I have a WCF service written in C# being hosted on a remote machine, running as the local administrator account. From my machine logged in as an active directory user, I am sending a command that simply tells it to open a file on the network. I have access to the file, but the administrator account on the host machine does not. I'm using...
The company that I work for is wanting to provide a means of allowing our client to provide links to our site for the purposes of allowing their own clients to schedule a payment to them through us.
We want the solution to be as seamless and easy to use as possible. Our clients are not likely to have the ability to do any sort of progr...
I feel a little silly for asking this since I seem to be the only person in the world who doesn't get it, but here goes anyway. I'm going to use Python as an example. When I use raw SQL queries (I usually use ORMs) I use parameterisation, like this example using SQLite:
Method A:
username = "wayne"
query_params = (username)
cursor.ex...
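As an added example (not part of the question above), here is the same SQLite lookup done two ways so the difference parameterisation makes is visible: the string-formatted query lets a crafted username rewrite the WHERE clause, while the bound parameter is handed to SQLite as data and never parsed as SQL. It also shows the gotcha in the snippet above: `(username)` is just a string in parentheses, not a one-element tuple, and sqlite3 then treats the string as a sequence of single-character parameters. The table and rows are constructed inline for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("wayne", 0), ("alice", 1)]
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """String formatting: the input becomes part of the SQL text."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Parameter binding: the input is sent as a value, never parsed as SQL.

    Note the trailing comma: (username,) is a one-element tuple, which is
    what execute() expects for a single '?' placeholder.
    """
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def forgot_comma_fails(conn, username):
    """Shows why query_params = (username) without a comma is wrong.

    (username) is a plain str; sqlite3 iterates it and supplies one
    binding per character, so a 5-letter name against one '?' raises
    sqlite3.ProgrammingError (incorrect number of bindings).
    """
    try:
        conn.execute(
            "SELECT username FROM users WHERE username = ?", (username)
        )
        return False
    except sqlite3.ProgrammingError:
        return True


if __name__ == "__main__":
    payload = "' OR '1'='1"  # constructed injection payload
    print("unsafe:", lookup_unsafe(make_db(), payload))  # both users leak
    print("safe:  ", lookup_safe(make_db(), payload))    # no such user
    print("missing comma raises:", forgot_comma_fails(make_db(), "wayne"))
```

Run it and compare the two lookups for the same payload: the formatted query returns every row because the injected `OR '1'='1'` is now part of the statement, while the bound version returns nothing because SQLite is looking for a user literally named `' OR '1'='1`.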
I’ve got an ASP.NET web app which is trying to execute the CreateRepository method within SharpSvn so that new repos can be provisioned through a web interface. Everything runs fine when executing the app from within Visual Studio as it’s running under my own identity which has rights to the VisualSVN server instance running on my local ...
Hi guys.
Please help me with the code (Java) to encrypt and decrypt (it will be better if using a private key) with SHA256. ^^
Thank you so much!
...
For reasons not in scope of this question I have implemented a .net project in an iframe which runs from a classic asp page. The classic asp site persisted a few sensitive values by hitting the db on each page.
I have passed these variables as XML to the aspx page, now I need to make these values available on any page of this .NET si...
Recent Visual Studio 2005 security updates may be causing problems for us.
We build and internally distribute SDKs written in C++. These SDKs are a collection of header files and static libraries only. After installing the security updates our SDKs now depend on the newer versions of the MSVC CRT DLLs. These SDKs are used downstream ...
Anyone know of any good documentation on securing a JBoss installation? What I'm mainly looking at is disabling the admin console to only localhost or (even better) requiring authentication to access it.
...
What are the practices to prevent XSS in Ruby on Rails?
I found many old docs on the web and most of the time it was all about using
h/html_escape helper to escape any variable that comes from users.
I understood from newer docs that in the version 2.0 and above there is
sanitize method that is automatically cleaning the input from su...
Is it supported by Microsoft to simply rewrite the manifest of an EXE or DLL to force the use of a specific version of the MSVC CRT?
I am interested in doing this because of recent problems with Visual Studio 2005/2008 security updates (KB971090 and KB971092). I would like to simply rewrite the manifest as a post build step in order to...
I've seen a lot of questions here about specific types of attacks against websites, including SQL injection, denial-of-service, and cross-site scripting.
I would like to get a list of the common types of attacks against web sites/services, how to prevent them, how to know if you've been attacked, and how to recover from an attack, all...
I am considering deploying an existing WPF application as an XBAP application. It currently uses TCP remoting which I would likely change to HTTP remoting. What is the best way to secure the communication - will using an SSL certificate on the remoting server be sufficient or are further steps necessary in such a scenario?
...
Does anyone have a good checklist to use when doing a security code review? The majority of the focus will be on C# code with some TSql sprocs reviewed as well.
...
I am sending sensitive data through socket connection over Bluetooth, no pairing involved. The environment is windows mobile 6, Microsoft BT stack, DOTNET CF. Some article I've read suggested that the data link layer handles encryption before L2CAP layer connection is established but I am not sure how does MS BT Stack communicate with th...
Hi
Does anyone know how ASP.NET membership generates its salt key and then how it encodes it (i.e. is it salt + password or password + salt)?
I am using SHA1 with my membership but I would like to recreate the same salts so the built-in membership stuff could hash the stuff the same way as my stuff can.
Thanks
Edit 2
Never mind, I mi...
A vulnerability has recently been disclosed that affects WordPress 2.8.3 and allows the admin user to be locked out of their account by changing the password.
This post on Full Disclosure details the flaw, and includes relevant code snippets. The post mentions that 'You can abuse the password reset function, and bypass the first step an...
If I allow users to upload PDF documents (and only PDFs) is there any way a malicious user could include some executable script within or attached to the doc? What about standard word documents? What are some best practices if this is a requirement? (sorry that's totally 3 questions I know - but they all apply! ;))
I am using thoughtbot...
I know this is impossible, but how close can I get?
I'm creating achievements, and when a user 'gets the achievement' his browser tells him with a javascript popup, and sends a message to the server to update his profile.
I'd rather not have my users be able to just hit the webservice and get all the achievements. Signing the requests ...
Is there any way to implement role hierarchy in Sitecore 5.2/5.3?
...
I’m working on trying to port an ASP.NET app from Server 2003 (and IIS6) to Server 2008 (IIS7).
When I try and visit the page on the browser I get this:
Server Error in ‘/’ Application.
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the ...