Security-Guide | Capture The Flag | HackTheBox | OSCP | Bug Bounty Hunting | | Security Testing library
kandi X-RAY | Security-Guide Summary
Community Discussions
Trending Discussions on Security-Guide
QUESTION
Microsoft warns against using BinaryFormatter (they write that there is no way to make the de-serialization safe).
Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy.
I don't want to use XML or Json-based solutions (which are what they refer to). I am concerned about file size and preserving the object graph.
If I were to write my own methods to traverse my object graph and convert the objects to binary, could that be made safe, or is there something specific about converting from binary that makes it inherently more dangerous than text?
ANSWER
Answered 2021-Mar-28 at 19:30
BinaryFormatter?
This question feels like it leads to answers that will be more opinion-based.
I'm sure there are a lot of libraries out there, but perhaps the best known alternative is Protocol Buffers (protobuf). It's a Google library, so it gets plenty of development and attention. However, not everyone agrees that using protobuf for generic binary serialization is the best thing to do.
Follow this discussion about BinaryFormatter on the github for dotnet if you want more info; it discusses the general problem with BinaryFormatter, as well as using protobuf as an alternative.
Yes. That said, the real question should be: 'is it worth my time to do so?'
See this link for the wind-down plan for BinaryFormatter:
https://github.com/dotnet/designs/pull/141/commits/bd0a0661f9d248ed31a354d27ad026efd6719690
At the very bottom you will find:
Why not make BinaryFormatter safe for untrusted payloads?
The BinaryFormatter protocol works by specifying the values of an object's raw instance fields. In other words, the entire point of BinaryFormatter is to bypass an object's typical constructor and to use private reflection to set the instance fields to the contents that came in over the wire. Bypassing the constructor in this fashion means that the object cannot perform any validation or otherwise guarantee that its internal invariants are satisfied. One consequence of this is that BinaryFormatter is unsafe even for seemingly innocuous types such as Exception or List<T> or Dictionary<TKey, TValue>, regardless of the actual types of T, TKey, or TValue. Restricting deserialization to a list of allowed types will not resolve this issue.
The security issue isn't with binary serialization as a concept; the issue is with how BinaryFormatter was implemented.
You could design a secure binary deserialization system, if you wanted. If you have very few messages being sent, and you can tightly control which types are deserialized, perhaps it's not too much effort to make a secure system.
However, for a system flexible enough to handle many different use cases (e.g. many different types that can be deserialized), you may find that it takes a lot of effort to build in enough safety checks.
FWIW, you likely will never reach the performance levels of BinaryFormatter with a secure system that offers the same widespread utility (use cases), since BinaryFormatter's speed comes (in part) from having very few safety features. You might approach such performance levels with a targeted, small system with a narrow set of use cases.
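As an added example (not code from the original page or from the answer above), here is the kind of narrow, hand-written binary codec the answer describes: one concrete type, an explicit field layout, a bound on every length that arrives over the wire, and construction through the public constructor so the type's invariants are re-checked on each read instead of being bypassed the way the quoted design note says BinaryFormatter bypasses them. The Order type, its field layout, the format version byte and the size limits are assumptions made for this illustration.

```csharp
// Added example, not from the original page or the Stack Overflow answer.
// A hand-written binary format for one specific type. Nothing in the stream
// names a type and nothing is resolved by reflection, so only Order can come
// out of Deserialize. Type, layout and limits are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

public sealed class Order
{
    public const int MaxItems = 1_000;

    public string CustomerId { get; }
    public IReadOnlyList<int> ItemIds { get; }

    // The constructor is the single place where invariants are enforced.
    public Order(string customerId, IReadOnlyList<int> itemIds)
    {
        if (string.IsNullOrWhiteSpace(customerId) || customerId.Length > 64)
            throw new ArgumentException("customerId must be 1..64 non-blank characters");
        if (itemIds is null || itemIds.Count == 0 || itemIds.Count > MaxItems)
            throw new ArgumentException($"itemIds must contain 1..{MaxItems} entries");
        foreach (var id in itemIds)
            if (id <= 0) throw new ArgumentException("item ids must be positive");
        CustomerId = customerId;
        ItemIds = itemIds;
    }
}

public static class OrderCodec
{
    private const byte Version = 1;
    private const int MaxCustomerIdBytes = 64 * 4; // UTF-8 upper bound for 64 chars

    public static byte[] Serialize(Order order)
    {
        using var ms = new MemoryStream();
        using (var w = new BinaryWriter(ms, Encoding.UTF8, leaveOpen: true))
        {
            w.Write(Version);
            byte[] cust = Encoding.UTF8.GetBytes(order.CustomerId);
            w.Write(cust.Length);            // explicit int32 length prefix
            w.Write(cust);
            w.Write(order.ItemIds.Count);    // explicit int32 element count
            foreach (var id in order.ItemIds) w.Write(id);
        }
        return ms.ToArray();
    }

    public static Order Deserialize(byte[] data)
    {
        using var r = new BinaryReader(new MemoryStream(data, writable: false), Encoding.UTF8);
        if (r.ReadByte() != Version)
            throw new InvalidDataException("unsupported format version");

        // Every length read from the wire is bounded before it drives an allocation.
        int custLen = r.ReadInt32();
        if (custLen < 0 || custLen > MaxCustomerIdBytes)
            throw new InvalidDataException("customer id length out of range");
        byte[] custBytes = r.ReadBytes(custLen);
        if (custBytes.Length != custLen)
            throw new InvalidDataException("truncated customer id");
        // Strict decoding: malformed UTF-8 is an error, not silently replaced.
        string customerId = new UTF8Encoding(false, throwOnInvalidBytes: true).GetString(custBytes);

        int count = r.ReadInt32();
        if (count < 0 || count > Order.MaxItems)
            throw new InvalidDataException("item count out of range");
        var items = new List<int>(count);
        for (int i = 0; i < count; i++) items.Add(r.ReadInt32());

        if (r.BaseStream.Position != r.BaseStream.Length)
            throw new InvalidDataException("trailing bytes after payload");

        // Go through the public constructor so invariants are validated here,
        // rather than setting private fields directly and skipping the checks.
        return new Order(customerId, items);
    }
}

public static class Program
{
    public static void Main()
    {
        var original = new Order("cust-42", new[] { 1, 2, 3 });
        byte[] wire = OrderCodec.Serialize(original);
        Order copy = OrderCodec.Deserialize(wire);
        Console.WriteLine($"{copy.CustomerId}: {copy.ItemIds.Count} items, {wire.Length} bytes");

        // Constructed bad input: overwrite the item count (offset 12 = 1 version
        // byte + 4-byte length + 7 bytes of "cust-42") with an absurd value and
        // confirm the bound check rejects it before any allocation happens.
        byte[] tampered = (byte[])wire.Clone();
        BitConverter.GetBytes(int.MaxValue).CopyTo(tampered, 12);
        try { OrderCodec.Deserialize(tampered); }
        catch (InvalidDataException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```

The design choice worth noticing is that the format carries no type information at all; the reader knows exactly which type it is producing and which constructor to call. That is what makes the "tightly control which types are deserialized" approach from the answer practical, and it is also why this does not generalize to an arbitrary object graph without adding the type-resolution machinery that made BinaryFormatter risky in the first place.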
QUESTION
I looked at a lot of resources, but I couldn't find any useful information. Either repos are broken or preupg problems...
...I/O warning : failed to load external entity "/usr/share/openscap/xsl/security-guide.xsl"
compilation error: file /usr/share/preupgrade/xsl/preup.xsl line 40 element import
xsl:import : unable to load /usr/share/openscap/xsl/security-guide.xsl
I/O warning : failed to load external entity "/usr/share/openscap/xsl/oval-report.xsl"
compilation error: file /usr/share/preupgrade/xsl/preup.xsl line 41 element import
xsl:import : unable to load /usr/share/openscap/xsl/oval-report.xsl
I/O warning : failed to load external entity "/usr/share/openscap/xsl/sce-report.xsl"
compilation error: file /usr/share/preupgrade/xsl/preup.xsl line 42 element import
xsl:import : unable to load /usr/share/openscap/xsl/sce-report.xsl
OpenSCAP Error:: Could not parse XSLT file '/usr/share/preupgrade/xsl/preup.xsl' [oscapxml.c:416]
Unable to open file /root/preupgrade/result.html
Usage: preupg [options]
preupg: error: [Errno 2] No such file or directory: '/root/preupgrade/result.html'
[root@localhost upgrade]# yum localinstall redhat-upgrade-tool-0.7.22-3.el6.centos.noarch.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
Setting up Local Package Process
Examining redhat-upgrade-tool-0.7.22-3.el6.centos.noarch.rpm: 1:redhat-upgrade-tool-0.7.22-3.el6.centos.noarch
redhat-upgrade-tool-0.7.22-3.el6.centos.noarch.rpm: does not update installed package.
Nothing to do
[root@localhost upgrade]# rpm --import http://ftp.plusline.de/centos/7.0.1406/os/x86_64/RPM-GPG-KEY-CentOS-7
curl: (22) The requested URL returned error: 404 Not Found
error: http://ftp.plusline.de/centos/7.0.1406/os/x86_64/RPM-GPG-KEY-CentOS-7: import read failed(2).
[root@localhost upgrade]#
[root@localhost upgrade]# rpm --import http://isoredirect.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7
curl: (22) The requested URL returned error: 404 Not Found
error: http://isoredirect.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7: import read failed(2).
ANSWER
Answered 2019-Apr-21 at 17:18
Sadly, the upgrade path from CentOS 6.x to 7.x has been broken since shortly after 7.x was released, with no fixes to preupg in sight - and at this point, it seems unlikely the official route will work. Further, I don't know of ANY unofficial route that is proven to work well, either.
The only real and trusted upgrade path from CentOS 6.x to 7.x is to install 7 onto fresh hardware/VM and migrate services over.
This surprises folk coming from other distros where, whilst not being trivial, it is usually achievable to upgrade between major versions in situ, but this does not seem to be the CentOS way.
QUESTION
I am trying to implement OAuth2 AuthorizationServer as described in this article but I keep getting the error below. For a spring security config:
ANSWER
Answered 2019-Apr-28 at 07:04
Check your dependency hierarchy tree. Does it contain javax servlet api? If not, choose a relevant version from here https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api and add it to your pom.xml.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported