Questions tagged [security]

Topics relating to application security and attacks against software. Please don't use this tag alone; on its own it is ambiguous. If your question is not about a specific programming problem, please consider asking it on Information Security SE instead: https://security.stackexchange.com

This tag is used for topics relating to application security and attacks against software. Security relates to a wide range of subjects including , , , , and , among others.

Web Application Security

Web application security is a branch of Information Security that deals specifically with security of websites, web applications and web services.

At a high level, web application security draws on the principles of application security but applies them specifically to Internet and web systems. Web applications are typically developed in languages and frameworks such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.

More about web application security and best practices:

Note that security questions which are not about a specific programming problem may be better suited to our sister site, IT Security Stack Exchange.

52,707 questions

5484 votes, 12 answers

The definitive guide to form-based website authentication

Form-based authentication for websites We believe that Stack Overflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variations on common problems. "Form based authentication for…
Michiel de Mare (reputation 40,513; badges 27 / 100 / 132)
4244 votes, 8 answers

Why does Google prepend while(1); to their JSON responses?

Why does Google prepend while(1); to their (private) JSON responses? For example, here's a response while turning a calendar on and off in Google Calendar: while (1); [ ['u', [ ['smsSentFlag', 'false'], ['hideInvitations', 'false'], …
Jess (reputation 39,842; badges 6 / 34 / 51)
3585 votes, 18 answers

Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords. Why does String pose a threat to…
Ahamed (reputation 36,657; badges 12 / 35 / 67)
2773 votes, 28 answers

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES…
Andrew G. Johnson (reputation 25,473; badges 30 / 86 / 133)
1343 votes, 26 answers

How should I ethically approach user password storage for later plaintext retrieval?

As I continue to build more and more websites and web applications I am often asked to store user's passwords in a way that they can be retrieved if/when the user has an issue (either to email a forgotten password link, walk them through over the…
Shane (reputation 16,499; badges 4 / 25 / 46)
1209 votes, 14 answers

Secure hash and salt for PHP passwords

It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. This question, Is “double hashing” a password less secure than just hashing it once? suggests that…
luiscubal (reputation 23,581; badges 8 / 51 / 82)
1188 votes, 17 answers

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?
Brent (reputation 21,918; badges 10 / 42 / 49)
1138 votes, 13 answers

How does the SQL injection from the "Bobby Tables" XKCD comic work?

Just looking at: (Source: https://xkcd.com/327/) What does this SQL do: Robert'); DROP TABLE STUDENTS; -- I know both ' and -- are for comments, but doesn't the word DROP get commented as well since it is part of the same line?
Blankman (reputation 236,778; badges 296 / 715 / 1,125)
834 votes, 18 answers

Best Practices for securing a REST API / web service

When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management) ? When building a SOAP API you have WS-Security as a guide and much literature exists on the…
Nathan (reputation 12,160; badges 3 / 25 / 27)
808 votes, 33 answers

How to avoid reverse engineering of an APK file?

I am developing a payment processing app for Android, and I want to prevent a hacker from accessing any resources, assets or source code from the APK file. If someone changes the .apk extension to .zip then they can unzip it and easily access all…
sachin003 (reputation 8,573; badges 4 / 19 / 23)
728 votes, 14 answers

Why Does OAuth v2 Have Both Access and Refresh Tokens?

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new…
dave mankoff (reputation 16,001; badges 6 / 45 / 59)
702 votes, 4 answers

SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetFromPost('login')); $password =…
Richard Knop (reputation 73,317; badges 142 / 374 / 539)
693 votes, 7 answers

Are PDO prepared statements sufficient to prevent SQL injection?

Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['username']) ); The PDO documentation says: The parameters to…
Mark Biek (reputation 135,050; badges 52 / 150 / 195)
682 votes, 5 answers

How can bcrypt have built-in salts?

Coda Hale's article "How To Safely Store a Password" claims that: bcrypt has salts built-in to prevent rainbow table attacks. He cites this paper, which says that in OpenBSD's implementation of bcrypt: OpenBSD generates the 128-bit bcrypt salt…
Nathan Long (reputation 113,812; badges 91 / 316 / 418)
675 votes, 8 answers

Are HTTPS headers encrypted?

When sending data over HTTPS, I know the content is encrypted, however I hear mixed answers about whether the headers are encrypted, or how much of the header is encrypted. How much of HTTPS headers are encrypted? Including GET/POST request URLs,…
Dan Herbert (reputation 90,244; badges 46 / 174 / 217)