Collaborate Disseminate
Say a ransomware encrypts your database but hides the fact (by secretly decrypting everything you ask for). Then your backups become rubbish once the attacker deletes the key.
What are good measures against that?
I wonder if you e.g. shoul… Continue reading How to make sure that your backups are not encrypted?
In order to improve our security posture, we changed several dozen internal applications over to using a new username and password to access an AS400 database a few months back.
However, there is some mystery process running on a Windows S… Continue reading What’s a good approach to finding the source application that’s attempting to access a database with an incorrect password? [migrated]
I recently started receiving some really strange http traffic, and I’d like to understand what it’s trying to do. Some of it seems like sql injection attempts, but the strings are appearing in the referrer URL and in the user-agent as wel… Continue reading What are these http requests trying to break?
Less than a year ago a hacker was able to steal my personal information through my bank’s database. Is it possible for this hacker to steal my IP?
Continue reading Can a hacker steal my IP from a stolen bank database? [closed]
Having one HTTPS api which has an endpoint i.e POST data how can we prevent/check that the data received is not malicious or possibly detrimental?
To consider (please read)
POST data receives 2 payload parameters: key and data. Where key could be any valid string (even allows extension malicious.bat and data a string or multipart/form-data.GET data will return the data into a downloadable file where the file name is the key parameter and sets the Content-Type to application/octet-stream.danger.bat data: !#/bin/bat\ndb_destroy;' and when retrived, a file on name danger.bat` is downloadable.POST data from 0 in order to don’t destroy current api-clients, so in that part I am quite free but let’s say, can’t do much on the GET data.Best way and how to validate data a scan for possible Malware/virus/XSS(cross-site scripting)/ and other possible malicious content sent via HTTP through an API by client.
What are the possible dangers on letting a client create/read any type of strings into a database without check what’s the content?
With an API a client can connect to endpoint /postdata and currently accepts any Content-Type. The data can be inserted in a form-data or urlencoded base64, anytype of string or bytes. Once the the request is received in the database, there is not check, the data is only converted from a string into base64 bytes and then inserted into a database as bytes databytes, more specifically in a Cochbase database. The user also specify the name of its data with a name.
In another endpoint called /getDatathe client can retrieve that data.
So a sending client can send stuff like (as strings):
virus.html<!DOCTYPE html><html lang="en"><head></head><body><script>alert("Virus!!!!")</script></body></html>virus.bat#!/bin/bash echo "Virus";base64 if as parameter of a URL or as field in a form-data ( multipart/form-data)Also worth pointing out that once this data is in the database, is not proccessed or used, but only released to the client when it requests it via the /getData endpoint.
The challange I’m facing is that currently, there is not checking on the string sent by client, so it could technically send malicious data, however, how can you check a string with all the different possible dangers?
schroeder Actually in the comment made a good example:
how is the risk different from hosting an html file on OneDrive, Google Drive, Dropbox, etc.?
Now, this back-end service that I’m facing this challange is not like the above mentioned apps, however, a similar use case would be with Google Drive and you are the security developer
user_a put in his drive: virus.html and shares it for the web.user_b click on the virus.html on the link, downloads it no problem and is pc blows up, or whatever malicious thing the virus.html was meant forI can see 2
user_a when it uploads virus.html? Can you prevent it somehow?user_b when it download virus.html?For example, someone can send data in a form of html (like above example) and also set it’s name as a html file with file extension.
If then you request that data, the file is downloaded.
I’ve already read and went through these related post, however, they are more specific to file and when adding a file into a folder. However in this case we are adding a file as array of bytes into a database and later retrieved.
Continue reading Malware prevention of data received in a POST endpoint
As part of a project for school I’ve been tasked with designing a secure application that should be able to upload and download files from a database. I have very little experience in the area of security so I’m unsure of where to start so… Continue reading How to design a desktop application that has access to a database via LAN?
I wanna develop cex but have some issue about private key .How can i secure private key (from inside and outside) in db When generated wallets for customers ?
With my team, we have developed a web application that interacts with a MySQL Database that stores quite a lot of information. The application and database runs only in our internal networks and won’t be accessible through Internet.
Around… Continue reading Should I encrypt database data
Should I store credentials (like email, hashed password) in a separate table than the user’s profile information (bio, gender, etc)?
My main concern is that I’ll be sending other user’s information (that doesn’t include credentials) to the… Continue reading Should user credentials and user info be stored in seperate tables?
We discovered a vulnerability with our system. We have a situation a user can log in into multiple devices and trigger a request at once so that checks like this are bypassed.
if(credit > purchase){
// Make api call
If(successful){
// D… Continue reading How to prevent multiple requests from passing database check? [migrated]