magento2 – Headless PayPal Integration – Security header is not valid

I’m attempting to integrate PayPal in a headless Magento environment. This headless environment is interacting with Magento over the Magento REST API. I have another payment system (Authorize.net) that is working. However, I’m getting errors with PayPal.

I’m using the PayPal JavaScript SDK and I’m able to make PayPal transactions directly through JavaScript.


I’m attempting to pass the PayPal confirmation API response back to Magento 2 via the REST API.

POST /rest/default/V1/guest-carts/(customer-quote-id)/payment-information

Body:

{
  "email": "xxxxx@xxxxx.xxxx",
  "paymentMethod": {
    "method": "paypal_express",
    "additional_data": {
        "paypal_express_checkout_token" : "xxxxxxxxxxxxxx",
        "paypal_express_checkout_redirect_required" : false,
        "paypal_express_checkout_payer_id" : "xxxxxxxxxx"
    }
  },
  "billingAddress": {
    "region": "Indiana",
    "region_id": 24,
    "country_id": "US",
    "street": (
      "123"
    ),
    "telephone": "xxxxxxxxxxx",
    "postcode": "xxxxxx",
    "city": "xxxxxxxx",
    "firstname": "xxxxxxxx",
    "lastname": "xxxxxxxx",
    "save_in_address_book": null
  }
}

When I submit the payment, I get the error:

{
    "message": "PayPal gateway has rejected request. Security header is not valid (#10002: Security error)."
}

I have ENABLED Sandbox Mode and DISABLED Enable SSL Verification and I’m getting the same error as above.

encryption – MySQL Security – Is there an easy way to encrypt confidential data so that it cannot be viewed or accessed by a DBA?


windows server – Security eventlog from a computer in open cyberspace

Hello security stackexchange.

So this question comes from having to work on a computer in open cyberspace with nothing more than bare bones to protect itself. It's been under constant attack ever since it came up, then it got cracked yesterday. And here is the first Audit Success log:

Can we trust Windows anymore? Looks to me there is a crack for logon as NT SYSTEM.
How can we trace this lead? Soon after success, it will do reads on every user's Credential Manager.


Subject:
    Security ID:        SYSTEM
    Account Name:       nosleep$
    Account Domain:     WORKGROUP
    Logon ID:       0x3E7

Logon Information:
    Logon Type:     5
    Restricted Admin Mode:  -
    Virtual Account:        No
    Elevated Token:     Yes

Impersonation Level:        Impersonation

New Logon:
    Security ID:        SYSTEM
    Account Name:       SYSTEM
    Account Domain:     NT AUTHORITY
    Logon ID:       0x3E7
    Linked Logon ID:        0x0
    Network Account Name:   -
    Network Account Domain: -
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x314
    Process Name:       C:\Windows\System32\services.exe

Network Information:
    Workstation Name:   -
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
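As an added example (not part of the question), a small parser for the event text layout shown above plus a triage rule set: logon type 5 with a SYSTEM subject, logon ID 0x3E7 and services.exe as the process is the Service Control Manager starting a service, which every Windows host logs routinely, whereas network (3) and RDP (10) logons from a non-local address are the ones worth baselining. The two sample events are constructed (the first mirrors the posted one) and the classification rules are this example's own, not an official reference.

```php
<?php
// Added example (not from the question): parse the "Section:" / "    Key: Value" text of a
// Windows 4624 logon event into a nested array and apply a few defender-side triage rules.

function parse_logon_event(string $text): array {
    $event = [];
    $section = 'General';
    foreach (preg_split('/\r?\n/', $text) as $line) {
        if (!preg_match('/^(\s*)([^:]+?):[ \t]*(.*)$/', $line, $m)) {
            continue;                                  // blank or free-text line
        }
        $indent = $m[1]; $key = $m[2]; $value = trim($m[3]);
        if ($indent === '' && $value === '') {         // e.g. "New Logon:" opens a section
            $section = $key;
            continue;
        }
        $event[$indent === '' ? 'General' : $section][$key] = $value;
    }
    return $event;
}

function triage_logon_event(array $e): string {
    $type    = $e['Logon Information']['Logon Type'] ?? '';
    $newSid  = $e['New Logon']['Security ID'] ?? '';
    $logonId = $e['New Logon']['Logon ID'] ?? '';
    $proc    = strtolower(basename(str_replace('\\', '/', $e['Process Information']['Process Name'] ?? '')));
    $src     = $e['Network Information']['Source Network Address'] ?? '-';

    // Type 5 is a service logon and 0x3E7 is the fixed logon ID of the SYSTEM account:
    // services.exe (the Service Control Manager) starting a service as SYSTEM logs exactly this.
    if ($type === '5' && $newSid === 'SYSTEM' && $logonId === '0x3E7' && $proc === 'services.exe') {
        return 'routine: SCM service logon as SYSTEM';
    }
    // Network (3) and RemoteInteractive/RDP (10) logons from a non-local address are the ones to baseline.
    if (in_array($type, ['3', '10'], true) && !in_array($src, ['-', '127.0.0.1', '::1'], true)) {
        return "review: type $type logon from $src";
    }
    return 'review: unclassified logon';
}

// Constructed samples: the first mirrors the posted event, the second is an invented RDP logon.
const EVT_SERVICE = "Subject:\n    Security ID:        SYSTEM\n    Logon ID:       0x3E7\n\n"
    . "Logon Information:\n    Logon Type:     5\n\nImpersonation Level:        Impersonation\n\n"
    . "New Logon:\n    Security ID:        SYSTEM\n    Account Name:       SYSTEM\n    Logon ID:       0x3E7\n\n"
    . "Process Information:\n    Process Name:       C:\\Windows\\System32\\services.exe\n\n"
    . "Network Information:\n    Source Network Address: -\n";
const EVT_RDP = "Logon Information:\n    Logon Type:     10\n\nNew Logon:\n    Security ID:        S-1-5-21-1-2-3-1001\n"
    . "    Account Name:       alice\n    Logon ID:       0x5A3C1\n\nProcess Information:\n"
    . "    Process Name:       C:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n    Source Network Address: 203.0.113.7\n";

echo triage_logon_event(parse_logon_event(EVT_SERVICE)), "\n";
echo triage_logon_event(parse_logon_event(EVT_RDP)), "\n";
```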

vpn – What is a reasonable level of security for an internal-use organization application hosted in the cloud?

I’m working on a small web application (Flask). The application is only for distributed internal usage, i.e. only users with credentials created by the organization will have access to the services beyond the login page, and the organization creates the users. It needs to be distributed because some of the user base is traveling. The data hosted on the application is day-to-day operational stuff: inventories, invoices, client contacts and similar. It is organization-sensitive in the sense that you wouldn’t want competitors or third parties sniffing it out. No financial transaction or bank account data is stored there.

From a security perspective, my thinking is that a proper user management system with a solid implementation is a sufficient level of security for this, or more specifically:

  • CSRF protection for anything getting user inputs (which Flask provides if using Flask forms, or plugins exist otherwise)
  • XSS protection (Jinja templating goes a long way to protect from that). At any rate, all user inputs are sanitized and no HTML (or CSS) is served based on raw user inputs.
  • And basically everything outlined in Flask’s Security Considerations is followed and properly implemented, as relevant in the use case.
  • An ORM is used, so that anything that goes in the DB is properly parametrized to prevent SQL injections.
  • At any rate, only trusted users can connect to this beyond the login page (therefore the above protection would come into play only if, say, a malicious user managed to gain control of a user account and used it to try to inject code)
  • The application is containerized on Docker. No container runs with root, meaning that any attacker who would infiltrate a container would be able to break out of that container, and all Docker recommendations are followed. In addition, the only container that is actually open to the web (i.e. the only port opened on the host) is the nginx one.
  • App runs on HTTPS
  • Nginx for reverse proxy, to provide a layer of abstraction between the server itself and any user, as well as to add protection against DDoS (though unlikely in our use case), serve static files etc.
  • As users are also a weak link in any security system, it will be recommended to connect to the application only through trusted Wi-Fi or data from their own SIM card/ISP. Humans being humans, this may or may not be followed in all cases.
  • There will be different user profiles, each having access only to the parts of the data that are actually relevant for their job.

Seems to me this results in a robust enough application from a safety standpoint. Do I have obvious blind spots here? In which case would a security specialist start to consider “no, that’s not enough, we really need to add a VPN connection on top of this”?


centos – Apache 2.2.15 possible security risk?

The version numbers mentioned in the question seem to suggest that you are referring to CentOS 6.

CentOS 6 has been EOL since November 30th, 2020, so the backported fixes that you refer to are now purely theoretical.

It is however correct that, while still supported, the distribution was delivering security updates to its packaged version rather than new versions.

security – Mining Bitcoin 1,000 Times More Efficiently than Anyone Else

Bitcoin secures its network by forcing miners to solve a cryptographic puzzle whose difficulty increases based on the total hashing power of the network. If someone were to develop an algorithm that enables them to solve this puzzle, say, 1,000 times more efficiently (faster) than anyone else on the network, they would be able to mine most (or a good portion) of new Bitcoin for pennies on the dollar. Assuming the person only uses his knowledge to mine Bitcoin at a much greater speed/efficiency compared to other miners (and does not hack anything or attempt to double spend etc.), would the network be able to detect that something like this is happening?

I suppose not, because the hashing power of the network is not something that is known explicitly. It is something that is implicitly calculated based on the assumption that there is no possible way for a single individual to solve the cryptographic puzzle more efficiently than anyone else.

Is my assessment accurate?

Thanks

Known flaws in Signal app’s security

Are there any known exploits in Signal’s encryption protocol that could lead to messages being decrypted, or any other compromising information being released?

SharePoint Online Removing HTTP Headers for Security Reasons

I want to know if it’s possible to hide the below HTTP headers displayed by a SharePoint Online site:

  1. HTTP/1.1 200 OK
  2. Server: Microsoft-IIS/10.0
  3. X-AspNet-Version: 4.0.30319
  4. MicrosoftSharePointTeamServices: 16.0.0.20802
  5. It is also observed that the OPTIONS, DELETE and GETLIB methods are travelling every time in the application request.

These need to be removed from a security point of view.

Your early response will be highly appreciated. Thanks in advance.

How can I make my custom WordPress API more secure?

I made 2 custom APIs in WordPress to receive an order ID, get the order from the ID and update the order status to a custom order status.

The rv_vendor one is the API that receives GET requests from vendors in Dokan to update the order status to a custom order status.
The rv_cliente one is the API that receives GET requests from WooCommerce clients to update the order status to completed.

If a hacker knows this API the way it is now, he can change all the order statuses by himself easily, so I need to add security, but I don’t know how. I thought about using wp_nonces, but I don’t know how to make it and if it would work. Can you help me with this?

// The REST callback receives a WP_REST_Request; the route parameter is read with array access.
function rv_vendor(WP_REST_Request $request){
    $order_id = (int) $request['order_id'];
    $order = wc_get_order($order_id);   // returns false for an unknown ID instead of throwing
    if ($order) {
        $order->update_status( 'enviado' );
    }
}

// function for the buyer's API
function rv_client(WP_REST_Request $request){
    $order_id = (int) $request['order_id'];
    $order = wc_get_order($order_id);
    if ($order) {
        $order->update_status( 'completed' );
    }
}

// creating the APIs
add_action('rest_api_init', function() {
    register_rest_route('rv/vendor/v1', 'order/(?P<order_id>[0-9-]+)', array(
        'methods' => 'GET',
        'callback' => 'rv_vendor',
    ) );
    
    register_rest_route('rv/client/v1', 'order/(?P<order_id>[0-9-]+)', array(
        'methods' => 'GET',
        'callback' => 'rv_client',
    ) );
});
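A hardened version of the two routes, added here as an example and not the asker's code: the WordPress REST layer only applies cookie authentication when the request carries a valid X-WP-Nonce header (nonce action 'wp_rest'), so combined with a permission_callback that checks the logged-in user against the order, an anonymous or nonce-less caller receives a 401/403 instead of changing a status. Assumes WooCommerce is active; dokan_get_seller_id_by_order() is assumed to be Dokan's helper returning the seller's user ID for an order, and the 'enviado' status is assumed to be registered as in the question.

```php
<?php
// Added example, not the asker's code: the same two endpoints with authentication, per-order
// authorisation and a state-changing HTTP method. Assumes WooCommerce is active and that
// dokan_get_seller_id_by_order() is Dokan's helper returning the seller's user ID for an order.

// Vendor route: shop managers, or the Dokan seller who owns the order.
function rv_vendor_permission(WP_REST_Request $request): bool {
    if (current_user_can('manage_woocommerce')) {
        return true;
    }
    $seller_id = function_exists('dokan_get_seller_id_by_order')
        ? (int) dokan_get_seller_id_by_order((int) $request['order_id']) : 0;
    return $seller_id > 0 && $seller_id === get_current_user_id();
}

// Client route: only the logged-in customer who placed the order.
function rv_client_permission(WP_REST_Request $request): bool {
    $order = wc_get_order((int) $request['order_id']);
    return is_user_logged_in() && $order && (int) $order->get_customer_id() === get_current_user_id();
}

// Shared handler; the target status is fixed per route, never taken from the request.
function rv_status_handler(string $status): Closure {
    return function (WP_REST_Request $request) use ($status) {
        $order = wc_get_order((int) $request['order_id']);
        if (!$order) {
            return new WP_Error('rv_not_found', 'Order not found', ['status' => 404]);
        }
        $order->update_status($status, 'Changed via rv REST endpoint');
        return rest_ensure_response(['order_id' => $order->get_id(), 'status' => $order->get_status()]);
    };
}

add_action('rest_api_init', function () {
    $args = ['order_id' => ['validate_callback' => fn($v) => ctype_digit((string) $v)]];
    register_rest_route('rv/vendor/v1', 'order/(?P<order_id>[0-9]+)', [
        'methods'             => WP_REST_Server::EDITABLE,   // POST/PUT/PATCH instead of GET
        'callback'            => rv_status_handler('enviado'),
        'permission_callback' => 'rv_vendor_permission',
        'args'                => $args,
    ]);
    register_rest_route('rv/client/v1', 'order/(?P<order_id>[0-9]+)', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => rv_status_handler('completed'),
        'permission_callback' => 'rv_client_permission',
        'args'                => $args,
    ]);
});
```

On the browser side the nonce comes from wp_create_nonce('wp_rest') and is sent in the X-WP-Nonce header (wp_localize_script is the usual way to hand it to a script); for server-to-server vendor calls, WordPress application passwords over HTTPS avoid nonces entirely.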