Desktop Application Security [on hold]

I’m developing a Hospital Information System using Java. However, it’s a desktop application and I’m not sure how to make it as secure as possible, focusing particularly on data privacy and availability of the app.

I’ve looked at the Java Secure Coding Guidelines https://www.oracle.com/technetwork/java/seccodeguide-139067.html, but I’m not sure they’re within the scope of my project.

Any help would be much appreciated, Thanks.

Should the Anti-Virus and Anti-Malware layer be the first layer in a web application stack, or can it sit behind services?

Can you have the Anti-Virus and Anti-Malware layer sitting deep within the microservice layer and have the malicious file flow through all the services? The argument being that the file is in memory and not processed until it reaches the service we put the Anti-Virus and Anti-Malware layer on.

Shouldn’t this be stopped at the routing layer of the application?

How to Detect Cognitive Friction on a Mobile Application?


I’m researching Cognitive Friction for my thesis and found out there are only 2 academic works studying the topic.

1. The Fiction of No Friction: a User Skills Approach to Cognitive Lock-In

2. Irritating CAT Tool Features that Matter to Translators

Even though I’m mostly interested in detecting the subject in an academic manner, I’d also love to learn all the practically applicable ways you’ve tried to figure it out.

Note: No proper scale has been studied for this topic.

Since I have to study the topic on an existing mobile application which does not belong to me, I’m framed with the idea of creating scenarios for users and applying them in a lab to observe the users, with eye tracking where possible.

I’m also doubtful about eye tracking, because it would not provide any direct details about the user’s exact state of determination or failure in this situation.

Instead,

  1. I’m planning to make users rate the overall User Experience of 3 randomly chosen mobile applications with a pre-defined UX scale.
  2. Then make them use and rate the same scenarios for each application to score more accurately.
  3. And last, conduct a further survey on the lower-graded scenarios to detect any cognitive friction.

Besides commenting on what to avoid, I’d appreciate any other ways you use to detect it in your products, and in the case provided.

Error in the Application

When I start GSA SEO Indexer and Search Engine Ranker, it always shows this notice..
I’ve already sent a bug report but got no response to my problem.
Can anyone solve my issue?
Note: I can’t reinstall my software, because I lost my license key, username & mail.

How should UX review the completed web application and prepare a report about it?

How should a UX guy review the completed app? What are the main credentials, and how do you report if something is not working as expected? Do you have some checklist you follow during your review, or a template for writing a report about the issues with the app? I’m looking for a path/suggestion to follow. Is there any source that can help me review the app?

Different applications of Arden’s theorem lead to different answers

So, I have to solve for the following set of equations

$q_1 = q_1 a + q_2 b + \epsilon$

$q_2 = q_1 a + q_2 b + q_3 a$

$q_3 = q_2 a$

There are two ways to do this.

I did this:

$q_1 = q_2 b + \epsilon + q_1 a$

$q_1 = (q_2 b + \epsilon)\, a^*$ (applying Arden’s theorem)

Now substituting the values of $q_1$ and $q_3$ into $q_2$:

$q_2 = q_2 b a^* a + a^* a + q_2 b + q_2 aa$

$q_2 = a^* a + q_2 (b a^* a + b + aa)$

$q_2 = a^* a (b a^* a + b + aa)^*$ (applying Arden’s theorem)

$q_2 = a^* a (b a^* + aa)^*$

Now substituting into $q_3$, the answer should be

$q_3 = a^* a (b a^* + aa)^* a$

However, the correct answer is

$(a + a(b+aa)^* b)^*\, a (b+aa)^* a$

which can be obtained by first substituting $q_3$ into $q_2$, then substituting $q_2$ into $q_1$, and finally solving for $q_2$ and $q_3$ from the regular expression obtained for $q_1$.

Can someone tell me where I have gone wrong in the above method, or am I applying Arden’s theorem in the wrong way?

Risk of getting a MySQL database compromised while accessing it from a Windows application

I want to make Windows software for clients, so that clients can register inside the software and it will store the registration in an online MySQL database.

However, when I googled “how to do this”, I found that to establish such a MySQL connection I should provide a SQL user with the right to modify the SQL database, and I would also have to provide that SQL user’s password. (All of these would be in my code.)

This leads to a problem: if someone decompiles my application, he can get my code, get my SQL user and password, and see and do anything to my SQL database.

Is there any way to prevent this?

Leaking details about the user in web application

Hope I will be able to describe my question, because I don’t know much about IT security.

Imagine a web application which is used for getting og tags from a URL. The user can submit a form with a single URL input. The server opens the URL in a headless browser, gets the og:title, og:description and og:image values and sends them to the client.

I was told that if the og:image is not cached on the server, linking the image like that will leak details about the user who sees the preview.

I don’t understand what details can be leaked. Can anybody explain this issue a bit?

Could a desktop application disclose location even if a VPN is used?

When using a proper VPN to access a remote server, the server should not be able to resolve your country of origin from your IP address, because the IP provided in the request will be that of the proxy.

Now let’s talk about a desktop application able to run system commands: even if you use a proxy to hide your origin country, could the malicious application perform a traceroute and provide the output to the remote server, allowing it to resolve your origin country?

Traceroute was the first example that came to my mind. Any other tool/technique proving the point could be used to answer the question (except locales for languages/keyboards/etc.).

How exactly does this SQL injection example related to the DVWA application work?

I am a software developer moving to application security and I have some doubts about an SQL injection example.

I am following a tutorial related to the famous DVWA: http://www.dvwa.co.uk/

So I have the following doubt (probably pretty trivial).

I have this PHP code defining the query and the code that performs it:

    <?php
    if( isset( $_GET[ 'Submit' ] ) ) {
        // Get input
        $id = $_GET[ 'id' ];

        // Check database
        $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
        $result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors

        // Get results
        $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
        if( $num > 0 ) {
            // Feedback for end user
            $html .= '<pre>User ID exists in the database.</pre>';
        }
        else {
            // User wasn't found, so the page wasn't!
            header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

            // Feedback for end user
            $html .= '<pre>User ID is MISSING from the database.</pre>';
        }

        ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
    }
    ?>

As you can see, the query is defined as a string concatenation:

    $getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";

So I can inject what I want into the $id variable and perform extra SQL code such as:

    $id = 1 OR 1=1

which will always be true. OK, this is clear.

My doubt is different:

Inserting a valid value (such as 1) into the form, I obtain this URL: http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1&Submit=Submit#

The query is performed correctly and I am obtaining the following message result: User ID exists in the database.

If I try to insert a totally wrong ID in the form, for example “ABC”, I obtain the following error message: User ID is MISSING from the database. OK, and this is fine.

But if I try to insert a “wrong” value such as 1' in the form, the following URL is generated: http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1%27&Submit=Submit#

And I obtain a valid message: User ID is MISSING from the database.

So it seems that the query was correctly executed, searching for the user with ID=1.

Why is the ' character not breaking the query? I was thinking that it would have to search for a user with ID=1' that does not exist in the database (as in the case of ID=ABC).

Why? What am I missing? Probably it is a trivial question, but I want to understand it in depth.
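The behaviour asked about above, reproduced as an added example (not DVWA's code): an in-memory SQLite stand-in for the users table (constructed here), a lookup that mirrors the DVWA snippet's string concatenation and error suppression, and a parameterized lookup for comparison. In the DVWA code, mysqli_query returns false on a malformed query and the '@' hides the resulting warning from mysqli_num_rows, so the syntax-error path and the no-rows path print the same message; the function below returns a second value showing which path was taken.

```python
import sqlite3

EXISTS = "User ID exists in the database."
MISSING = "User ID is MISSING from the database."


def make_db():
    """Constructed stand-in for DVWA's users table (sample rows, not a real dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn


def lookup_vulnerable(conn, id_value):
    """Mirrors the DVWA snippet: the value is concatenated into the SQL text.
    Returns (message, db_error): db_error is True when the query failed to
    parse, which the original hides behind '@' and the removed 'or die'."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{id_value}';"
    try:
        rows = conn.execute(query).fetchall()
        db_error = False
    except sqlite3.Error:
        # mysqli_query() -> false, @mysqli_num_rows(false) -> nothing > 0:
        # the user sees the same MISSING message as for a real non-match.
        rows, db_error = [], True
    return (EXISTS if rows else MISSING), db_error


def lookup_parameterized(conn, id_value):
    """Hardened form: the value is bound as data and never parsed as SQL,
    so 1' is simply a string that matches no row, with no error to hide."""
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (id_value,)
    ).fetchall()
    return EXISTS if rows else MISSING


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "ABC", "1'"):          # the three inputs from the question
        print(repr(value), lookup_vulnerable(db, value), lookup_parameterized(db, value))
```

For the input 1' the vulnerable path reports a swallowed database error, which is why the page shows MISSING rather than an error: the query was never executed at all.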