All Questions
Tagged with permissions web-application
14 questions
0 votes, 1 answer, 848 views
refresh token without client_id and client_secret
I was reading the OAuth protocol docs https://datatracker.ietf.org/doc/html/rfc6749#section-6 where it implies that you don't need a client_id and client_secret to refresh an access token, just a ...
1 vote, 0 answers, 96 views
Securing multiple systems accessing the same data
I'm hitting a roadblock when it comes to security for managing scoped permissions for servers.
Right now I run a community which can create sub-servers. So community A can allow certain users to ...
1 vote, 2 answers, 259 views
Is it OK to allow a web application to write its own executable files?
Usually I set up my Ubuntu server to have at least 2 users:
A user on whose behalf the web server (Apache or Nginx) runs, e.g. www-data in group www-data
A user that updates and maintains the web ...
68 votes, 7 answers, 18k views
User can't navigate to webpage through the UI due to permissions, but is able to navigate to page by pasting the URL. How do I protect against this?
In my application, users have certain roles which have permissions. These permissions dictate which UI elements are available to them at the home screen. Many of the elements link to other pages, ...
2 votes, 4 answers, 458 views
Why are there so many web servers which get exploited by generating obfuscated files?
TL;DR
How do those obfuscated files that many users complain about on this SE site get onto their systems? And after that, even more interestingly, how do they get executed?
Is this caused by the way php ...
1 vote, 0 answers, 208 views
Potential security issues in a two-part upload process
I use a pre-signed URL approach for uploading files to a private S3 bucket. A CloudFront distribution is configured to use this bucket as the source.
The upload process is only available to ...
13 votes, 1 answer, 4k views
Security of IFTTT
IFTTT looks like a powerful service but I'm also highly sceptical of its security. Could somebody give me a brief rundown of how you think it works and what the security implications are please? I've ...
13 votes, 4 answers, 957 views
Custom socket server on the internet running as root
We are writing a custom socket server which runs on a high port. Until recently, it has been running behind a corporate firewall. Now, it has been decided that the server should be taken outside the ...
0 votes, 1 answer, 173 views
What technique should I use to prevent unpermitted access to my REST API
I need to build a REST API that can be accessed via HTTPS when given valid credentials.
How should I implement those credentials?
I am looking for advice whether I should use plain old passwords, ...
5 votes, 1 answer, 908 views
What are the dangers with creating MySQL databases on the fly?
I am building a site where people set up small, private, social networks. For ease of administration and portability, I would like each network to be stored in a different MySQL database.
I ...
2 votes, 3 answers, 1k views
What is the most secure way to set up web server user permissions? [closed]
The default Debian way of setting up a common web server (Nginx) is to run the main process as root and unprivileged workers as www-data. In order to allow for the worker processes to read/execute web ...
11 votes, 3 answers, 5k views
What kind of attack was this?
So our website was hacked, and these are the things that were done:
Some entries in the database were changed. I don't know if this was via SQL injection, or direct database access (only root is ...
1 vote, 1 answer, 183 views
Securing Downloadable Files on Website Per User
I have an ASP.NET website serving up private PDF documents. The PDFs are stored unencrypted on a share on the internal network. The user logs in and navigates to the download page. The web server ...
13 votes, 4 answers, 728 views
Sensitive information was placed in a publicly accessible folder. Who is responsible and how to proceed?
Background
We have an IT staff who manages our server and a web developer who is not on the IT staff and has no root access to the server. All involved do very high quality work and I do not consider ...