security

Securing user-data - for use in method calls, SQL and file calls

I am using $_GET, $_POST and $_COOKIE variables in method calls, SQL queries and file calls - and it is necessary to escape / rewrite this user-data for better security (avoid injection attacks and the like). How would you recommend this is done? Some ideas from built-in escape function ... to get the juices flowing: Add backslashes t...

Is finding the symmetric key possible when the message is short and known to an attacker?

Hello, I need to encrypt several parameters in a request (with Java, AES (CBC), 128-bit key): String toencrypt = "name+birthdate+appid+userid" I have to assume that an attacker can guess all the values. What impact does this have on guessing/finding the symmetric key? Are symmetric keys nevertheless secure even if the content t...

php security: Using MD5, SHA1, Salting

Currently many of my passwords are stored with a mixture of md5's and sha1's; however, I've just been introduced to salting, and wanted to know the breakdown of what might be the most secure. I'm certain that a simple md5() can easily be revoked, however what about md5(sha1(md5($var))); Does this combo provide more difficulty, or is more n...

Flowing WCF Role-Based Security through to UI

I am looking for some best practices on how to handle the following scenario - flowing permissions from WCF service layer through to UI: I have WCF services with methods that have been decorated with the PrincipalPermission attribute. I would like a means to allow a client to check if they have the required permissions before invoking t...

SOAP header Axis1.3 wsp security

I have to expose/provide the service method in which I have to implement the SOAP header security. Below is the sample SOAP header which I have to implement in my service method. I am using Axis 1.4, Tomcat 5 and Java 1.5. Response XML: please ignore ' from XML. Please consider it as XML. '<'S:Header'>' '<'wsp:authentication'>' ...

Difference between CookieStore Sessions and Encrypted Cookies in Ruby On Rails

I was wondering whether there is any difference between a session and an encrypted cookie (configured to expire as the session cookie does). Aren't they the exact same thing? Or does Rails provide extra security for sessions? ...

What is a simple and secure way to transmit a login key from one website to another while redirecting a user?

I want to create a portal website for log-in, news and user management. And another web site for a web app that the portal redirects to after login. One of my goals is to be able to host the portal and web-app on different servers. The portal would transmit the user's id to the web-app, once the user had successfully logged in and bee...

Preventing access to files if a user types the full url on the address bar

Hi. I have a website; some folders on the website contain images and files like .pdf, .doc and .docx. The user can easily just type the address in the URL to get the file or display the photo http://site/folder1/img/pic1.jpg, then boom.. he can see the image or just download the file. My question is: how to prevent this kind of acti...

Design guidelines for secure JEE web applications and Seam

I am in the process of designing a JEE web application. It consists of: - backend module (EJB 3.0) - 3 web modules (JSF). Our application must be secure, so some colleagues claim that it must be split into two or more separate servers - backend on one server, webapps on other(s). In our case performance isn't a problem but this architecu...

Crypto, hashes and password questions, total noob?

I've read several stackoverflow posts about this topic, particularly this one: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords but I still have a few questions, I need some clarification, please let me know if the following statements are true and explain your comments: If someone has access to your d...

Self-hosted NetTcpBinding between two machines *not* on the same domain

I have a self-hosted (console app for the time being) WCF application that needs to be hosted on a machine that is separate from the clients - So there is no security link via a Windows Domain between the server and clients. What options are there for using Message-level security with this set-up? A colleague has told me that the commun...

Download prevention like RapidShare.com? How is it working?

Hi, I want to prevent downloading the zip file from my site. It should only be allowed for some time (at the time of payment). How can it be possible to expire that link or something like that to prevent my zip files from being downloaded? How is rapidshare.com working? We can see the URL but it is not possible to download?? ...

Are Flex/Flash based applications susceptible to XSS attacks? What are the various ways in which such attacks can happen?

Are Flex/Flash based applications susceptible to XSS attacks, what are the different ways in which the attack can happen, and how to prevent/detect such attacks? ...

Constrain the consumption of a web service to certain apps

Is there a way I can configure my ASP.NET web service to work with only some applications? In other words, I am saying "only these applications have access to this web service and can therefore use it. Others can't". When other applications try to discover the service, it shouldn't even show up, or at least it should conceal its web me...

Restrictions on what an unsigned Java applet can do?

I'm trying to compile a complete list of all restrictions placed on unsigned Java applets (defined as things a normal Java application can do, but an unsigned Java applet cannot). This is the list I've compiled so far: An unsigned Java applet ... Cannot access the local filesystem. Cannot access the system clipboard. Cannot initiate ...

Why is IsInRole throwing an error?

I have an MVC application that is using a mix of Windows and Forms authentication. The database is on a hosted server and I'm using my local IIS (5.1). Everything works fine until I try using IsInRole("role") - I get: The trust relationship between this workstation and the primary domain failed. I suspect this may be OK when the application is depl...

Security of a password-only login?

I'm working on an admin page in PHP in which a user system seems like overkill. I was thinking of just requiring one password to access the admin page, but I'm not sure if it would be safe to do so. I can't see any specific security problems that this might pose; can anyone else think of any? Edit: By "a user system is overkill" I meant th...

Non-java webApp to authenticate against Java servlet

Hi, we have a J2EE webapp deployed to JBoss. This webapp is used for authentication purposes. Now we would like to have other webapps that are not written in Java communicate and authenticate against this webapp. The reason we want to do this is: Suppose we have a small webapp that does a simple task for the user. This webapp could be...

Security issues in accepting image uploads

What are the major security issues to consider when accepting image uploads, beyond the normal stuff for all HTTP uploads? I'm accepting image uploads, and then showing those images to other users. How should I verify, for example, that the uploaded image is actually a valid image file? Are there any known vulnerabilities in viewers th...

Is there any security risk if we install SSL Certificate at the load balancer instead of the servers?

Hi! I'm doing a bit of research on this, so is there any security risk if we have the SSL certificate installed at the load balancer instead of the server? And what is the industry best practice to install SSL certificates? On the server, load balancer, or ADC? Thanks a lot! ...