Questions tagged [server]
A server is a machine running a software daemon that is generally accessed over a network by other machines.
594 questions
2 votes, 0 answers, 53 views
Evaluating Self-Hosted Web Applications
Background:
There are a lot of self-hosted web applications these days, and often, more than one for the same purpose. In my case I am looking for a replacement for GitHub or other big tech/cloud git ...
2 votes, 1 answer, 281 views
More secure way than sending cookies through JSON from server to server?
In learning more about web security, I was thinking of hiding my tool for managing cookies for auth, but putting it in a backend "API" server, and having the frontend "web" server ...
2 votes, 0 answers, 55 views
How to list the devices connected to any website? [closed]
I want to identify the devices currently connected to my web server. How is this done and what are the tools used to do this?
0 votes, 1 answer, 81 views
Enabling App Notification, Not Secure?
So I'm kind of a beginner, and I always hear that only when I request data from a server is the server allowed to send me data; otherwise it would be a security hole to allow a server to send me data ...
1 vote, 1 answer, 93 views
In a TLS 1.3 server hello, can the legacy version field be set to 0x0304?
As part of the TLS 1.3 handshake, the client hello is sent containing TLS 1.3 version support in the supported_versions extension; consider the case where, in the server hello, the supported_versions extension is not ...
1 vote, 0 answers, 27 views
Can puzzle-based data exchange enhance decentralized network security? [closed]
I'm a student and during one of my classes I came up with an idea about sharing data online. I'll say right away that I'm not an expert, but rather an amateur who wants to share my thoughts and get ...
4 votes, 2 answers, 2k views
Securing HTTP File Transfer over local network
My intention is to transfer files between a computer and a cell phone in the same network. I have created a system consisting of two apps for this purpose (everyone should be able to use the apps): ...
0 votes, 1 answer, 77 views
Random Requests Trying To Download Virus On Server?
So, I was hosting my website on FastAPI, and then I saw these 2 requests on my server.
I found that there was a link that pointed to a file named "shk" on random IP addresses. I tried to ...
25 votes, 4 answers, 10k views
Should I be worried about unusual SSH login attempts from unknown IP addresses?
I've been monitoring my server's SSH logs and noticed a steady stream of login attempts from unknown IP addresses, mostly from different countries.
Heaps and heaps of account names are tried, and with ...
0 votes, 0 answers, 79 views
Overcoming Middleware: Exploiting XSS to Retrieve Data
I am attempting to perform an XSS attack on my server and have successfully bypassed the CSP. In my server code, I store all users in the following manner:
.get("/users", adminReq, (req, ...
0 votes, 0 answers, 136 views
Does using a VPN to allow ssh connections provide better security, especially after seeing how CVE-2024-3094 (XZ backdoor) is done?
For my own (public) servers, is it considered a good idea to only allow ssh connections from VPN connections (OpenVPN, Wireguard or otherwise), to mitigate any possible attacks in the future on ssh?
...
0 votes, 1 answer, 85 views
Benefits of random responses to exceptions over generic error responses
Attackers can send requests with data that the server does not expect in order to try to get responses that reveal secret data. One common example is when the server experiences an exception. A poorly ...
0 votes, 1 answer, 225 views
Passwords/password hashes in plaintext in service configs - why is this common practice?
A while ago I wanted to deploy a service using an OCI (docker/podman) container, and I noticed what seemed to me like a possibly disturbing trend. In the build file for a lot of the containers, the ...
0 votes, 1 answer, 110 views
Malicious actors on LAN
I was reading this security advice, which says:
The neovim process binds itself to 127.0.0.1, so malicious actors on your LAN should be unable to interact with either your webextension or your neovim ...
0 votes, 1 answer, 174 views
How to protect a local app that acts as a webserver from exploits?
For me, building interfaces through HTML / JS frameworks is by far easier than any other framework I have tried in the past. It's also not that strange, as by far most UIs are based on the web ...
0 votes, 1 answer, 287 views
How to isolate VMs with internet exposed websites on my home network?
I want to host some websites served from an isolated VM which is on my home network through port forwarding.
Although I believe this is reasonably safe, I want to physically segment internet-exposed ...
0 votes, 1 answer, 189 views
Connecting my Windows desktop JavaFX app to my external server by VPN or Wireguard
I have a desktop application with JavaFX and I need to connect it to the server in a safer way. Right now, the program connects via MySQL and FTP without TLS.
