What is the significance of an app leaking its access token – knowingly/unknowingly with just read access

I am doing research on an app which has some secret ID. I see that the source code of the app has the secret ID hardcoded inside, and the API to request the access token has just this Secret ID as its query parameter. So ideally it is…

Are there any benefits of encrypting columns with sensitive data in the AWS RDS that is encrypted at rest?

For example, I have an application that allows users to integrate with 3rd party apps. It stores API keys for those applications in AWS RDS as plain text (a pretty old functionality). From the security standpoint, is it even worth encryptin…
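The point the question turns on is that RDS encryption at rest is transparent to the SQL layer: anyone who can run a query (leaked DB credentials, an injection in the application, a snapshot restored into another account) sees the API keys exactly as they were inserted. Encrypting the column in the application changes what such a query returns. The program below is an added example, not code from the question or from any answer to it. It models the integrations table in memory (a hypothetical schema, assumed here), seals each key with AES-256-GCM under a key-encryption key that is assumed to be supplied from outside the database (a KMS, an HSM or a file on the application host), and uses the row's identity as GCM associated data so that a ciphertext copied into another user's row no longer decrypts. Sample keys and user IDs are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// integrationRow models one row of a hypothetical "integrations" table.
// Only APIKeyEnc is ever written to the database; the plaintext key never is.
type integrationRow struct {
	UserID    string
	Provider  string
	APIKeyEnc string
}

const ctPrefix = "v1:" // version tag so the KEK can be rotated later

// rowAAD binds a ciphertext to its row: moving the column value into another
// user's row makes decryption fail instead of handing that user the key.
func rowAAD(userID, provider string) []byte {
	return []byte(userID + "\x00" + provider)
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAPIKey seals apiKey with AES-256-GCM under kek. The KEK is assumed to
// come from outside the database, so a database-level read cannot recover it.
func EncryptAPIKey(kek []byte, userID, provider, apiKey string) (string, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal with dst=nonce so the stored value is nonce || ciphertext || tag.
	sealed := gcm.Seal(nonce, nonce, []byte(apiKey), rowAAD(userID, provider))
	return ctPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptAPIKey reverses EncryptAPIKey for the given row. Tampering, a wrong
// KEK, or a ciphertext copied from another row all yield an error.
func DecryptAPIKey(kek []byte, userID, provider, stored string) (string, error) {
	if !strings.HasPrefix(stored, ctPrefix) {
		return "", errors.New("unrecognised ciphertext format")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, ctPrefix))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(kek)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, rowAAD(userID, provider))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DumpTable is what a SQL session sees. Encryption at rest does nothing here;
// without application-level encryption this output would be the plaintext keys.
func DumpTable(rows []integrationRow) string {
	var b strings.Builder
	for _, r := range rows {
		fmt.Fprintf(&b, "%s\t%s\t%s\n", r.UserID, r.Provider, r.APIKeyEnc)
	}
	return b.String()
}

func main() {
	kek := make([]byte, 32) // in production: fetched from a KMS, never from the DB
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed sample data, not real credentials.
	enc, err := EncryptAPIKey(kek, "user-42", "github", "ghp_exampleSampleKeyNotReal")
	if err != nil {
		panic(err)
	}
	rows := []integrationRow{{UserID: "user-42", Provider: "github", APIKeyEnc: enc}}
	fmt.Print(DumpTable(rows)) // ciphertext only
	key, err := DecryptAPIKey(kek, "user-42", "github", rows[0].APIKeyEnc)
	fmt.Println("own row:", key, err)
	_, err = DecryptAPIKey(kek, "user-99", "github", rows[0].APIKeyEnc)
	fmt.Println("swapped row:", err) // AAD mismatch, the key is not released
}
```

The version prefix is what makes a later migration practical: rows still holding a bare plaintext value fail the prefix check, so a backfill job can find and re-encrypt them, and a second prefix can introduce a rotated KEK without re-encrypting everything at once. What the scheme does not cover is an attacker who controls the application host itself, since that host must hold the KEK to serve requests.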

com.sec.android.app.camerasaver is using the camera in the background on android 12 [migrated]

Samsung phone
Android 12
One ui core 4.1

Whenever I reboot my phone, the camera indicator shows up in the status bar, there's no camera-related app open in the foreground, and I have not enabled background permission for any app (except fo…

Vulnerabilities in Build-time Libraries Could be a Security Threat

If a dependency that is used in the development environment or at build time has a security vulnerability, could it cause a security threat for the application? I'm looking for an example to understand how it can have an impact on the security…

How to distribute Android mobile app functionality between OS, Trusted Execution Environment (TEE) and Secure Element (SE)?

There are different scenarios when it's about secure computation/storage on mobile devices, e.g., "REE only", "REE + TEE", "REE + SE" or "REE + TEE + SE".
REE – Real Execution Environment, i.e. de…

Securely store application secrets in production without 3rd party KMS

Integrated Security

I have an ASP.NET web application with connection strings and other secrets to protect in production. Ideally I would like to use IntegratedSecurity to keep SQL credentials out of the connection strings, but IIS Expres…