/r/websecurity

Links and discussion on the development and maintenance of secure websites, for website owners, developers and pentesters. As applications and services move to the web, avoiding web vulnerabilities such as XSS and CSRF becomes critical.

Note: this subreddit is not for technical support. Please use /r/24hoursupport or /r/techsupport for that.

7,004 Subscribers

1

Is security.org trustworthy?

Hi, I've got some guy trying to convince me that NordVPN is a scam with a bunch of claims that I'm not currently able to refute. In doing my own research I'm finding it difficult to have trust in anything I read online and am looking for reputable information sources. I came across security.org which seems legit... but it's hard to know for sure so I thought I'd ask; is security.org a trustworthy site?

If not, and/or, what online resource(s) can be considered gospel? No paid shills or backdoor affiliations pushing agendas, products, misinformation, etc...

Cheers

4 Comments
2024/11/09
18:45 UTC

1

Are there any recommended WAFs not based on rules?

Rule-based WAFs are necessary in some way but not that effective anymore. Are there some WAFs not based on rules to detect malicious actors?

0 Comments
2024/11/04
15:19 UTC

0

Seeking Advice on Securing a Node.js API and SQL Database for a Small WPF Desktop App

I'm looking to provision an SQL database using services like DigitalOcean, Linode, Vultr, or AWS. For security reasons, I want to set up a Node.js API to interact with this database, as my application is a small WPF desktop app that will be used by no more than three users from their personal computers.

I have experience creating a Node.js API without any security features, primarily for testing. However, I now need to secure both the API and the database.

I realize that security can be a vast and complex subject, but I'm looking for some baseline practices that will allow me to achieve a reasonable level of security without diving into overwhelming details.

What are some practical steps or recommendations you would suggest for securing the API and the database in this scenario? Thank you!

4 Comments
2024/11/02
10:14 UTC

1

Trying to understand an attack vector

Howdy,

So one of my websites recently got hit with an attack that was generating a ton of 404 errors (23k in one day, 5x normal server traffic). The odd thing about this attack, was that the primary URLs they tried looked something like this:

/papers/aHlwZXJzb2

There are ~14 of these URLs attempted, with at least 1k attempts each.

At first we thought someone might have published a bunch of bad links to our site with a malformed URL shortener, but then as the volume increased, it was clear it was some kind of attack.

Is this just an attempt to DDoS the site? What other purpose would these bad URLs have?

Our logs didn't show anything else out of the ordinary, just the normal amount of brute force attacks that show up on a daily basis, so this was really odd.

Any ideas?

1 Comment
2024/10/31
22:03 UTC

1

If a CSP header receives an image from a trusted source, but it's actually a script

Content-Security-Policy is a decent way to whitelist sources of content to the browser of the client.

But what happens, let's say, if one of the websites in the whitelist was hacked and delivered a script instead of an image, fooling CSP into thinking it's an image?

Can't a hacker make the script inside the image run in some way, or is it completely hermetically sealed so that no executable can perform?

(assuming MIME is on nosniff, of course)

9 Comments
2024/10/11
10:50 UTC

1

Adding an outer layer of security

I'm a self-taught amateur PHP programmer coding strictly for a private website - family and friends only and I use robots.txt to discourage indexing.

I have an idea to provide an outer layer of security for certain private pages by using a cookie with a key value which would be a hash signature.

  • The first thing my code would do on a private page - before rendering anything to the browser - is check for a query string setting the cookie.
    • The value stored in the cookie would probably be a hash of a username and some other value like a date.
    • This would allow me to deny access by simply changing the user's key value in the list the cookie is checked against.
  • The second thing would be to check if there is a cookie, and if so check it against a list of valid IDs.
    • If this test fails the code would simply end without returning anything to the browser.
  • If this outer layer is satisfied the user would proceed to the site and log in with a normal login system.

My thought is that this outer layer on certain private pages would back up the subsequent security measures and offer some protections if I have weaknesses in the login system.

Would appreciate commentary if this would work or if there's a hole in this I'm not seeing.

I should add that I know there are other ways of implementing security. As my plans progress I will be looking for a good secure login system to implement on the site to control access. I'd feel more comfortable with certain pages having this invisible perimeter layer and want to know if this additional layer strategy would work.

3 Comments
2024/10/07
17:46 UTC

1

Is there a CSRF threat for non-cookie based auth?

Every time I have read about "CSRF attacks" I am always left with "how exactly is this a big deal?" So the idea is that a logged in user has some kind of authorization cookie, and they visit some evil website that makes a client-side request to a known endpoint of the site that user is authenticated with... Because there is a cookie, that client-side request from the evil website then passes the cookie along and therefore the endpoint that should not be accessible is in fact accessed.