I've thought to connect it by VPN, but the ...
0 votes, 0 answers, 355 views
Refresh-token rotation without additional frontend requests
I'm implementing a refresh-token rotation mechanism. For the sake of simplicity in implementing the frontend I would like to remove the need for requesting a new access token when an old one expires.
...
0 votes, 1 answer, 610 views
Getting a couple of remote logins and calls into an Ubuntu server?
I have an Ubuntu server (Ubuntu 22.10 x64) on DigitalOcean. And I am using FastAPI, uvicorn, gunicorn and nginx, as I use it for my backend API calls from my frontend, and my frontend IP is dynamic.
...
0 votes, 1 answer, 312 views
HIPAA Compliance for Frontend Hosting
I am using a non-HIPAA-compliant vendor (Vercel) for the hosting of my site. This includes serverless functions on Vercel's infrastructure that serve HTML/CSS/JS. However, the entire backend/database ...
0 votes, 0 answers, 971 views
SQL injection in Microsoft SQL Server 2017: problem retrieving db names
While I was pentesting, I came across a blind SQL injection in a website that uses IIS. I tried this payload " AND 11=11 AND ('Hlua'='Hlua" and it works and gives the success page, then I ...
0 votes, 0 answers, 7 views
Server directory bruteforcing [duplicate]
Recently I saw hundreds of strange requests from different IP addresses in my server logs.
These requests were trying to bruteforce directories for example:
GET /admin/admin.php 404
GET /admin/...
0 votes, 1 answer, 1k views
Does a DDoS Attack affect the internet connection apart from the service it's attacking?
Lately I've been experiencing some crashes related to my internet connection. I'm in the process of pinpointing what is causing the issue, and one of those possible causes might be a DDoS attack, ...
1 vote, 1 answer, 3k views
Renewing Enterprise CA certificate
I have just renewed my Root CA certificate and am having issues renewing my Enterprise CA certificate.
My setup is that the Root CA is offline with an online issuing CA server.
When I do the renewal nothing ...
0 votes, 0 answers, 76 views
Need for Transaction SIGnature (TSIG) record
Can't we simply send the shared secret key along with the AXFR query?
A hacker can easily use a sniffed TSIG record to authenticate himself. Then how is it called a SECURED zone transfer?
2 votes, 2 answers, 444 views
How can I prevent visitors from exposing their personal IP addresses to my server?
I'm running an Apache server on an Ubuntu EC2 instance for some online friends, but they don't want me to be able to identify them in real life. The hosted webapps require login, so it'd be easy for ...
1 vote, 1 answer, 481 views
Is running PHP file_get_contents on random user-generated links safe?
In one of my PHP apps, I have a part where it scrapes the content of random links on the internet using file_get_contents, and then it runs a regex on this content to find all the email addresses in ...
1 vote, 0 answers, 187 views
Implement replay attacks in Python [closed]
For an assignment I have to implement a proof of concept and (optionally) attack it. The OCSP part is working so far. I have a client that sends the request to a server, the server verifies if the ...
1 vote, 1 answer, 311 views
Should old versions of TLS be disabled at the OS level and the server level?
My environment has a variety of operating systems (Windows, Linux, etc.), servers and applications. Infrastructure scans are showing old versions of TLS that need to be disabled at the OS level, while ...
1 vote, 0 answers, 162 views
Going about sharing 2FA key between multiple login methods on a Synology NAS + browser & SSH authentication
I've recently acquired a Synology server (DS720+) and have it accessible outside my LAN via a VPN. I have 2FA on for logins to the server via the web portal, but I have found many use cases for ...
2 votes, 1 answer, 2k views
How to remotely check if SSL 3.0 is enabled on server?
I would like to remotely verify whether SSL 3.0 is running on several servers.
Previously, this command:
openssl s_client -connect example.com:443 -ssl3
Would have worked but now I am getting the ...
18 votes, 5 answers, 9k views
Is having the name of web server software in HTTP response header a serious problem?
How serious a security problem is it to have the name of the web server in the HTTP header (Apache, Nginx etc.)?
I am discussing this with a system administrator and he told me that deleting version ...
0 votes, 1 answer, 73 views
Validating the authenticity of messages from a public client without authentication
Say I have a game; when you finish playing you put your name in and your score is synced with a public scoreboard. Assume also that I own the server and its code. How can I verify that the scores ...
