security

Is there a good way of securing an ASP.Net web service call made via Javascript on the click event handler of an HTML button?

The purpose of using a Javascript proxy for the Web Service using a service reference with Script Manager is to avoid a page load. If the information being retrieved is potentially sensitive, is there a way to secure this web service call other than using SSL? ...

Does SPSecurity.RunWithElevatedPrivileges do anything in a console app?

From what I have gleaned from reflector, RunWithElevatedPrivileges simply reverts the current thread identity to the base (non-impersonated) identity. This makes perfect sense in the case of code running inside the WSS application pool, since the base service account is a super-user. Does it have any effect when running in an external ...

Where do I find a dictionary for password validation?

I am working on a password validation algorithm that needs to check potential passwords against the dictionary. If the password or any part of it can be found in the dictionary, reject it. The function is easy enough, but where do I get the word list? Is there a web service already out there for looking up words? I have poked around ...

User Groups Management Implementation for Desktop Application Question (C#)?

Hi, I have a desktop Human Resource (HR) application developed in WPF (C# | .NET 3.5) that does some employee management work for the HR. I need to implement user-group-based security, meaning that I need to manage users who can access the system (username/password) and also give them CRUD rights and screen rights. Is there any basic framework ...

How do you protect code from being physically stolen?

I've recently purchased an IBM Thinkpad that came with a fingerprint scanner. That got me thinking: are fingerprint scanners a good way to protect your code i.e. if someone takes your laptop or goes on your laptop while you're away, would they still be able to get in? The question also applies for other biometrics techniques that the ne...

prevent mime faking on php uploads

Is there a way to prevent someone from faking a mime type on a file upload and then running a php/exe/etc... I have to make the file upload directory writeable and executable so that the files can be stored, but this allows anyone to run a script after. One thing I can do is add random data to the file name so they can't guess the file...

Best way to safely read query string parameters?

Hello all, We have a project that generates a code snippet that can be used on various other projects. The purpose of the code is to read two parameters from the query string and assign them to the "src" attribute of an iframe. For example, the page at the URL http://oursite/Page.aspx?a=1&b=2 would have JavaScript in it to read the...

How to create a C# Login handler

How would I go about creating a web app login handler in C#? In Java I would use a JSP that posts the username and password to a servlet, which then delegates to a POJO for the db lookup and validation. If validation fails the servlet forwards onto the login.jsp for another attempt; if successful then forwards to the secure resour...

What's the best method for sanitizing user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for sql injection and XSS attacks, while still allowing certain types of html tags? ...

Impact of AWS Account Identifiers

I'm using Amazon's tools to build a web app. I'm very happy with them, but I have a security concern. Right now, I'm using multiple EC2 instances, S3, SimpleDB and SQS. In order to authenticate requests to the different services, you include your Access Identifiers (login required). For example, to upload a file to S3 from an EC2 inst...

Preferred protocols to upload static files to your Apache server ?

Hello! If you were the administrator of an Apache web server, what protocol(s) would you prefer to provide for the web developers to upload static files (html/gif/css/...), with the goal of maximum security? If you were the web developer/graphic designer, what protocols would you prefer to be available at the Apache server, to upload st...

Securing DB and session-data on a PHP shared host

I wrote a PHP web-application using SQLite and sessions stored on filesystem. This is functionally fine and attractively low maintenance. But, now it needs to run on a shared host. All web-applications on the shared host run as the same user, so my users' session data is vulnerable, as is the database, code, etc. Many recommend stori...

What are the security concerns of evaluating user code in PHP?

Hi, I am wondering what security concerns there are to implementing a PHP evaluator like this: <?php eval($_POST['codeInput']); ?> This is in the context of making a PHP sandbox, so sanitising against DB input etc. isn't a massive issue. Users destroying the server the file is hosted on is. I've seen Ruby simulators so I was curious...

Does Windows XP support TLS1.1 with AES256?

Is TLS 1.1 support included in Windows XP SP3? ...

PHP - Security

What is the best way to secure an intranet website developed using PHP from outside attacks? ...

.NET Windows Integrated Authentication

I'm looking for the best/easiest way to add extensions to an existing protocol (can't change the actual protocol easily) to allow the user to do windows authentication (NTLM?) in .NET. I looked at the AuthenticationManager class already but it requires that I use Web(Http)Request which isn't an option. NegotiateStream is an option either...

Are PDO prepared statements sufficient to prevent SQL injection?

Let's say I have code like this: $dbh = new PDO("blahblah"); $stmt = $dbh->prepare('SELECT * FROM users where username = :username'); $stmt->execute( array(':username' => $_REQUEST['username']) ); The PDO documentation says The parameters to prepared statements don't need to be quoted; the driver handles it f...

Do assemblies placed in the GAC gain full trust?

I've been hearing conflicting facts about this topic. What is correct? ...

Secure only Login.aspx for a site

Hi, Is it possible to secure only the Login.aspx page (and the postback) and not the whole site in IIS? We are looking to do this specifically with a SharePoint site running Forms Based Authentication against our Active Directory. Links to this will be helpful. This is what we have done so far: 1. Setup SharePoint to use FBA against ...

Reproducing the blocked exe "unblock" option in file properties in Windows 2003.

When I download my program from my website to my Windows 2003 machine, it has a block on it and you have to right click on the exe, then properties, then select the button "Unblock". I would like to add detection in my installer for when the file is blocked and hence doesn't have enough permissions. But I can't easily reproduce getti...