as working when ...
0 votes | 0 answers | 107 views
SQL Injection query with UNION
I'm walking through some online training and I'm stuck in a place where I have to use SQL injection via a UNION query.
Here's the initial query:
SELECT *
FROM Transactions T
LEFT JOIN Accounts as OA ...
0 votes | 0 answers | 40 views
How to Restrict mTLS Client Certificates to Specific Services Without Modifying Standard Software Verification Logic?
I’m setting up mTLS to secure communication between my application’s components, specifically Service A and Service B. I’ve issued server certificates for both Service A and Service B, and they trust ...
-1 votes | 1 answer | 30 views
How to remove PII from MessageHandlingException in Spring Integration?
I am trying to remove PII from logs. Is there some way to tell Spring Integration not to include the payload and header in the exceptions?
public Message<?> hasErrorAndPii(Message<?> ...
0 votes | 0 answers | 17 views
Validating a signed catalog file using BCryptVerifySignature
I'm trying to validate that a catalog file (.cat) has not been tampered with.
The idea is to sign it with the private key from Self Signed Certificate on the sender side and validate it on the ...
0 votes | 1 answer | 24 views
Can I enable WPA3 security programmatically in Android P2P?
I have an application capable of creating a Wi-Fi Direct group with a custom group SSID and password, but it works with normal WPA2.
How to enable WPA3 security with a P2P group in Android ...
0 votes | 1 answer | 31 views
login-info.cfg Splunk file semantics and structure
I've installed a Splunk instance version 9.2.0.1 on my local Linux OS machine (it's installed on Windows OS via WSL). Some days ago, I went through the file under $SPLUNK_HOME/etc/login-info.cfg (in my ...
0 votes | 0 answers | 25 views
How to Securely Protect Decrypted Firmware Files During Flashing Process In C++ CLI Tool?
I am developing a C++ CLI tool for Windows that flashes firmware to devices. The tool fetches encrypted firmware files from a server, decrypts them only during the flashing process, and deletes them ...
0 votes | 0 answers | 22 views
Programmatically Searching Multiple Columns for Value using Psycopg2
I'm working on a full-stack web project to database native plants in my area, and I'm using PostgreSQL and Python on my backend.
An important part of the tool is the ability to filter plants using ...
-1 votes | 0 answers | 33 views
Source of website injection for flex-query.com?
I help update a WordPress site and it occasionally gets this code injected into it.
<script>!function(e,t){var c=e.currentScript;if(c&&c.parentNode.removeChild(c),location.href.match(/...
2 votes | 0 answers | 61 views
How to make a nicer UX for trusting a signed Access frontend
My application consists of a Microsoft Access .accde frontend, plus a few associated resource files. These are copied to a folder on the user's desktop by an NSIS installer .exe. Both the .exe and the ...
0 votes | 0 answers | 88 views
Does post-quantum Kyber512 directly support encryption/decryption on its own (without AES)? [closed]
Trying to implement encryption and decryption using the Kyber512 KEM, but I can't find any method to do this directly.
It looks like there's no way to directly encrypt files. Because Kyber512 is used to ...
0 votes | 0 answers | 14 views
How to access secrets locally (Replicate external secret Operator)
This is a more open-ended question but I hope it is allowed here. I am currently tasked with replacing the Jasypt library which we use to decrypt secrets in our applications. For now the course of ...
1 vote | 0 answers | 66 views
Is there a better way to check errors in C? [closed]
I'm working in C using the GTK API to create a GUI interface.
What problems will I encounter if I centralize my error checking in my code?
I'm using GError from GLib, and switch case with structs to ...
0 votes | 0 answers | 44 views
Updated Java from 14.0.2 to Java 21 and now spring security is returning 401 on all endpoints or 403 [closed]
I'm facing an issue with my Spring Security configuration in a Spring Boot application. My WebSecurityConfig class is set up to handle various endpoint permissions and configurations. The problem ...
0 votes | 0 answers | 20 views
How to secure a Stream Key in order to securely consume a livestream via HLS?
I'm trying to build a simple livestreaming platform for studying purposes. Currently, I'm using the nginx rtmp module, which sets up an rtmp application, and provides the contents via an HLS endpoint. ...
0 votes | 0 answers | 8 views
Electron app can't keep entry in Privacy & Security > Screen & System Audio Recording
Some very few OSX users of my Electron app can't seem to be able to keep the app entry in the list of Privacy & Security > Screen & System Audio Recording allowed apps.
After they manually ...
0 votes | 0 answers | 12 views
Configure API gateway Spring Boot microservice to handle request validation & authorization with a JWT token and the Spring Boot security microservice
My security microservice is working fine: when I register a user, it is saved in my database, and when logging in, a JWT is generated.
The security service is meant to protect a search API service that is ...