So, with an application that does not use cookies, but instead fetches an auth token for a given user once authenticated, and continues to pass that token into every request until it expires--- this seems to me as though it is completely CSRF-proof... The evil website would not be able to submit the auth token, and the endpoint would be checking for that token, and therefore 401/403. Is this correct?

2 Comments
2024/10/01
18:23 UTC

3

Released secure.py v1.0.0 – Simplify HTTP Security Headers for Python Web Apps

Hi web security enthusiasts,

I've just released secure.py v1.0.0, a Python library that makes adding essential HTTP security headers to your web apps effortless. Whether you’re using Flask, Django, FastAPI, or another framework, secure.py helps protect your app against common vulnerabilities with minimal effort.

Key Features:

  • Quick Security Presets: Apply BASIC or STRICT security headers in one line.
  • Full Customization: Control headers like CSP, HSTS, and X-Frame-Options to suit your needs.
  • Multi-Framework Support: Works seamlessly with Flask, Django, FastAPI, Sanic, Starlette, and more.
  • Best Practices: Implements best practices from the OWASP Secure Headers Project (https://owasp.org/www-project-secure-headers/).

Secure.py aims to make securing your web application easy while ensuring best practices are followed. Headers like CSP and HSTS can be a hassle, but they’re crucial for protecting against XSS, clickjacking, and more. Now, adding them is as simple as a few lines of code.

Check it out on GitHub: https://github.com/TypeError/secure

I’d love your feedback—let me know how it works for you or if there are features you'd like to see in the future!

Thanks, and happy securing!

0 Comments
2024/09/29
09:36 UTC

2

Any advice on how to explain to senior about being safe

My mom is in her sixties and she is having the worst time learning about safety on the internet. She has gotten her identity stolen a minimum of twice this year probably more. She has finally agreed for me to explain things to her about how to stay safe on the internet. I'm not good with explaining things, can somebody please help me figure out how to word this?

Basically her main problem is that her email is full of nonsense. I actually just looked in her email and there were things saying about how "her credit score was impacted" "your online banking details have been compromised" "click here for free money" etc.

I am trying to find a nice way to explain how you should not open any emails you were not expecting or do not know who they are from. I have explained that multiple times in that phrase but it hasn't sunk in. I am also trying to figure out a way to explain about how she should not just click any random link on her phone.

As I said I am very bad at explaining things and wording them properly, I'm just looking for a way to explain it to someone who is not tech savvy in anyway.

0 Comments
2024/09/28
09:21 UTC

1

Private content. Is it even possible?

I’m working on a journalling e-mail system where each day I receive an email with a prompt to write something about my newborn son.

The reply, along with any image attachments are sent to an email service provider that forwards it to a webhook on my server.

The email service provider says they do not store the e-mail - only stats related to it.

Assuming that this is true, how can I make this as private/secure as possible?

My dumb(?) idea:

  1. Create an RSA key. Send the private part to the user, keep the public part on the server.
  2. Every time content comes in: generate an AES key, use it to encrypt the content, encrypt the AES key using the RSA public key, store the encrypted content and individual AES key.
  3. When the user wants to read the content, have them send (maybe I can decrypt in the browser?) the RSA private key; for each piece of content, use it to decrypt the AES key, then use the AES key to decrypt the content itself.

This is just what I plan on doing. Not really sure if it works or not (but it should, right?!)

Any new ideas, or ideas how I can make this even more private? Is this plan even decently safe? Thanks!

1 Comment
2024/09/07
14:51 UTC

2

Is there a security reason for not saying an email/username is not in the system?

So basically I see A LOT of websites that, when prompted to reset a forgotten password, give the user the prompt "An email has been sent" even if that email was never registered in the system as a user.

Can someone explain what the reason for this is?

Why not give the message "Email is not registered"?
That would be much more useful for the user. Rather than the user having to wait to see if an email comes, and if it doesn't then figure out that they used a different address, they can instead immediately try a different address.

I am guessing it is a security issue of some kind rather than just lazy coding.

6 Comments
2024/08/29
11:28 UTC

1

Web security

So I’m unsure of if this is the right place to post this. I've been looking into web security protocols recently, and I'm curious about something. In your expert opinion, can a state of the art website with robust security measures, we're talking advanced intrusion detection systems with multi-factor authentication, and perhaps even AI-driven behavioral analysis, detect when a user is engaging in screen recording or taking screenshots?

I understand that JavaScript can sometimes detect certain browser-based screenshot attempts, but I'm wondering about more sophisticated methods that might bypass traditional client-side restrictions. Are there any server-side techniques or emerging technologies that could reliably identify these things? My programmer friend explained a little bit about this to me but he wasn’t sure.

0 Comments
2024/08/05
07:22 UTC

3

Link Between Phishing Domains and STUN Servers

I'm currently investigating a phishing scam and I've come across something puzzling. I noticed that phishing domains hosting fake pages are generating numerous DNS requests to suspicious STUN servers without any apparent reason (no VoIP service, no need for WebRTC or P2P exchange).

