Questions tagged [web-application]

An application that is accessed over a network such as the Internet or an intranet using a browser.

An application that is accessed over a network. The term may also mean an application that is hosted in a browser-controlled environment or coded in a browser-supported language and reliant on a common web browser to render the application executable.

3390 questions
35 votes · 4 answers

Is a public /admin route a security flaw?

I have a web application built in a classic MERN stack (MongoDB, Express, React, Node) and I want to create an admin route, so I figured I could just do it with a [url]/admin route. Could that be a security risk? Of course the admin users would be…
30 votes · 4 answers

How can an attacker use robots.txt?

I want to understand how the robots.txt file can be used by an attacker. I know it can contain a list of paths and directories. Is that all or can we find more information in it?
human_garbage
18 votes · 6 answers

How do I get started with security? (beginner)

I have been working in web development for a fair amount of time. I am looking at developing in either Python (Django etc.) or PHP. I am new to security. Where do I begin looking? What are basic things I should have in mind? Basically, how do I get…
ape
17 votes · 3 answers

Is encrypting SALT with given user's password more secure?

I'm learning about web security. I understand that passwords are hashed with salt. Why aren't the salts encrypted with the same user's password? Couldn't this make password cracking much harder? Generate a salt, encrypt it with AES using the user's…
Kevin
14 votes · 5 answers

Should web sites disable form autocomplete on all forms?

I've noticed that some web-app security scanners flag the 'AutoComplete' feature of some websites (in the username/password fields) as a security risk and thus suggest including AutoComplete=off or in the code somewhere. I've since learned that…
NULLZ
14 votes · 5 answers

What is better, an established framework or a homebrew solution?

Recently, a website related to our university was hacked along with many others. This led to a general discussion on how to secure the website in the future. Anyway, there is one point that was discussed quite a bit. Assuming that one is a…
Manishearth
13 votes · 3 answers

How to protect my API endpoints

I have an API written in nodejs and I have a frontend app written in angularjs. I want my API to be called only through my frontend app and not from any other source. e.g. I have an endpoint called myhost.com/posts/id and when the method is delete it…
Avraam Mavridis
13 votes · 4 answers

Sending HTTP 403 as 200 - "Silent Identification of Admin"

A researcher recently reported an issue in a site about using script on a 3rd party site to discover if a user is an admin. Here's the scenario: Main site is target.example Attacker site is evil.example target.example has SSL and HSTS and…
greggles
11 votes · 4 answers

Should a web application return true http errors?

Exception and error information can be used by a malicious user to map out the API of a web application, so it is routine to see security checklists advise returning only a "Please contact your administrator" type of message. On the other hand,…
MatthewMartin
11 votes · 3 answers

Is it dangerous to show all the JavaScript functions in my web application?

Right now I'm developing a web application and it uses a lot of JavaScript functions, so I'm putting all of them in different JS files to access from the HTML, but the functions are easily readable, so the attacker knows what is going on with the…
NathanWay
10 votes · 6 answers

What are web attacks in which users can run code on your servers?

I hear stories about insecure web servers and sites which people (or bots) break into and execute their own code on the server. My question is how is that possible? I heard of people putting their own javascript on websites stealing cookies and…
user5575
10 votes · 3 answers

Is it possible to forge a post request?

Consider the following URL http://mysite.com/form?date=x. Suppose that if x is in an incorrect format, a page is returned with "x is not a valid date", where the page author has forgotten to escape the variable x. Assume that x is properly…
Casebash
10 votes · 3 answers

Flaws in Crypto Cat

I've heard from several people that Crypto Cat has some security flaws. Has anyone performed an analysis of the system and written a whitepaper? I'm curious what the flaws specifically are and what solutions could be implemented to fix them.
Charles Hoskinson
10 votes · 2 answers

Is there any risk related to allowing users to give a URL as their profile image?

Building a website, I'd like to allow users to specify a URL that points to an image that will be used as a profile picture (included in the HTML DOM as a ). But before doing anything stupid, I was wondering if it was possible for a malicious…
Cyril N.
9 votes · 4 answers

Does it make sense to isolate each web service user on his own servers?

I am planning an architecture of a web application for my company which is launching a financial service for its partners, and my main question is - does it make sense to put each partner on a different server (or even server groups web/db)? The…