Questions tagged [security]

Topics relating to application security and attacks against software. Please don't use this tag alone; on its own it is ambiguous. If your question is not about a specific programming problem, please consider asking it at Information Security SE instead: https://security.stackexchange.com

This tag is used for topics relating to application security and attacks against software. Security relates to a wide range of subjects.

Web Application Security

Web application security is a branch of Information Security that deals specifically with security of websites, web applications and web services.

At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems. Typically web applications are developed using programming languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.


Note that security questions which are not about a specific programming problem may be better suited to our sister site, Information Security Stack Exchange.

56174 questions
5518 votes, 11 answers

The definitive guide to form-based website authentication

Moderator note: This question is not a good fit for our question and answer format with the topicality rules which currently apply for Stack Overflow. We normally use a "historical lock" for such questions where the content still has value.…
asked by Michiel de Mare (41,982 rep)
4461 votes, 8 answers

Why does Google prepend while(1); to their JSON responses?

Why does Google prepend while(1); to their (private) JSON responses? For example, here's a response while turning a calendar on and off in Google Calendar: while (1); [ ['u', [ ['smsSentFlag', 'false'], ['hideInvitations', 'false'], …
asked by Jess (42,368 rep)
3823 votes, 17 answers

Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords. Why does String pose a threat to…
asked by Ahamed (39,245 rep)
2773 votes, 27 answers

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES…
asked by Andrew G. Johnson (26,603 rep)
1342 votes, 26 answers

How should I ethically approach user password storage for later plaintext retrieval?

As I continue to build more and more websites and web applications I am often asked to store user's passwords in a way that they can be retrieved if/when the user has an issue (either to email a forgotten password link, walk them through over the…
asked by Shane (16,779 rep)
1265 votes, 16 answers

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?
asked by Brent (23,354 rep)
1245 votes, 14 answers

Secure hash and salt for PHP passwords

It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. This question, Is “double hashing” a password less secure than just hashing it once? suggests that…
asked by luiscubal (24,773 rep)
1219 votes, 13 answers

How does the SQL injection from the "Bobby Tables" XKCD comic work?

Just looking at: (Source: https://xkcd.com/327/) What does this SQL do: Robert'); DROP TABLE STUDENTS; -- I know both ' and -- are for comments, but doesn't the word DROP get commented as well since it is part of the same line?
asked by Blankman (259,732 rep)
848 votes, 32 answers

How to avoid reverse engineering of an APK file

I am developing a payment processing app for Android, and I want to prevent a hacker from accessing any resources, assets or source code from the APK file. If someone changes the .apk extension to .zip then they can unzip it and easily access all…
asked by sachin003 (8,983 rep)
840 votes, 18 answers

Best Practices for securing a REST API / web service

When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management) ? When building a SOAP API you have WS-Security as a guide and much literature exists on the…
asked by Nathan (12,290 rep)
823 votes, 21 answers

Why Does OAuth v2 Have Both Access and Refresh Tokens?

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new…
asked by dave mankoff (17,379 rep)
819 votes, 9 answers

SecurityError: Blocked a frame with origin from accessing a cross-origin frame

I am loading an