  • What potential link could exist between phishing domains and STUN servers?
  • Why would a phishing domain need to interact frequently with STUN servers?
  • Has anyone seen similar patterns or have insights into this behavior?

1 Comment
2024/07/30
08:30 UTC

1

How would allowing many features of the https:// protocol on the file:/// scheme introduce security vulnerabilities?

I have a very basic question to ask regarding web security.

I have asked this question because I have seen so many things that you can do while you are working with a local server over the http:// protocol, but such features aren't available with the file:/// scheme (directly opening an HTML file in a browser with the file:/// scheme). I know such features are restricted over the file:/// scheme due to security vulnerabilities.

Assume that someone is accessing his HTML webpage locally using the file:/// protocol and he is not using a local server to access or view an HTML webpage; then how would allowing many features of the https:// protocol on the file:/// scheme as well introduce security vulnerabilities?

I already tried to ask ChatGPT but didn't get any practical examples that make sense.

Please, can someone explain it with some examples?

0 Comments
2024/07/27
04:38 UTC

1

Securing an API that supports both web and mobile clients

One of the commonly-cited benefits of using a SPA is when you want to expand and have a mobile app, you can use the same REST API for both. How does this work in practice, specifically with regards to user auth?

In a web environment, you generally have an HTTP-only cookie or a JWT (or both) for authorization, while with a mobile app, you might do something like exchange an API key for a JWT. How would this work if using the same API for both, specifically in regard to authentication? How would one reliably differentiate between a mobile user and a web user? Mobile clients can fake cookies and web clients can fake user agent strings, so these don't seem to be options.

The primary concern seems to be a web user getting an API key for auth instead of a cookie, but does this even matter that much? Functionally, this will allow a user to log in for much longer durations, but is there even a way to really prevent this anyway, given that a user could create their own mobile or desktop client that consumes the API? As long as the difference between a web user and an app user is limited to the auth mechanism, what's the practical threat exposure? I'm an experienced web developer, but I'm new to desktop/mobile client development, so this particular problem domain is new to me.

P.S. yes, I know security is hard. Yes, I know enterprises don't roll their own auth. Yes, I know about Auth0 et al. This is more informational than anything.

4 Comments
2024/07/22
02:17 UTC

0

Most Secure Websites on Earth?

Which websites have truly excelled in their execution of best web app/ api security practices?

The ones that resist the most fiendish web app attacks common in our time?

The ones that have mastery of best Web App practices as defined by OWASP?

I ask because I think we all can learn from such organizations.

I thank anyone in advance for responses!

3 Comments
2024/07/21
00:26 UTC

1

What do you think of report-uri.com?

There are not many tools like that one.

Is that worth paying for?

Are there any alternatives?

What do you use for CSP?

6 Comments
2024/07/12
18:33 UTC

3

ecommerce security

Hello! I'm making an ecommerce website and I want to do some research into the security aspects. Ideally I'd like to read a book about it or something, is there anything you could recommend?

3 Comments
2024/07/11
17:50 UTC

1

How to protect API from being proxied or used by other frontends

So I have a website (www.foo.com) and an API (api.foo.com) which is used for authN/Z and other user related transactions. The problem is our website, which is public, is suffering from fake website copies, which might be scraping our frontend and using our API endpoint to auth. So we’ve added proper CORS and cookie validation shared only on our domains (FE and API). But the attacker upgraded to just proxying requests and managing all API requests through their server/code to emulate browsers and bypass our cookie protection. At this point I don’t think any other thing we implement on the application level can help with these kinds of attacks. What do you think?

Thanks.

7 Comments
2024/07/03
04:23 UTC

0

I sent an email to someone I should not have. Through my Gmail. I forgot to put my VPN on.

I used the Gmail app on my phone. Is there any way the person that received this email can figure out what city I’m in or where I live? If so, they may know it was me… 😱😱😱😧😧😧😦😦😦

0 Comments
2024/06/28
05:00 UTC

3

Security Questions on Website Registration - Safe???

I am often surprised that security questions are still a thing for account recovery.

Though I don't have current training or experience in web security - almost 20 years have passed since I studied this sort of thing briefly - it seems to me that these questions are a disaster waiting to happen. "What city was your mother born in?" Really? How did this approach to authentication survive past 1997?

Do I have this wrong? Are these not the worst possible idea, or is there some reason that they're a legitimate tool for account recovery authentication?

I'd be interested in hearing the perspectives of people with current experience in the field.

2 Comments
2024/06/22
17:04 UTC

1

Best option to secure private keys. AWS KMS vs AWS CloudHSM.

Hey,

I'm working on a project that involves super sensitive private keys, and I'm looking for some advice on the best way to store them securely in AWS. Two options are popping up: AWS CloudHSM and AWS KMS. But which one is like Fort Knox for my keys, even if someone hacks into my AWS account?

This is where I'd love to hear from you all! I'm open to suggestions and any insights you might have on CloudHSM vs. KMS for ultimate private key security. Should I go for the extra layer of protection with CloudHSM, or is KMS sufficient for most cases?

Thanks all

3 Comments
2024/06/03
22:49 UTC

1

Is my YouTube account hacked - what should I do?

Some years ago, I noticed hundreds of weird videos in my YouTube liked playlist: tons of Indian songs, rap songs, tutorial videos, stuff like that.

I manually deleted them multiple times, and hundreds of other videos reappear after a while. It's not a constant stream; this last chunk was 142 liked videos ago, and I quite rarely press the like button, just to save a video sometimes. It's like there's some number of likes assigned to my account, and new ones are added only if I delete old ones. Maybe to not trigger some alarms with a 100k liked video playlist.

No other weird activity on my YouTube account, or other accounts. I've had it for years, and it uses my secondary email address. The Google account isn't compromised, there's no other weird activity on my YouTube channel, no added subscriptions.

Changing the password didn't solve the problem, and my Google accounts only show my devices as being connected.

So I'm not sure it's a client side issue; it sounds like someone has some level of access to YouTube servers / services who shouldn't, and is simply using my account's liked videos playlist address as some like dump for some like bot.

So what should I do? YouTube doesn't have some help chat or problem resolution email. The problem, although small scale, should worry them, I assume, since it indicates a deeper problem.

3 Comments
2024/06/01
20:35 UTC

1

Building a Centralized Crypto Exchange. What is the secure way to store users' wallets?

I'm currently developing a centralized crypto exchange (CEX) and I'm seeking expert advice on the most secure way to store user wallets, including both public and private keys. This is a critical aspect of ensuring user fund security and trust in my platform.

Any insights or best practices you can share on secure wallet storage strategies for CEX applications would be greatly appreciated.

Thanks in advance for your assistance!

0 Comments
2024/05/25
22:41 UTC

1

Security headers

What's the best practice for setting the right security headers on backend and frontend applications with any negative impact on the app? I will be glad to hear opinions.

0 Comments
2024/05/22
16:24 UTC

2

Enhancing Web Security with RSA and AES Encryption

Update:
I know TLS is very secure, but what if the website is redirected to a proxy server that disables TLS and uses its own certificate authority?
Also this is just another layer of security.

I've been exploring ways to bolster the security of web communication, particularly when it comes to protecting sensitive data. One approach that caught my attention involves combining RSA and AES encryption for an added layer of protection.

I know that a red sign will appear that the website is not secure, but many users will just ignore it and continue.

Also this is just another layer of security.

The Approach

1. Session Initialization

  • The server generates a unique session identifier and a session-specific AES key.
  • An RSA key pair is generated (public and private keys).
  • The server sends the public RSA key to the client.

2. Client-Side Encryption

  • The client generates an AES key for encrypting the payload.
  • Using the server's public RSA key, the AES key is encrypted.
  • The client encrypts the payload using the AES key.
  • Encrypted AES key and payload are sent to the server.

3. Server-Side Decryption

  • The server decrypts the AES key using its private RSA key.
  • Using the decrypted AES key, the server decrypts the payload.
  • Processing the request, the server generates a new AES key for subsequent operations.

4. Session Key Rotation

  • After each operation, the server updates the session with a new AES key.
  • The new public RSA key is sent to the client for future requests.

Conclusion

By employing RSA for key exchange and AES for payload encryption, this approach aims to bolster security for web communications. The frequent rotation of AES keys and secure exchange of session-specific keys ensure robust protection against potential threats.

I'd love to hear your thoughts on this approach. Any feedback or insights on improving web security would be greatly appreciated!

Thanks!

4 Comments
2024/05/22
15:50 UTC

3

Is eka’s portal safe?

From the start I’m gonna say, sorry about the weird question.

Is eka’s portal (aryion.com) safe? I mean if I didn’t download anything from it, only by visiting the website?

Thanks (in advance) for your answers

4 Comments
2024/05/14
15:23 UTC

1

Example of a web security metrics document

I've been trying to find a real-life example of a web security metrics document that is created after a security assessment is conducted. When I tried to search about it online, what's showing up is research papers or web articles, none of which gave me an example document. What I want to see and learn is some kind of a PDF document that a security analyst provides to a client, consisting of things like: all of the vulnerabilities found, scores, risks, etc., and most importantly the "security metrics".

Basically I'm not clear as to what kind of metric or what kind of report I need to provide for it to qualify to be called security metrics.

I hope you would kindly share a document or draft about this topic that you personally have, or just give me a suggestion on what keywords I should use to search this.

Your help is much appreciated. Thanks in advance!

2 Comments
2024/05/14
07:51 UTC
