web-application

  1. Do I need to restrict origin in an API app?
  2. How should I create a system for verifying personal information without revealing it?
  3. How does a NG Firewall do application visibility and classification of TLS traffic without TLS interception, and how reliable is this?
  4. AD authentication / authorization + WAM
  5. How to make this script run from image?
  6. Is anybody using client browser certificates?
  7. Something hits autodiscover/autodiscover.json on my web application
  8. Is it safe to use an AD account to run an App Pool in IIS in order to provide SQL read/write permissions to a web app?
  9. Storing basic financial data
  10. Can malicious sites use session data from iframes?
  11. How can I fingerprint Yii framework version?
  12. Web Application Firewall using web app source code analysis
  13. Best way to store AES keys (web api) while dealing with multi tenants (key per tenant)
  14. When is a web application vulnerable to RFD (Reflected File Download)?
  15. What is the difference between https://google.com and https://encrypted.google.com?
  16. Is PHP unserialize() exploitable without any 'interesting' methods?
  17. Is it possible to exploit PHP unserialize without classes?
  18. Why is this response splitting attack not working?
  19. Why does OWASP recommend "Disable Web Browser Cross-Tab Sessions"?
  20. Basic Authentication with WebAPI and HTML/JS Client?
  21. Is sending recaptchaPublicKey & RecaptchaToken in the post request a potential security threat?
  22. Back button navigation problems because of CSRF token?
  23. Why are two CSRF tokens (hidden field and cookie) necessary to mitigate CSRF attacks?
  24. Why should XSS filters escape forward slash?
  25. Better alternative to WAF path whitelisting?
  26. Blacklisting vs. whitelisting characters to prevent XSS?
  27. What is the security flaw in this example of "magic parameters"?
  28. Can you export a report from OWASP ZAP based off an individual website?
  29. Is login limiting still needed if we employ multi-factor authentication?
  30. Securing the backend of your web application?
  31. Reference "non-secured" web application?
  32. Would Insecure Direct References and SQL Injection be solved by using Row-Level Security and Per-User Connection Strings?
  33. Why do most live chats start in new windows?
  34. Should stored XSS prevention be client or server-side?
  35. How can I edit HTTP request in OWASP ZAP and send the edited request?
  36. What is the best way to pentest an AngularJS web app with a REST backend?
  37. How to securely store 3rd party API keys directly on web server
  38. Why do ID attributes need stricter validation?
  39. Is it safe to check password against the HIBP Pwned Passwords API during account registration?
  40. How can I restrict my iframe to only use local content?
  41. URL escape before inserting user data into HTML URL parameter values?
  42. Is this code vulnerable to XSS or Open Redirection etc?
  43. What features should I look for in vulnerability testing services?
  44. How to prevent MITM session fixation attack over plain HTTP upon first request?
  45. Should the password field be cleared after an unsuccessful login attempt?
  46. Malicious NPM Package - Does it fit into OWASP Top Ten 2017?
  47. How to find out what programming language a website is built in?
  48. AWS Tenant Restrictions
  49. How to proceed with IoT Vulnerability assessment?
  50. Is it possible for first party cookies set by a.com to somehow know that the user also visited b.com (i.e. able to read the url)?
  51. Changing session id after login
  52. What are the risks of sharing login to other subdomain websites through cookies?
  53. Webgoat missing function level access control lesson
  54. Secure flag for ASPXAUTH Cookie in MVC
  55. What does the tilde (~) mean at the end of a file extension?
  56. Evaluating security of 3rd party <script>
  57. Securing pattern for tool for customer frontend
  58. Is my authentication method secure?
  59. If I login using browser X, will CSRF work in browser Y?
  60. How can I protect a WordPress installation?
  61. Safely changing text links to HTML anchors
  62. Mobile Website Security
  63. Building a website with MAXIMUM website security
  64. Should CSRF 'Double Submit Cookie' technique have a different seed value for the cookie versus the HTTP POST?
  65. Pentesting web applications with unique strings in URL
  66. Should I use AntiForgeryToken in all forms, even login and registration?
  67. SQL injection for a username/password form?
  68. How to prevent CSRF if you want to include Flash plugins like Uploadify in your form?
  69. How can I use phpinfo.php file to find new files on a server
  70. After a full web vulnerability scan, do we need to test each & every similar field for possible injections?
  71. How does XSS work?
  72. Whitelisting DOM elements to defeat XSS
  73. What is the correct way to implement anti-CSRF form tokens?
  74. What provides better safeguards against decryption/hacking: HTTPS or a well-made mobile app?
  75. Is filtering of user input data enough, or should it be parsed?
  76. Security of assets/media on s3
  77. Why should double submit CSRF tokens be cryptographically strong random numbers?
  78. CSRF possible if params are not passed through query string?
  79. Why is cross site scripting in URL dangerous if I don't use cookies?
  80. XSS when <, > and " are escaped?
  81. Why is an XSS payload in the address bar executed?
  82. What can I do when a whole core of my CPU is maxed out when I just visit a specific website?
  83. userWorkstations attribute in AD preventing users from logging into WebApp
  84. Why do people still use/recommend MD5 if it has been cracked since 1996?
  85. Force browser to not URL encode specific characters?
  86. Severity and priority rank of Insecure Direct Object Reference bug
  87. Should CSRF token without session cookie work?
  88. Electron app generating one-time access codes vs server generated codes
  89. Difference between XML external entities and Remote File Inclusion attacks
  90. How to exploit open redirect vulnerability?
  91. OWASP Mutillidae II responds extremely slowly when accessed over host-only network in VirtualBox?
  92. Handling sensitive data for a web application
  93. Does Chrome respect the X-DNS-Prefetch-Control header?
  94. Storing password to use later
  95. What risks should I be aware of before allowing advertisements to be placed on my website?
  96. Importance of a short expire time on JWTs
  97. Are browsers still vulnerable to Cross-Site Cooking?
  98. Why do banking websites always ask me to authenticate my PC even after I'd chosen to "Remember my Computer"?
  99. Security risks of running a php application on PHP 5.4
  100. How should web app developers defend against JSON hijacking?