34
votes
Accepted
Why create a CSR on my own server to have it signed by a 3rd party?
My question is: What could the reason be that we (the previous sysadmin) would create the CSR etc, instead of just letting the customer create the certificate fully on their side, and when it's ...
15
votes
Why create a CSR on my own server to have it signed by a 3rd party?
What could the reason be that we would create the CSR?
In the first phase you do not create just a CSR, but a key pair. The CSR is derived from the public key of that pair, to be signed with the ...
11
votes
Accepted
Risk of allowing the string "xss" in query string
That is just cargo cult security filling no real purpose.
Any attacker who finds an XSS vulnerability could easily bypass that. Actually, they will probably never run into it in the first place since ...
7
votes
Which cipher is more secure TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA or TLS_RSA_WITH_AES_256_GCM_SHA384?
Neither cipher suite is good. Which one is the least bad depends on your threat model.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA has two problems:
It uses SHA-1 to authenticate the server's signature. SHA-1 ...
6
votes
Accepted
How could ASP.NET forms authentication session leak into a different site?
The most likely reason is that a machineKey node is set in the web.config for each of the web applications, and the node has the same values for both. This node contains the key for encrypting and ...
3
votes
Can enforcing a website to serve SSL requests only prevent SSLstrip from working?
Going HTTPS-only doesn't help protect you in this case. This other question should help illustrate why. In short, if an attacker can force a client to communicate over HTTP then the attacker can get ...
3
votes
Can enforcing a website to serve SSL requests only prevent SSLstrip from working?
Will that be sufficient enough to prevent the attacker from using SSLstrip to downgrade HTTPS to HTTP?
No.
I would assume the webserver will fail to serve non-HTTPS traffic, correct?
No.
The MitM ...
3
votes
TLS 1.2 and HTTPS
TLS 1.2 is a protocol. HTTPS is HTTP over TLS. While TLS supports some methods to protect the connection without certificates, browsers don't - the certificate is required to make sure that the ...
3
votes
Accepted
Is this test enough to prove that the web application is vulnerable to Login CSRF?
Yep, indeed the scenario is enough to say that the web app is vulnerable to Login/Logout CSRF.
ViewState and EventValidation are not meant to protect against CSRF (I guess it's a .net/asp(x) ...
3
votes
Which cipher is more secure TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA or TLS_RSA_WITH_AES_256_GCM_SHA384?
I agree with @schroeder, I don't think you can do a direct "which is better?" comparison with cipher suites.
That said, Mozilla's TLS Recommendations currently lists DHE-RSA-AES256-GCM-...
2
votes
Accepted
2-way SSL - is it possible to accept multiple client certs on one IIS site?
Side note: this question is probably better suited to ServerFault.
Yes you can! There are full steps for setting everything up here, but the short version is that you need to use the IIS "Configuration ...
2
votes
2-way SSL - is it possible to accept multiple client certs on one IIS site?
You can surely do this with open source. So I think it is possible with IIS as well. Assuming you mean **TLS Client Authentication** (2-way SSL).
With Apache2 Client Authentication works by exposing ...
2
votes
Security Log Analyze
There is benefit to using a full-cycle platform that allows SIEM Engineering (e.g., Splunk ES) and Security Automation (e.g., Splunk Phantom), but these can also be performed using open-source ...
2
votes
Deny access to IIS Server from IP local range
In IIS Manager, (if the sub-feature has been installed) there is a node for IP Address and Domain Restrictions which will allow you to determine which IP addresses you want to allow and/or deny either ...
2
votes
SSL cert for securing on-premises IIS web application
We have a customer, let's call them ABC123 Ltd, who have an existing website on abc123.ie hosted by some hosting provider or other. It's just an informational site with no login\commerce function so ...
2
votes
Can I get an SSL certificate even if external DNS does not resolve
The certificate and DNS record for the public IP are irrelevant; you can buy any certificate without publishing your sites. All you have to do is prove you are the owner of that domain by clicking the ...
2
votes
Accepted
IIS Application - service account permissions
The only one of those that is even potentially a major risk is starting services, because services run as their own user instead of inheriting the security token of the process that started them. If ...
2
votes
Accepted
django-python3-ldap Does TLS Encrypt AD Passwords When Site is Hosted on http
If you set up the web server with HTTP only, the password will not be protected. The setting of LDAP_AUTH_USE_TLS=True only covers the protection of the connection between the server side part of your ...
2
votes
Accepted
Can you start a shell with a service account in Windows?
Yes, you can start a shell with a service account. Whether they can log in all depends on what permissions and checkboxes the admin selected when he created the account, so yes again, it could have been possible. ...
2
votes
Is SSL still secure if SSL Settings in IIS is set to ignore or accept only?
Client certificates are not needed to keep the SSL/TLS connection secure. They are only used to authenticate the client. If your web application does not need to verify that it talks to the correct ...
2
votes
Accepted
Content-Type and Code Execution
IIS, like most web application servers, automatically recognizes requests for URLs that contain server-side code and executes that code on the server. This means that, if I can upload a .ASP or .ASPX ...
2
votes
Accepted
Exploit user controllable C# code in webapp
...Total system compromise? "Arbitrary code execution" on a server - typically abbreviated "RCE" for "Remote Code Execution" - is generally considered to mean, in essence,...
1
vote
Accepted
How to best limit SQL injection attacks that are being funneled through an Apache proxy I control
Now I am thinking of hardening my code by adding some time sensitive (hindering) factor into the equation. The idea is to send them a redirect to somewhere else (fbi?) for a set time period, after an ...
1
vote
How to make use of an exploit that is not available in metasploit?
Is it possible to make use of these vulnerabilities?
Theoretically yes. As you mentioned, the exploit doesn't exist in the Metasploit framework; check if exploits exist on the exploit-db site or a POC for the ...
1
vote
IIS FTPS Best Practice
You should not worry about the source being Any. It is the common way for public server side protocols like FTP or HTTPS. You should simply ensure that only the expected server(s) is (are) reachable ...
1
vote
Secure AWS instance metadata against potential SSRF
Indeed, if you want to restrict access to the instance metadata service -- so that only a specific list of users can query it, you need to have an OS-level control instead of a network-level control.
...
1
vote
Vulnerable framework and IIS server versions are being displayed in an error page of a 3rd party application
The source file path is not necessarily an issue. However it is bad practice and leaks information that may be useful for exploiting other issues.
IIS server version (7.5) which has exploits as per ...