Replay attacks for HTTPS requests

HTTPS is not replayable: the first server response in the handshake sequence includes a server-chosen random number. What Fiddler does is act as a proxy, meaning it intercepts your browser's requests and then generates an identical request to the server, meaning it has access to the plaintext, which is what it will be replaying. Your …

Understanding CSRF

The attacker has no way to get the token. Therefore the requests won't take effect. I recommend this post from Gnucitizen. It has a pretty decent CSRF explanation:

What is the most secure method for uploading a file?

Allow only authorized users to upload a file. You can add a captcha as well to hinder primitive bots. First of all, set the MAX_FILE_SIZE in your upload form, and set the maximum file size and count on the server as well. ini_set('post_max_size', '40M'); // or bigger for multiple files ini_set('upload_max_filesize', '40M'); ini_set('max_file_uploads', 10); Do size …

php hide ALL errors [duplicate]

PHP has a configuration directive intended exactly for that, called display_errors. Like any other configuration setting, it's best set in php.ini. But in case you don't have access to this file, you can set it right in PHP code. To hide all errors: ini_set('display_errors', 0); to show all errors: ini_set('display_errors', 1); While ERROR_REPORTING …

WCF error: The caller was not authenticated by the service

If you use basicHttpBinding, configure the endpoint security mode to "None" and the transport clientCredentialType to "None." <bindings> <basicHttpBinding> <binding name="MyBasicHttpBinding"> <security mode="None"> <transport clientCredentialType="None" /> </security> </binding> </basicHttpBinding> </bindings> <services> <service behaviorConfiguration="MyServiceBehavior" name="MyService"> <endpoint binding="basicHttpBinding" bindingConfiguration="MyBasicHttpBinding" name="basicEndPoint" contract="IMyService" /> </service> </services> Also, make sure the directory's Authentication Methods in IIS enable Anonymous access.

How to pin the Public key of a certificate on iOS

In case you need to know how to extract this information from the certificate in your iOS code, here is one way to do it. First of all, add the Security framework: #import <Security/Security.h> Then add the OpenSSL libraries. You can download them from #import <openssl/x509.h> The NSURLConnectionDelegate protocol allows you …