security | Security Research Lab | Security library

I encountered a problem while trying to get my java project running on my Debian 10 server. Everything seems to work, but java throws an error when i try to get an instance of a MessageDigest with "SHA256".

It occurs in this line:

MessageDigest digest = MessageDigest.getInstance("SHA256");

The exception:

java.security.NoSuchAlgorithmException: SHA256 MessageDigest not available

Is there a way to install SHA256 functionality or another way i can create a sha256 hash?

First time actually using anything to do with swing - sorry for the poor code and crude visuals!
Using swing for a massively over-complicated password checker school project, and when I came to loading in a JMenuBar, it doesn't render properly the first time. Once I run through one of the options first, it reloads correctly, but the first time it comes out like this: First render attempt
But after I run one of the methods, either by clicking one of the buttons that I added to check if it was just the JFrame that was broken or using one of the broken menu options, it reloads correctly, but has a little grey bar above where the JMenuBar actually renders: Post-method render

The code for the visuals is as follows:

I want to use the built-in secrets feature in .NET Core and it is not working for me and I don't understand why I am doing exactly what is needed. I would appreciate it if you can help me and let me know what is missing.

In the developers commands I run this:

I'm working on a Chrome extension that integrates with a website. My users can do actions on this website when they are logged in to it.

I have a Socket.IO server that delivers commands to my Chrome extension. Once a command arrived, the extension invokes a local function from the host website. Then, the host website, which has an authenticated active session with its own API, will invoke some update/insert call.

I recently realized a potential security issue, which is - if anyone spoofs my server address on my extension clients organization, he can easily abuse it to send his own parameters on behalf of my server (image 2).

Is there any smart way to ensure my client communicates with the real server and not an imposter?

I'm running boto with python3 and I'm running an ansible playbook to setup some ec2 instances. Everything is fine, creating instances, security groups, key pairs, everything in eu-west-2. When the task for Elastic IPs runs it fails with this message: Region eu-west-2 does not seem to be available for aws module boto.ec2. If the region definitely exists, you may need to upgrade boto or extend with endpoints_path

I'm running ansible with -e ansible_python_interpreter="/usr/bin/python3". I have latest boto installed.

I created a new Quarkus app using the following command:

I want to use firebase auth for my android and ios applications with custom backend. So I need some way of authentication for api calls from mobile apps to the backend.

I was able to find following guide in firebase documentation which suggests to sent firebase id token to my backend and validate it there with firebase Admin SDK. https://firebase.google.com/docs/auth/admin/verify-id-tokens

But this approach does not seem to be a security best practice. For example here https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ it is said that for API access one should use access tokens rather than id tokens.

Are there any good pattern for using firebase auth with my backend?

How to prevent phpunit from launching functions that I don't want?

I'm running the below sqlpackage command against my sqlserver: