security

Understanding CSRF

by

The attacker has no way to get the token. Therefore the requests won’t take any effect. I recommend this post from Gnucitizen. It has a pretty decent CSRF explanation: http://www.gnucitizen.org/blog/csrf-demystified/

Where is the PEM file format specified?

by

For quite a long time, there was no formal specification of the PEM format with regards to cryptographic exchange of information. PEM is the textual encoding, but what is actually being encoded depends on the context. In April 2015, the IETF approved RFC 7468, which finally documents how various implementations exchange data using PEM textual … Read more

Is there any possible ways to bypass cloudflare security checks?

by

When you visit a site which is protected by cloudflare, it would contain a security check which you cannot bypass and on failing eventually your access is denied and you are redirected to the captcha challenge page due to the requests from low reputation IP addresses. IP Reputation is calculated based on Project Honeypot, external … Read more

Using Symfony2’s AccessDeniedHandlerInterface

by

This sounds about right. Or, if you’re specifically interested in AccessDeniedException you could also define access_denied_handler within your firewall in security.yml: security: firewalls: my_firewall: # … access_denied_handler: kernel.listener.access_denied.handler # … Then define your service in your services.xml or equivalent: <parameters> <parameter key=”kernel.listener.security.class”>Path\To\Your\Class</parameter> </parameters> <service id=”kernel.listener.access_denied.handler” class=”%kernel.listener.security.class%”> <tag name=”kernel.event_listener” event=”security.kernel_response” method=”handle” /> </service> The handler class: … Read more

Is it OK to return a HTTP 401 for a non existent resource instead of 404 to prevent information disclosure?

by

Actually, the W3C recommends (RFC 2616 ยง10.4.4 403 Forbidden) doing the opposite. If someone attempts to access a resource, but is not properly authenticated, return 404 then, rather than 403 (Forbidden). This still solves the information disclosure issue. If the server does not wish to make this information available to the client, the status code … Read more

Mysqldump launched by cron and password security

by

Quoting the MySQL docs(http://dev.mysql.com/doc/refman/5.1/en/password-security-user.html): Store your password in an option file. For example, on Unix you can list your password in the [client] section of the .my.cnf file in your home directory: [client] password=your_pass To keep the password safe, the file should not be accessible to anyone but yourself. To ensure this, set the file … Read more

tech