Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I want to determine or guess the underlying OS a website, for example stackoverflow.com, is using.
I have searched multiple statistic websites, but the OS question is answered by few and if, they provide only a general summary, e.g. "50% of ll websites use ...", and no website-individual information.
I Expect there must be some kind of guess based on the HTML-code probably, that allows for that conclusion. I kindly ask for some hints.
The HTML doesn't tell you anything at all about the underlying server or OS. It isn't a useful fingerprinting method unless you were to know that a certain type of web application only ran on a particular OS.
The web server will often identify itself in the HTTP response headers. This sometimes contains OS information. However, this information is self-reported and can be changed by anyone.
Beyond that, certain systems often have certain quirks in how they behave, which can be used for fingerprinting. For example, a malformed request may result in a certain error page that can be used for identification.
See this project for more examples: https://github.com/scipag/httprecon-nse
Finally, note that any sort of fingerprinting isn't 100% accurate. Most fingerprinting relies on a certain default configuration that can be changed. It's also possible to emulate another system.
You really can't know with certainty what OS a server is running.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I have a website where I put music, but I do not want anyone downloading it, or it gets harder and just listening online, like YouTube.
Unfortunately, no. It is a bit like trying to prevent someone from recording an on-air broadcast. When you send video data over the internet to someone's player, they can simply store the information being sent to the player unless you obfuscate it and make it so that the player will only work under certain circumstances and will not share the data. This, by definition, is DRM.
What DRM attempts to do is control the reading of the data entirely, so that it can not be copied. This has varying degrees of success and rarely, if ever, works particularly well. It may keep honest people honest, but if you are sending someone data in a way that they can access it, measures to try to stop them from copying it are... difficult. The most advanced systems use special display drivers and encrypt the data right up to the point it is being displayed on the screen (HDCP), that way other software on the computer can't directly pull the information off the frame buffer being prepared for the screen.
There may be some ways you can mildly obfuscate the access to your video, but ultimately, if you send it in the clear, it is trivial for a knowledgeable viewer to store the datastream. If you use DRM, it is substantially harder, but still likely to be able to be worked around by a dedicated attacker.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 8 years ago.
Improve this question
I am new to IOS development.
I am going to make a Bilingual Dictionary App for IOS. I have two options in front of me for choosing database. SQLlite and MySQL.
If I choose SQLLite then I believe I will have to pack the database with the app. Every user who will use this app the database will be downloaded to his device.
is it a good approach ?
or I should use MySQL ? that stays on the server and app will connect back and forth to get data from it.
Please guide which database should I use for Bilingual Dictionary Mobile app ?
Or If there is anything else I am missing ?
Thanks in advance !!
There are advantages and disadvantages to each, depending on the functionality and user experience you prefer. Unless you plan to update the content frequently, you wouldn't expect it to change constantly, so there isn't an essential need to provide dynamic content. However, hosting the content online can save a lot of space, which for some mobile users may be limited.
However, to me the most important factor to consider is that as a bilingual dictionary, you may have a substantial market of people who are travelling. People who are travelling often don't have data service, and thus must rely on wifi if they want to access this dictionary. As someone who travels with my cellphone, having a dictionary which does not require a data connection is a major functional advantage, and as a designer I would want to provide this functionality, even if just as an option. This may change if you expect that the greater part of your market is not going to use it while travelling.
Agree with Mitch Goshorn's answer. I don't know if you're worrying about the "security" of your database or you just want to save space on device. But I suggest the local one (SQLite). In case that you don't want user to steel your database by hijacking the application folder, you may want to think about encryption. Sorry if this is not considered to be an answer cause I don't have enough reputation to comment.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
What is the name where the application shows messages of any updates available whenever the update is available?
Is it called web service?
For example, I have installed an antivirus (avast); sometimes a small popup message shows that an update is available.
I have very vague idea about it, it must be contacting the server periodically for checking the new updates are available or not.
I do not know what the application name is so I was not able to search.
It's called an auto-update software feature. It's part of the software itself usually - If you'd like to look at some API's regarding implementing them into your application, find out more here. WinSparkle is also something you could look into if your doing Windows development.
Those are vendor dependant solutions. It is usually not a separate software checking for updates. All they do is query a web service that replies with the 'current' version. At least as long as talking about MS-Windows. More elegant and efficient solutions exist in the Linux environment.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I am developing an open source desktop twitter client. I would like to take advantage on the new xAuth authentication method, however my app is open source which means that if I put the keys directly into the source file, it may be a vulnerability (am I correct? The twitter support guy told me).
On the other hand, putting the key directly into a binary also doesn't make sense. I am writing my application in python, so if I just supply the pyc files, it is one more seconds to get the keys, thanks to the excellent reflection capatibilities of Python. If I create a small .so file with the keys, it is also trivial to obtain the key by looking at the raw binary (keys has fixed length and character set).
What is your opinion? Is it really a secutiry hole to expose the API keys?
Security hole? In broad terms, yes. Realistically though, these aren't nuclear launch codes we're talking about.
About the worst thing that could happen is that someone could take and use your app's keys to do something against Twitter's TOS that will end up getting the keys banned. No user data would be vulnerable since you're not distributing the user tokens (that would be much worse from a security standpoint). Since anyone can register an app in 2 seconds at no cost, the only reason to do that kind of impersonation would be specifically to besmirch the reputation of you or your app.
One thing you could do is leave them out of the source code but make it clear that user's compiling from source need to obtain their own keys and put them in the appropriate place, but leave them in the binary version that you distribute. Not 100% secure, but makes it that little bit harder that will deter a certain number of n'er-do-wells.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Like, testing for :
invalid inputs (strings containing "'"s)
giving random id's in url parameters to access "unauthorized" pages
prevent sql injection
...
I would recommend reading this brilliant book to learn more about the test plans.
In particular a test plan is much more than a list of techniques like you mentioned (these should most likely go into the details for the security testing)
It should at least contain:
The answers to the main questions:
why bother (what is gained by testing)
who cares (who are we working for)
how much (..testing will be done)
You would not go wrong providing also:
Platforms
Methods (positive testing, load testing etc)
Functionality you're planning to test
Acceptance criteria
And there is plenty more things to talk about in the plan.
Test responses for:
For integers - strings, null, values more than those allowed, negative, zero..
For strings - strings of lengths longer than that allowed
For invalid values, you can check if the response being returned is informative enough.
Test to see that your application logs these errors. If it doesn't you won't be able to identify and debug problems easily when they occur in production.
Also fuzz testing is a must for web applications.
If you want to make a list, you can add "Trying simple javascripts within a textarea field to see if the site saves and executes them"
this is what i use
Quality Test Plan
its very simple, straight-forward. covers many common web flaws (e.g. broken links, etc)
you might think its too basic, but im always surprised how many bugs it reveals
--LM