Able to do the custom LDAP authentication for external DB authorities. But when I am trying to test a wrong password, the authentication failure URL is not shown; instead my browser prints the exception details. Below is my securitycontext.xml and the exception given
<logout logout-success-url="...
I want to block access to my site from one particular IP address, how can I do that?
using htaccess or ?
...
I carry my laptop with my projects and DBs, some of them may contain some sensitive data. I want to know how to encrypt some folders. I've just downloaded Androsa File Protector, but it's too slow; with over 60.000 files and several GBs of data it takes forever. Does someone know something faster?
...
Let's just say I want to test the security of a server (http://www.testserver.com) for directory scanning/reading vulnerabilities.
I would normally try to search for a file say /etc/passwd (or something more interesting:)) by doing something like http://www.testserver.com/../../../../etc/passwd and see if it throws up anything.
Now thi...
I need to give read only permission to a couple of users on the database so that they can get an understanding of the schema, logic in SPs, etc. But I do not want them to modify anything. I tried assigning the db_datareader role but it doesn't allow viewing SP name or code. What is the right role-combination to do this or do I need to wr...
Hi all, I am really new to online web applications. I am using PHP, I got this code:
// If a 'return' parameter was supplied, append it to the redirect target
if (isset($_GET['return']) && !empty($_GET['return'])) {
    $return = $_GET['return'];
    header("Location: ./index.php?" . $return);
} else {
    header("Location: ./index.php");
}
The $return variable is a URL variable which can be easily changed by a hacker.
E...
I'm putting a user privileges identifier in user sessions after authentication.
How to restrict access to some parts of the site depending on user privileges. For now I'm checking privileges within page handlers but how to make it better?
Are there any existing templates of doing this? Could you give an example?
...
I have a login system requiring a username and a password. I want to display a captcha after a certain amount of failed login attempts. What is the proper way to implement this? I've read around on this site and some solutions suggest having a 'failed-attempts-count' added to the users table. However, I need the failed attempts to no...
Hi,
My team is working on an ASP .Net project that also uses an SWF file on certain pages.
This SWF file accesses COLLADA models located in a resources folder in the project directory.
The SWF file works just fine when launched from the Flex builder IDE.
When I try to launch the enclosing aspx page from Visual Studio, the SWF file is loa...
I have a site... let's call it mysite.com. On this site, there's the sign up section which I think should be the secure part of this site.
a) Should I enable ssl on the entire site, or just the sign up part (e.g. signup.mysite.com)
b) What are the pros and cons of enabling it for the whole site?
...
Could any of you experienced programmers / ethical hackers out there recommend some blogs or books on security/encryption? The only blogs I look at now are
.Net Security Blog (http://blogs.msdn.com/shawnfa/archive/2009/03/17/authenticated-symmetric-encryption-in-net.aspx)
Laptop Security Blog (http://blog.absolute.com/cybercrimes-more-...
Hi all,
Does anyone know if these patches http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx and http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx will apply to software built using one of the 'pure' (ie. not managed C++) .NET languages?
I believe the answer is that they are unaffected as this seems to be a...
This is an example problem to illustrate my point. I'm not looking for a solution to this problem but instead the general idea behind it.
Let's just say I've got a project that lets people load in dynamic assemblies -- the idea being "plug-ins". Let's say it runs on a Web Server. They inherit from the abstract plugin class and define a few ...
A CSRF/XSRF can be prevented using a number of techniques.
One of the techniques is to use a token unique to the client session with every request being sent by the client to the server, which is then validated on the server side. If the request token and the token on the server side match, the request is allowed to enter the applica...
Can it make the x509Certificate not expire?? If so, how??
...
Hi.
I use GnuPG and C# to encrypt files with imported public keys. But when I try to do the encryption, GnuPG encrypts the file with the public key of the main user. I'm sure that I pass the right recipient.
Any help is appreciated.
Thanks.
...
This question is inspired by Joel's "Making Wrong Code Look Wrong"
http://www.joelonsoftware.com/articles/Wrong.html
Sometimes you can use types to enforce semantics on objects beyond their interfaces. For example, the Java interface Serializable does not actually define methods, but the fact that an object implements Serializable sa...
Let's say I have an "admin" folder in my public_html and I don't want anyone except me to be able to access it. What if, instead of password protecting it (using Apache htaccess), I just rename it to "admin-7815696ecbf1c96e6894b779456d330e" and leave it open (with disabled folder indexes, of course)?
People usually freak out from such "soluti...
Hi
Is there any book on PHP site security and on scalability?
...
I have a bit of code that needs to run with elevated privileges (more than I want the rest of my code running at).
I have my code that sets up the impersonation working, but it requires a username, domain and password. As my code is in C#.NET, I know that the password can be found by anyone determined enough.
Is there a way to encrypt ...