Questions tagged [secure-coding]

Topics related to coding patterns and best practices for avoiding common bugs and security holes.

Failure to adhere to secure coding practices may result in various classes of vulnerabilities such as buffer overflows, integer overflow or wraparound, command injection, improper sanitization of data, and more. Requirements and best practices for secure coding differ across programming languages. Manual code reviews and automated evaluation using tools for static or dynamic code analysis can help improve code quality and promote more secure coding.

211 questions
3 votes, 2 answers

Input_Path_Not_Canonicalized - Path Traversal Vulnerability in Checkmarx

I am facing a path traversal vulnerability while analyzing code through Checkmarx. I am fetching the path with the code below: String path = System.getenv(variableName); and the "path" variable value is traversing through many functions and is finally used in one…
dev29
3 votes, 2 answers

Can a reflected XSS (cross site scripting) attack happen on a REST API which serves a non-HTML response?

Can a reflected XSS (cross site scripting) attack happen on a REST API which takes in an XML request payload and serves an XML response? There is no HTML content in the request or response. I have gone through quite some documentation on XSS, and now I am of…
3 votes, 1 answer

How to achieve memory safety while writing C code?

I was recently asked the following question in an interview: "What are all the possible ways to achieve memory safety while writing C code?" I replied with secure versions of APIs. The interviewer said that there are more approaches than that. I…
Jake
3 votes, 2 answers

Java - How can I completely clear a variable?

I have a Spring Boot application that uses a CredentialsService class to store credentials as GuardedStrings and return them when requested by other classes. Where the problem arises is in the fact that we use Checkmarx to scan our code and catch…
dgc1222
3 votes, 2 answers

How to secure my Android app against reskinning?

After long, hard work developing an app with a creative idea, I put it in the app store. I was shocked that my app was duplicated and reskinned. OMG. Those people just change the color theme and the app name, then they put our app in…
azdoud
3 votes, 1 answer

Front-end-side encryption: Where to store password throughout session?

Currently we're working on a small application where we store a bunch of JSON data coming from a JS-based graphing editor (think of a spiced-up version of this) in a Rails-based backend. We want to allow users to store the data encrypted (AES, RSA,…
A. Neumann
3 votes, 2 answers

.Net Core: Store private keys in AWS

I am implementing a secured system (using .Net Core 2.0) where there is a requirement for key pair (public and private) generation and transmitting the public key to a recipient. At the moment I do generate the key pair (using the .Net Core Crypto…
3 votes, 1 answer

Runtime error dividing by -1

I don't doubt the need to check for division by zero. I've never heard of checking for division by negative one though! if( *y == 0 ) return 0; //undefined else return *x / *y; x and y are pointers to int32_t; I include this detail in case of…
OJFord
3 votes, 1 answer

How does the race condition in TOCTOU work?

The following code is supposed to be vulnerable to a TOCTOU attack: public Period(final Date start, final Date end) { if (start.compare(end) > 0) { throw new IllegalArgumentException(""); } this.start = start; this.end = end; …
user1071840
3 votes, 1 answer

How do I prevent format string attacks and buffer overruns on iOS?

Apple's Secure Coding Guide documentation provides guidance on format string attacks and buffer overflows. What is not clear (to me, anyway) is how to prevent format string attacks and buffer overruns when using NSString. How do I go about defending…
Scott McKenzie
3 votes, 1 answer

snprintf vs std::stringstream

I am working on removing SECURITY CODING violations in my product. My code has a lot of sprintf; the Coverity tool is suggesting that I use snprintf, but C++ also has std::stringstream. Would it be a good idea to use std::stringstream in place of snprintf?
Avinash
2 votes, 1 answer

Does CodeSourcery include secure versions of standard functions (strcpy_s, sprintf_s etc.)?

Quick question: I use CodeSourcery g++ lite for arm-none-eabi. I searched the include folder to see if there are secure functions like strcpy_s and sprintf_s, but I got no result. Does CodeSourcery provide these secure functions (maybe under…
Martin Allard
2 votes, 2 answers

Double extension will bypass extension check rules

It is said in many articles about securing file uploads that it is better to prepare a whitelist of extensions instead of a blacklist. But it seems this method has some problems with double-extension files. For example, I have a whitelist like…
hd.
2 votes, 0 answers

Checkmarx medium severity: May unintentionally allow setting the value of method in the object

I am getting the medium vulnerability below highlighted in Checkmarx: The rModificationRequest at r-config\com\mycompapi\RController.java in line# may unintentionally allow setting the value of saveAndFlush in modifyR, in the object…
nanosoft
2 votes, 2 answers

How to resolve XSRF Cross-Site Request Forgery (CSRF) in an API controller after a Checkmarx SAST scan

I have scanned my Java Spring Boot project with the Checkmarx tool. The tool found about 23 XSRF occurrences with Medium severity. The issue found is marked on the REST API method POST on @RequestBody List lineups. In the attached screenshot…
Stefano