security - w3toppers.com

How to hash a password with SHA-512 in Java?

you can use this for SHA-512 (Not a good choice for password hashing). import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; public String get_SHA_512_SecurePassword(String passwordToHash, String salt){ String generatedPassword = null; try { MessageDigest md = MessageDigest.getInstance(“SHA-512”); md.update(salt.getBytes(StandardCharsets.UTF_8)); byte[] bytes = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); StringBuilder sb = new StringBuilder(); for(int i=0; i< bytes.length ;i++){ sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, … Read more

Setting cookie in iframe – different Domain

Since your content is being loaded into an iframe from a remote domain, it is classed as a third-party cookie. The vast majority of third-party cookies are provided by advertisers (these are usually marked as tracking cookies by anti-malware software) and many people consider them to be an invasion of privacy. Consequently, most browsers offer … Read more

Improve password hashing with a random salt

An attacker is “allowed” to know the salt – your security must be designed in a way that even with the knowledge of the salt it is still secure. What does the salt do ? Salt aids in defending against brute-force attacks using pre-computed “rainbow-tables”. Salt makes brute-force much more expensive (in time/memory terms) for … Read more

How to check if class exists somewhere in package?

Not sure about android but in standard JDK you would do something like this: try { Class.forName( “your.fqdn.class.name” ); } catch( ClassNotFoundException e ) { //my class isn’t there! }

Javascript – key / certificate from USB Token

It is not possible for now. The WebCryptoApi does not support using keys stored in external keystores like smartcards, Mozilla keystore or Windows KeyStore (used by Chrome and Explorer), and reading the comments of the last conferences, it is not a current priority. There is another Javascript API specification of W3C to be used with … Read more

Shredding files in .NET

This code from codeproject may be a good starting point. Eraser has been around for years, you could call out to it by using System.Diagnostics.Process, or at least review the algorithm there.

Limiting user login attempts in PHP [duplicate]

I saw a creative approach to this once… For each login attempt, that fails, the lockout time increases… exponentially. attempt | lockout time ====================== 1 | 2s 2 | 4s 3 | 8s 4 | 16s 5 | 32s 6 | 64s 7 | 128s 8 | 256s 9 | 512s 10 | 1024s In … Read more

How to block external http requests? (securing AJAX calls)

There is no way to avoid forged requests in this case, as the client browser already has everything necessary to make the request; it is only a matter of some debugging for a malicious user to figure out how to make arbitrary requests to your backend, and probably even using your own code to make … Read more

Has Hardware Lock Elision gone forever due to Spectre Mitigation?

So, TSX may be disabled not to mitigate Spectre, but as a part of another vulnerability mitigation, TSX Asynchronous Abort (TAA). Here’s relevant article on Intel website: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort / CVE-2019-11135 / INTEL-SA-00270 Which links to two more detailed articles: TSX Asynchronous Abort (TAA) CVE-2019-11135 Microarchitectural Store Buffer Data … Read more

Memory randomization as application security enhancement?

It increases security by making it hard to predict where something will be in memory. Quite a few buffer overflow exploits work by putting (for example) the address of a known routine on the stack, and then returning to it. It’s much harder to do that without knowing the address of the relevant routine. As … Read more