Items tagged security, quora
Is there anyway to game unique link verifications? Like when you get sent a link of the form https:/........com/UID=TYYN04001 How would one change the digits to reproduce another working link?
Not if they’ve been implemented correctly.[... 42 words]
By doing exactly what they’re doing already: adding more sophisticated rate limiting, and preventing users from using common weak passwords.[... 80 words]
Set up full drive encryption—that way if someone steals your laptop they won’t be able to access your data without a password.[... 95 words]
Don’t cleanse. Escape instead.[... 18 words]
I would like to setup a web-server which will be used solely by myself. What would be the safest way to do so in terms of confidentiality of the contents?
I haven’t configured them myself, but it might be worth looking in to client SSL certificates for this. That way your server won’t communicate with any browser that hasn’t installed a certificate which you generate. I believe the BBC used to use this for a lot of their important servers which they wanted to be accessible only by their own developers from across the internet (I don’t know if they still do).[... 108 words]
Input validation is, in my opinion, a red herring. Sure—if you ask the user for an integer or date you should make sure they entered one before attempting to save it anywhere or use it for processing, but injection attacks often involve text fields (e.g. names, or comments posted on Quora) and validating those on input is a recipe for banning “Tim O’Reilly” from ever creating a proper profile on your site![... 316 words]
Be very careful when implementing JSON-P for authenticated actions—evil third party sites could assemble URLs to your user’s private data and steal it. This attack has worked against Gmail in the past.[... 203 words]
It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross domain XHR was allowed the evil site could suck that secret document off your intranet without you realising.[... 105 words]
Probably because if you implement logout as a GET action, I can force you to log out of a site by tricking you in to visiting a page with an <img src="http://yoursite.com/logout/" width="1" height="1"> element on it.[... 64 words]
XSS attacks are common and easy, and crop up all the time. What’s new is that the number of people who are aware of the potential for XSS worms has increased hugely, so when an XSS does crop up in something popular there’s a much higher chance of someone turning it in to a worm (as happened with Twitter the other day).[... 96 words]
Absolutely never. Magic quotes was a badly designed feature, and PHP has been trying to escape its legacy for years. If you are constructing SQL strings using string concatenation you’re asking for trouble—use prepared statements or a library that interpolates and correctly escapes variables for you.[... 65 words]
For security reasons.[... 159 words]