I need to "impersonate" a user in a VB.NET 2008 WinForms application, so that the application can accept the Active Directory login of any user on a PC regardless of who is actually logged in to Windows. I want the application's My.User to be the AD account of the person who logged in to the application. I succeeded in this with the foll...
Assume I have a webpage where people submit Java source code (a simple class).
I want to compile and run the code on my server, but naturally I want to prevent people from harming my server, so how do I disable java.io.* and other functions/libraries of my choice?
A regexp on the source code would be one way, but it would be "nicer" if ...
I am curious: if I have many files, some as big as a few KB, some as little as 2, 4, 8 bytes, will there be a security hole? What if I have 10,000 files on a single disc all encrypted with the same algorithm (let's say SHA512, since I know SHA512CryptoServiceProvider exists)?
Would that be a security vulnerability? Since so many files use th...
Hello,
Apologies for the seeming obviousness of this question, but for whatever reason I haven't been able to find a definitive answer in the Apple documentation about where and how Settings.bundle password info is stored. My question: if I need to store some credentials for an app, and I use a Settings.bundle so that the password is en...
I have a private folder on my domain like
http://example.com/protected
and I stored a lot of images and PDF files there
/protected/pad1.pdf
/protected/pad2.pdf
/protected/pad1.png
/protected/pad1.png
Suppose these are the files; how can I hide or protect access to these files with the help of an .htaccess file?
allow only users those...
I am thinking of writing an app to encrypt many files before burning to disc. I burnt a disc with TrueCrypt and had problems copying the good files when the volume has bad sectors (http://serverfault.com/questions/48839/backup-on-disc-using-truecrypt-corruption-problem). I am not doing a complex application nor want to replace truecrypt an...
I've always wondered why websites don't offer a "variable password" option, in which a user's password is constantly changing based on the day of the week or time of the day. e.g. "my password is 'foo' followed by the current hour of the day, always expressed as two digits".
I understand basic security 101, the need for trapdoor functi...
I need to store hashes of passwords on disk. I am not entirely sure which hash function to use (they all seem somewhat troubled at the moment), but I am leaning towards SHA-256.
My plan is to take the user's password and combine it with their user ID, a random user-specific salt, and a universal site-wide salt. Should I concatenate thes...
I'm trying to figure out how to use PowerShell V2's Send-MailMessage with gmail.
Here's what I have so far.
$ss = new-object Security.SecureString
foreach ($ch in "password".ToCharArray())
{
$ss.AppendChar($ch)
}
$cred = new-object Management.Automation.PSCredential "[email protected]", $ss
Send-MailMessage -SmtpServer smtp.gmail.c...
WCF has a rich security model, I hope everyone can agree upon that as a given. I recently came across a situation where our client applications (WCF based applications that leverage the user's credentials within the domain) needed to communicate with services we had to deploy to a data center outside of our domain and control. Conseque...
I want to set up TFS permissions to better reflect the responsibilities and levels of clearance of different roles within my organization; I'm finding that the default Reader and Contributor groups are too coarse-grained for my needs (and too loosely named).
To keep maintenance overheads to a minimum, I'm therefore thinking of replacing...
I have a 2-step form. The second step is quite lengthy and the visitor may want to complete it at a later time. What I have done is generate a uid with sha1 using a combination of details: first name, email address and salt, and I email the visitor the link, e.g.:
http://www.mysite.com/form/step2/[sha1 uid]
so when they click the links they c...
In one android application, I created a database file in data/data/com.rams/databases/dbfilename.
If I created a second application with the same package name (com.rams) and I access the database file created with my first application, the second application is able to access the database contents.
How can I secure the database file cr...
Is there a reliable way, using PHP, to determine if a request comes from the same host that the PHP script is hosted on? In other words, is there a way to determine if the client and server computer are the same?
...
I am developing an Asp.NET site for a customer, and want to make sure I am using a secure authentication scheme.
In my user table, I have an authentication hash column that is calculated as sha1(salt + username + password). The site is being served via HTTPS. To log in, the user submits their name and password via HTTPS. The web serv...
I have a PHP script, PayPal eStores/dl_paycart, but it has the PayPal eStores "settings.php" Security Bypass Vulnerability.
I would like to know if I can prevent direct access to a PHP include file.
Would this help?
defined( '_paycart' ) or die( 'Access to this directory is not permitted' );
Thank you
...
For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc).
I am thinking: isn't it enough to encode the following chars? =, (, )
So onclick="location.href='ggg.com'"
will become
onclick%3D"location.href%3D'ggg.com'"
What am I missing here?
Edit: I do need to accept active HTML (I...
<?php
session_start();
// After user logged in
session_regenerate_id();
$_SESSION['logged_in'] = 1;
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['agent'] = $_SERVER['HTTP_USER_AGENT'];
// Session Checking
function session_check(){
if(isset($_SESSION['logged_in']) && !empty($_SESSION['logged_in'])){
if(isset($_SES...
Say I have a database containing Books and Users, and these users have certain permissions on books (like editing, deleting, etc.). Now I would write methods like the following and expose this as both an API and a web service.
[WebMethod]
Book GetBook(User login, int id) {
if (!CheckLogin(login))
throw new Exception("Login error"...
I have a Windows application that stores certain files in a directory. I would like to know if there is a way in .NET that I can restrict users from accessing that directory (by just going to that directory in Windows and grabbing files), so that only my application can add/verify/delete a file in that directory.
...