Questions tagged [security]

Topics relating to application security and attacks against software. Please don't use this tag alone, that results in ambiguity. If your question is not about a specific programming problem, please consider instead asking it at Information Security SE:

This tag is used for topics relating to application security and attacks against software. Security relates to a wide range of subjects including , , , , and , among others.

Web Application Security

Web application security is a branch of Information Security that deals specifically with security of websites, web applications and web services.

At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems. Typically web applications are developed using programming languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.

More about web application security and best practices:

Note that security questions which are not about a specific programming problem may be better suited to our sister site, IT Security Stack Exchange.

56174 questions
11 answers

The definitive guide to form-based website authentication

Moderator note: This question is not a good fit for our question and answer format with the topicality rules which currently apply for Stack Overflow. We normally use a "historical lock" for such questions where the content still has value.…
Michiel de Mare
  • 41,982
  • 29
  • 103
  • 134
8 answers

Why does Google prepend while(1); to their JSON responses?

Why does Google prepend while(1); to their (private) JSON responses? For example, here's a response while turning a calendar on and off in Google Calendar: while (1); [ ['u', [ ['smsSentFlag', 'false'], ['hideInvitations', 'false'], …
  • 42,368
  • 6
  • 37
  • 51
17 answers

Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords. Why does String pose a threat to…
  • 39,245
  • 13
  • 40
  • 68
27 answers

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES…
Andrew G. Johnson
  • 26,603
  • 30
  • 91
  • 135
26 answers

How should I ethically approach user password storage for later plaintext retrieval?

As I continue to build more and more websites and web applications I am often asked to store user's passwords in a way that they can be retrieved if/when the user has an issue (either to email a forgotten password link, walk them through over the…
  • 16,779
  • 5
  • 27
  • 46
16 answers

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?
  • 23,354
  • 10
  • 44
  • 49
14 answers

Secure hash and salt for PHP passwords

It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. This question, Is “double hashing” a password less secure than just hashing it once? suggests that…
  • 24,773
  • 9
  • 57
  • 83
13 answers

How does the SQL injection from the "Bobby Tables" XKCD comic work?

Just looking at: (Source: What does this SQL do: Robert'); DROP TABLE STUDENTS; -- I know both ' and -- are for comments, but doesn't the word DROP get commented as well since it is part of the same line?
  • 259,732
  • 324
  • 769
  • 1,199
32 answers

How to avoid reverse engineering of an APK file

I am developing a payment processing app for Android, and I want to prevent a hacker from accessing any resources, assets or source code from the APK file. If someone changes the .apk extension to .zip then they can unzip it and easily access all…
  • 8,983
  • 4
  • 21
  • 23
18 answers

Best Practices for securing a REST API / web service

When designing a REST API or service are there any established best practices for dealing with security (Authentication, Authorization, Identity Management) ? When building a SOAP API you have WS-Security as a guide and much literature exists on the…
  • 12,290
  • 3
  • 29
  • 28
21 answers

Why Does OAuth v2 Have Both Access and Refresh Tokens?

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new…
dave mankoff
  • 17,379
  • 7
  • 50
  • 64
9 answers

SecurityError: Blocked a frame with origin from accessing a cross-origin frame

I am loading an