security

Centralized Authentication and Authorization for several Web Services

There are several different web services -- various technologies used, such as Java, .NET, Python, Perl, and possibly more in the future -- belonging to different organizations, and the access to those web services has to be restricted. The idea is to have a central authentication and authorization server, only responsible for granting ...

How do I prevent my .Net dll from being added as a reference?

Say I've written a .Net dll and want to distribute it with my application. How can I prevent any user with the savvy to install a copy of VS from adding a reference to this dll to their own applications? ...

How to quickly retrieve tags in array from string?

I have $_GET['tags'] = "apples, oranges, bananas, grapes, cherries" I need to place the data into an array ($tags). What is a quick way to trim each item and perform security functions (stripping html, special chars)? ...

Get NTFS file security info using Java or C++

Hi guys, I got stuck with this. I need to get permission info of NTFS files with Java or C++. That info should be stored in an Access Control List (ACL), but I don't know how to retrieve it with Java or C++. Thanks for your help! ...

Secure communications error. FTP

I'm trying to do a secure FTP file upload and keep getting errors. This is compounded by the fact that my target site is using a self-signed certificate. I've tried ignoring any issues: ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback((obj, certificate, chain, policyErrors) => { retur...

Secure password reset without sending an e-mail

How do I go about implementing a secure password reset function without sending the user an e-mail? There is another secure bit of information that I store and only the user should know, but it seems insecure to just let the user update a password just because they know a 9-digit number. Note that user data is stored in a simple SQL tab...

How can I protect a directory using PHP?

Note: this is a remote server, I don't have access to it, only to the FTP. I want to do this using purely PHP, not .htaccess. Is there a way similar to .NET, where you put the web.config file and you set who can access it and their password? ...

Java secure session

Whenever you authenticate, your application should change the session identifier it uses. This helps to prevent someone from setting up a session, copying the session identifier, and then tricking a user into using the session. Because the attacker already knows the session identifier, they can use it to access the session after the user...
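The rotation described above, as an added example that is not part of the original post: a servlet login handler that gives the session a fresh identifier once the credentials check out, so a JSESSIONID the attacker planted before login no longer maps to the authenticated session. It assumes a Servlet 3.1 or later container (for `changeSessionId()`) and a hypothetical `Authenticator.check(user, pass)` method standing in for the real credential check; both are assumptions, not something the post specifies.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the original post): on successful login, rotate the
// session identifier so a fixated session ID is useless to the attacker.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");

        // Hypothetical credential check; replace with the application's own.
        if (user == null || pass == null || !Authenticator.check(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only now, after authentication succeeded, does the session become
        // valuable, so this is the moment to discard the pre-login identifier.
        HttpSession session = rotateSessionId(req);
        session.setAttribute("user", user);
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /**
     * Servlet 3.1+: the container re-keys the existing session in place,
     * keeping its attributes, and sends a new Set-Cookie for JSESSIONID.
     * Any cookie value the attacker knew before login now refers to nothing.
     */
    static HttpSession rotateSessionId(HttpServletRequest req) {
        HttpSession session = req.getSession(true);
        req.changeSessionId();
        return session;
    }

    /**
     * Equivalent for containers older than Servlet 3.1, which lack
     * changeSessionId(): copy the attributes, invalidate the old session and
     * create a new one with a fresh identifier.
     */
    static HttpSession rotateSessionIdLegacy(HttpServletRequest req) {
        HttpSession old = req.getSession(true);
        Map<String, Object> saved = new HashMap<>();
        Enumeration<String> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            saved.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Rotate on every privilege change (login, and also logout by invalidating), not just once per visit; copying attributes across in the legacy variant is deliberate so that anything stored before login, such as a shopping cart, survives the rotation while the identifier itself does not.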

Iframe Security Issues

Hi, we recently had a scenario in which an iframe snippet on a server A was pointing to a URL on server B. There was some malware being installed by server A on some clients. Can this iframe be the cause? As in, the hacker injected his URL into the iframe's src. What can be the alternatives to iframes, etc.? ...

Cookie Security of Pop-Up Window

I have been to some CSS/HTML/JS discussion boards which provide a text box to enter the HTML and a "Run it!" button to run the HTML in a new pop-up window. I want to make one also, which is easy in jQuery: function try_show_result() { var code = $("#try-input").val(); if (code !== "") { var newwin = window.open('','',''); new...

What security issues should I look out for in PHP

I'm just starting out learning PHP; I've been developing web apps in ASP.NET for a long while. I was wondering if there are any PHP-specific security mistakes that I should be looking out for. So, my question is: what are the top security tips that every PHP developer should know? Please keep it to one tip per answer so people can vote up...

What is the best way to hide/encrypt a String in ObjC/C?

I have a string in my code that I use as a secret when I communicate with my server. What is the best way to encrypt this string to ensure that a hacker will not be able to find it out by searching my binary or looking into the memory during run time? (If possible to prevent at all?) What are some measures you would suggest to at least m...

.NET Secure Memory Structures

I know the .NET library offers a way of storing a string in a protected/secure manner: SecureString. My question is, if I would like to store a byte array, what would be the best, most secure container to hold this? ...

.NET Web Service Security

I have a C# web service on our website and I only want to be able to call it locally where it's hosted, restricting access from the outside world. What's the easiest way to do this without a login form? We cannot restrict the web service directory per IP (because I don't believe it's static). ...

ACL Check/Management in C#

I am wondering if there is a way to check a user's permissions against an ACL in C#. I am building a large system that is going to use Active Directory for authentication and I would like to use as much of the Windows security plumbing as I can. After spending the last couple of hours browsing System.Security.AccessControl I am not sure t...

Do we need to create three XML files for each encrypted config file?

Hi guys, I was wondering whether I need to create three XML files for the 3 config files which I'm trying to encrypt, or do I need 1 XML file for 3 config files? In other words, can I use the same XML file to decrypt all 3 config files? ...

Different access levels with PAM

Currently I have a graphical application that has two levels of access, operator and administrator. The login and authentication is all home-brewed and I'd like to switch the application to use PAM instead. I'm not sure what the right way to do that is. Correct me if I'm wrong, but it seems that PAM boils down to a "yes" or "no" check--y...

Securing ASP.NET MVC Application Checklist

I am looking for a set of guidelines or a checklist that you can go over for securing a public ASP.NET MVC Website. I just want to make sure that I am not making any of the obvious and well known issues when deploying a website. Thanks. ...

PHP Secure Login - Client-side options?

OK, now I am confused. I have been getting advice from SO users on libraries to use with CodeIgniter for authentication. I have explored dx_auth and simpleloginsecure (I think I will use the latter due to its supposed secure hashing and small footprint). BUT, what about hashing the password on the client side? I haven't seen any mentio...

Is using AD credentials entered into form fields as opposed to the browser integrated auth window bad practice?

I'm looking for a bit of feedback on the practice of requesting users to authenticate to an intranet-based web app by entering their AD credentials directly in form fields. For example, using domain\username and password fields as opposed to using the native browser-based challenge window for integrated authentication. In the form-based ...