injection

Best way to avoid code injection in PHP

My website was recently attacked by, what seemed to me as, an innocent code: <?php if ( isset( $_GET['page'] ) ) { include( $_GET['page'] . ".php" ); } else { include("home.php"); } ?> There were no SQL calls, so I wasn't afraid for SQL Injection. But, apparently, SQL isn't the only kind of injection. This website ha...

Preventing Command Line Injection Attacks

We're currently building an application that executes a number of external tools. We often have to pass information entered into our system by users to these tools. Obviously, this is a big security nightmare waiting to happen. Unfortunately, we've not yet found any classes in the .NET Framework that execute command line programs whil...

UnityContainer, child container injection

Hi there, I am pretty new to the Unity Application Block and am a little stuck trying to implement the following. I have a parent and child container. When I resolve a new instance of the child container I want to inject a new UnityContainer into the constructor using the CreateChildContainer method. public class RootContainer { ...

How to easily load a XML-based Config File into a Java Class?

I've got a simple java class that looks something like this: public class Skin implements Serializable { public String scoreFontName = "TahomaBold"; ... public int scoreFontHeight = 20; ... public int blockSize = 16; ... public int[] nextBlockX = {205, 205, 205, 205}; ... public String backgroundFile = "...

Appending a block of javascript to the DOM fails in production - but not in dev

I have an ASP.NET website. Very huge! The latest addition I've made, everything is JavaScript/AJAX enabled. I send HTML and JavaScript code back from the server to the client, and the client will inject the HTML into a DIV - and inject the JavaScript into the DOM using this: $('<script type="text/javascript">' + script + '</sc' + 'rip...

How can I reverse engineer scrambled packets in a windows app?

I have a windows exe app that used to send packets to a server in the clear. This app (let's call it the client app) is definitely closed source, but some clever hacker hex-edited the binary, and made it send packets that are scrambled. Now, obviously, those packets are scrambled in a way that is decipherable (otherwise the server would...

PHP Injection Attack - how to best clean up the mess?

Once in a while my shared hosting environment gets compromised because, well, I failed to keep the portfolio of my installed apps patched up. Last week, it was because of an old and unused installation of a PHP application called Help Center Live. The result was that every single PHP file on the server (and I have several Wordpresses, Jo...

Is it safe to inject an EJB into a servlet as an instance variable?

We all know that in the web tier there is the possibility that only a single instance of a given Servlet exists which services multiple requests. This can lead to threading issues in instance variables. My question is, is it safe to inject an EJB using the @EJB annotation into a servlet as an instance variable? My initial instinct woul...

SMTP header injection in ASP.NET?

My ASP.NET website has a global error handler that sends an email to me (and another developer) when there is any kind of error in the web app. We recently received an error which contained a CC to an email address that we'd never heard of. The scary thing is that the list of developers that the error email is sent to is hard coded in ...

Can other datatypes than Strings be potentially harmful if obtained from external sources?

It's a well-known truth that you can't trust user inputs. These inputs can even be a security problem if they are used unfiltered. XSS and SQL injections are possible problems coming from using unfiltered user input (or input that can be changed by the user). To avoid such problems, you have to control all strings, that can be i...

Any good security encoding libraries for .NET out there?

Hi all.. Been reading up on various injection-type attacks, and it seems like the best way to get rid of these vulnerabilities is to encode all user input to remove / replace some characters with others (< > ; etc). What's my best bet here? Are there any nice libraries out there to aid me with this? Or something that could help me spot...

C#: Best way to inject CSS into MSHTML instance?

Hey everyone, I'm trying to inject some CSS that accompanies some other HTML into a C# managed WebBrowser control. I am trying to do this via the underlying MSHTML (DomDocument property) control, as this code is serving as a prototype of sorts for a full IE8 BHO. The problem is, while I can inject HTML (via mydomdocument.body.insertAdj...

Prevent existing CSS from styling injected HTML/CSS

I'm working on a project which injects JS+CSS+HTML over web pages which I do not have control over. I am concerned about the host page styling my injected code -- I want my injected code to only obey my styling, and not theirs. At the moment the only method to do this I can think of involves explicitly specifying every possible tag for...

How to inject .NET code to alter return values of functions.

Hi there. I am currently researching how to write .NET code that can be injected into another .NET process and override function return values. The idea is that my code would alter the return values of a method call, like this: Public Function DoSomething() As String Return "Value" End Function My code would intercept calls to DoSo...

What is the namespace to use for adding JSP taglib support into facelets pages?

Something like the following xmlns:jsp="http://java.sun.com/JSP/Page" seems to not work, any hint? alternatively how can I inject beans into JSF lifecycle flow at startup without the filter usage? ...

How to hook external process with SetWindowsHookEx and WH_KEYBOARD

I am trying to hook for example Notepad without success. Making a global hook seems to work fine. Testing on XP SP2. Edit: Amended code works now. MyDLL code #include <windows.h> #include <iostream> #include <stdio.h> HINSTANCE hinst; #pragma data_seg(".shared") HHOOK hhk; #pragma data_seg() //#pragma comment(linker, "/SECTION:.share...

What's current best practice to prevent email injection attacks in PHP?

What's considered the best practice these days for sanitizing data from a PHP email form? I'm currently using something like this... $msg = $_POST['msg']; $email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL); $name = $_POST['name']; $subject = "Message from the MY_WEBSITE website e-mail system"; $message = "From: " . $name . "\...

How would I go about preventing DLL injection?

So the other day, I saw this: http://www.edgeofnowhere.cc/viewtopic.php?p=2483118 and it goes over three different methods of DLL injection. How would I prevent these from the process? Or at a bare minimum, how do I prevent the first one? I was thinking maybe a Ring 0 driver might be the only way to stop all three, but I'd like to see...

question on EJB and resource injection

I am having problems getting JBoss to inject an environment variable value into a bean. Here is my bean class: package com.topcoder.test; import java.util.ArrayList; import java.util.List; import javax.annotation.Resource; import javax.ejb.EJBContext; import javax.ejb.Remote; import javax.ejb.SessionContext; import javax.ejb.Stateles...

Is there way to prevent our application from being analysed or injected? (c#)

There are loads of profilers and static code analyzers out there for C# assemblies. Just wonder if there are any methods to prevent being analyzed, because it does make me feel a bit nervous when being stripped. I have searched all over the Internet and stackoverflow. There seems none for my wonder. What I've got are only some even ...