0 votes, 2 answers, 148 views
Dismissing 500 errors in logwatch
Logwatch shows those attacks giving a 500. Given that 500 is an internal server error, does that mean I need to examine further or dismiss?
421 (undefined)
/: 4 Time(s)
500 Internal Server Error
...
0 votes, 0 answers, 315 views
Path Traversal with rawurldecode and dots validation
I'm trying to check if it's possible to bypass a two dots verification to perform a Path Traversal, downloading files out of the allowed folder. The problem is that it uses rawurldecode when ...
0 votes, 2 answers, 321 views
What's so bad about including "backdoors" to a Website?
I have a fundamental question about the harm of leaving a backdoor in one of my public websites / platforms. I do not want to discuss the details of why I wanted to do that; I just want to understand ...
2 votes, 1 answer, 2k views
Missing Linux Kernel mitigations for 'iTLB multihit' hardware vulnerabilities
I don't know how to mitigate iTLB multihit vulnerability.
/sys/devices/system/cpu/vulnerabilities/itlb_multihit | KVM:
Vulnerable
Found this: iTLB multihit,
But I have no access to the host machine ...
0 votes, 1 answer, 137 views
Ways to inject malicious content during an HTTP file transfer
Assume an Apache server (http, no authentication just hosting static files) is running in my local network which is hosting some zip files. Assume User A is requesting a zip file from the Apache ...
0 votes, 1 answer, 176 views
Site "can't" change username, why? [closed]
There's a website I have an account on, and I needed to change my username. They said they were unable to change that. I requested to just have my account deleted, and then I would create a new ...
0 votes, 1 answer, 154 views
Big old project getting hacked
My website has been getting hacked for the last 2 days. I'm an amateur who built it back in 2007-ish and it still has some poor code. It was a hobby project that suddenly became very popular and lived to this day ...
0 votes, 1 answer, 2k views
Gzip only the request body of an HTTPS request: security BREACH?
I'm not an expert on security.
I heard it's not recommended to enable GZIP compression for HTTPS requests, as that would open a security issue (see SO answer: https://stackoverflow.com/a/4063496/17307650 ...
1 vote, 3 answers, 328 views
Should deprecated versions of TLS not be used?
I'm setting up a server, and the default configuration allows connections with deprecated TLS versions. Should I remove deprecated TLS versions from my server? What is the difference between a ...
-2 votes, 1 answer, 134 views
Is there any way to make the Government not find out geolocation from the hoster? [closed]
The government can find servers very quickly by contacting the hoster that hosts your VPN server, and the service provider might give out your IP address.
But what if I use torsocks ssh -d? I don't know ...
2 votes, 1 answer, 153 views
Defining scope of a software pen test
If I own a piece of software and I want to conduct a pen test with pen testers, should I define the scope, or do the pen testers assess the software first and then define the scope? How does scope definition ...
1 vote, 1 answer, 257 views
How to prevent shopping cart alterations in another tab when a PaymentIntent is already created?
Has anyone figured out a solution to this? I seem to have reached the same conclusion with no solution.
If I were to go to my app's checkout page, the PaymentIntent is created in the backend (explained ...
1 vote, 2 answers, 1k views
Is an Ethernet FTP server on a local network safe if an attacker can't access the router?
I'm having trouble understanding certain security concepts and I was wondering if someone could help me out with some questions.
Imagine this setup:
A home router with a very strong password, that ...
3 votes, 1 answer, 124 views
Is a client-server model for doing root operations without asking for the password every time secure?
I'm writing a Python application that will do some operations requiring root privileges. Instead of asking for the user's password every time, I decided to use a server-client model.
A Python script ...
0 votes, 1 answer, 201 views
Secure file transfer between servers
I have two servers (server1 & server2).
Server1 needs to send a file to server2 for it to process.
How can I make a secure connection between these two servers so I'm sure that the file is sent ...
1 vote, 1 answer, 247 views
Does Re-Encryption make our data more secure?
We are focusing on mobile phone and hard drive encryption. This idea can be extended to any data encryption as well.
iPhone and recent Androids are all encrypted. We know that changing the password will ...
2 votes, 1 answer, 134 views
Chatting server that doesn't know who the end clients are
I am thinking of creating a small chat server. I want it to be as secure as possible, so I would find it very helpful if some expert could guide me a little bit.
Has there been any research on or ...