If I receive user input, does it make any difference if I validate first and then sanitize before saving it to the database?
Or is there any risk in validating unsanitized input?
(when I say 'sanitize' I mainly mean stripping out any HTML tags)
UPDATE & CLARIFICATION:
I wouldn't put HTML tags into the database. I would sanitize the i...
I am trying to get exec working on a Windows server and receiving the error message "unable to fork". After googling the issue a bit, it seems the recommended fix is to give the IUSR account READ and EXECUTE permissions to c:\Windows\System32\cmd.exe.
But that has got to be a major security hole, right? Is it safe? Is there another way to e...
Hi,
I need to generate UUIDs to eventually store in a database. Can I generate these UUIDs from JavaScript in the client browser (there are some examples here)?
Is there any security risk in doing it this way? I understand that anyone can modify the UUID before it's passed to the server for storing. So I'll need to check if they are tru...
I have some methods that need to run as a certain service account, so I do the normal thing:
public void DoSomeWorkAsServiceAccount() {
    ...
    // assume I am given tokenHandle
    WindowsIdentity newId = new WindowsIdentity(tokenHandle);
    WindowsImpersonationContext impersonatedUser = newId.Impersonate();
    ...
    // do the work...
How do you configure/set up your .dll file so that when it's hosted in IE and a user hits the page it just prompts them to 'trust' the application and install it and run? Currently all the doco I can find talks about adding the site to the trusted zone and running "caspol" on the command line to modify your .NET security settings, which w...
I have deployed my application to a server running IIS6 using the method which involves changing the routes to:
public static void RegisterRoutes(RouteCollection routes)
{
    routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
    routes.MapRoute(
        "Default", // Route n...
I'm dealing with a client who is "concerned about security" and they're demanding all files containing ports and IP addresses (config information essentially) must be encrypted.
My view is that IP addresses and ports are essentially public. The file may give away the nature of the server but this sort of "partial secrecy" to me doesn't...
Hi,
I'm trying to write an application that runs as a daemon and monitors
running X sessions. Right now I'm struggling to find documentation
regarding the X security model. Specifically, I'm attempting to
connect to running X displays from my daemon process. Calling
XOpenDisplay(dispName) doesn't work, I guess because my process
doesn't...
I have a WCF service talking to a web application. In the web.config files I want to encrypt the connection string section.
I'm using
aspnet_regiis -pe "connectionStrings" -app "/WebAppFolder"
for the web application's web.config and this works fine.
But when I do the same for the WCF service I get an internal server error when I try a...
Could you please advise me of some easy algorithm for hashing user passwords with MD5, but with salt for increasing reliability.
Now I have this one:
private static string GenerateHash(string value)
{
    var data = System.Text.Encoding.ASCII.GetBytes(value);
    data = System.Security.Cryptography.MD5.Create().ComputeHash(data);
    return ...
I am new to Windows services programming. I am confused about what to set the account type to while writing a Windows service.
How do I choose, or how do I determine, which account type we need to set while writing a service?
...
How does one create an administrative network share [1] with read-only permissions from C/C++ or Python under Windows XP?
[1] Necessary in order to access C:\Program Files over the share.
...
Hi all,
I want to know what the vulnerabilities are when using the GET and POST variables directly,
i.e. without the trim and addslashes functions, mysql escape string, or something like that.
My question is:
What more do we need to take care of while playing with GET and POST?
What kinds of attacks are there, like SQL injection?
...
Hi there,
I am developing an e-commerce website where some customers will be making frequent online purchases. With that said, I am trying to find a solution that will allow me to securely store credit card information, using Website Payments Pro, so customers do not need to re-enter credit card information every time that they make a p...
I need an application to run only from a specific USB flash drive. I made some tests with the WMI Win32_Diskdrive class and the PNPdeviceID property. It is a very good idea to enroll the application into a license server (web services) with this data, but I'm searching for a second method to reinforce this one in order to make the process...
Most people would be aware of OWASP WebGoat or Foundstone's Hacme Books and Hacme Bank. These are deliberately insecure applications to teach beginners about common security vulnerabilities.
On the contrary I have not been able to locate any application that is intentionally secure. Granted that no such application is completely secure,...
I have a JSON web service that I only want to provide for certain sites. It's a service that would be called through JavaScript using JSONP. How would I go about preventing (or at best making it more difficult for) unauthorized sites from accessing it? Requiring a user/password won't work because that would be plainly visible in JavaS...
I need to have the ability to have a Global variable/class that stores some basic information about the currently logged in user including that user's preferences, security rights, UserID, etc. This information will be needed by any/every part of my application.
In the past I have either used a Public variable/class in a vb.net module ...
On a website I'm working on, I would like to collect a user's name and email address to add to a mailing list.
My question is NOT how to do this, I know that part.
What I would like to know is, how would I do this so as to avoid spam, robots, etc?
I would like to prevent as much non-human interaction as possible, while keeping the HTM...
Are there any special security measures to take when deploying a Drupal site to a production server?
For instance: I can imagine that we need to remove install.php from the root directory. Are there any more actions?
Or is there maybe a module available which checks the site for "world readiness"?
...