security

Make MVC application safe for ajax and other attacks

I have a completely unsafe MVC application, and now I have started to think about security. Because I use a couple of AJAX calls, I will close this security hole with AntiForgeryToken. Is this a good way to stop injection attacks? Next I thought about authentication and how I could manage my users. Then I decided to use the users of my domain. But ho...

Anybody using Rhino Security?

If so, what is your experience? Do you recommend it? This is the one I am talking about: http://ayende.com/Blog/archive/2008/01/22/Rhino-Security-Overview-Part-I.aspx ...

Is there a way to force apache to return 404 instead of 403?

Is there a way I can configure the Apache web server to return a 404 (not found) error code instead of 403 (forbidden) for some specific directories which I want to disallow access to? I found some solutions suggesting the use of mod_rewrite, e.g. RewriteEngine On RewriteRule ^.*$ /404 [L] As the purpose of sending 404 ...

I want to use security through obscurity for the admin interface of a simple website. Can it be a problem?

For the sake of simplicity I want to use admin links like this for a site: http://sitename.com/somegibberish.php?othergibberish=... So the actual URL and the parameter would be some completely random string which only I would know. I know security through obscurity is generally a bad idea, but is it a realistic threat that someone can find...

Blocking write access to a specific branch in a single Mercurial repository

Is it possible to write some manner of hook in Mercurial that will reject changesets that affect a specific named branch in a repository? We have a managed project and would like to allow any developers to push their changes to our repository so long as they are in their own named branch. This allows us to manage a single buildbot and a...

Adobe AIR Security Error loading .swf with RSS

Hello, I'm trying to load a .swf file using SWFLoader in an Adobe AIR app. The problem is that after the swf loads, Adobe AIR shows me the following error. I know that this swf tries to download an RSS file from the web. SecurityError: Error #2028: Local-with-filesystem SWF file file:///xfile.swf cannot access Internet How can I fix ...

Security issue?

Hi guys, I am writing a small PHP application and I am not sure whether I have a security issue. So this is what the application does: the user can upload either image files (png, gif, jpg, jpeg, tiff and a few others) or zip files. I check the MIME type and extension, and if it's not allowed I don't allow the upload (this is not th...

PHP: Any logical use cases for include/requiring remote source files?

http://www.php.net/manual/en/features.remote-files.php The only time I could ever think of doing include("http://someotherserver/foo.php") would be as some sort of weird intra-server service interface, but even then I could think of a million different ways that were safer to accomplish the same thing. Still, my specific question is, ...

Running a classic ASP page as under IIS account when Windows auth is enabled

I've got Windows authentication enabled on an ASP page so that I can grab the current user's username. This forces the ASP page to run as that user. I want to lock down some files that are currently being accessed by that page. Is there a way to have Windows authentication enabled and still run the page under the account that IIS is runn...

Internet Explorer XHR not sending

I'm working on a CakePHP application, running on IIS, using jQuery to handle AJAX requests. (As per usual) everything is working fine in Firefox, but in Internet Explorer (7, at least) my AJAX pagination links fail. I click the link and get this message: This page is accessing information that is not under its control. This poses a ...

Prevent poll flooding

I am in the process of building a very simple poll, but I am concerned about people gaming the poll and just submitting the same vote over and over again. I am not talking about somebody double-clicking the submit button, but maliciously trying to flood the poll with garbage. While I understand that there's no totally foolproof solution, ...

Assigning strong passwords to users

Passwords have lots of downsides but they remain the only technically straightforward way of giving some authentication to users. Let's talk hypothetically about an education-type system. Lots of people with passwords, lots of people forgetting their password regularly, lots of CS students and others trying to brute others' passwords act...

HTMLEncode script tags only

I'm working on StackQL.net, which is just a simple web site that allows you to run ad hoc T-SQL queries on the StackOverflow public dataset. It's ugly (I'm not a graphic designer), but it works. One of the choices I made is that I do not want to HTML-encode the entire contents of post bodies. This way, you see some of the formatting fr...

Security issues of letting a user being able to change their email address?

I'm developing a web app and currently I'm trying to decide whether or not to let my users change their email. If an account gets compromised, the attacker only needs to change the email and then reset the password to gain complete control of the user account. However, with no ability to change the email address, the user can regain control and s...

Interesting Security Question for .net developers

As all .NET developers know, it's possible to encrypt values in web.config. I have other XML configuration files that I read in using serialization techniques, not using System.Configuration but instead serializing to a strongly typed object. It's now become a requirement for me to encrypt some values in these XML files, not the whole X...

life critical information

Could someone please explain to me what we refer to as life-critical information and what we refer to as mission-critical information? I was searching the internet for hours but I could not find an exact definition, or at least examples of what this refers to. ...

Public Overrides Function GetBytes() As Byte() is obsolete

What does the poet try to say? Public Overrides Function GetBytes() As Byte() is obsolete: Rfc2898DeriveBytes replaces PasswordDeriveBytes for deriving key material from a password and is preferred in new applications. Should I replace this one... Dim keyBytes As Byte() keyBytes = password.GetBytes(keySize / 8) ...with what? ...

Rails - Escaping HTML using the h() AND excluding specific tags.

Hello! I was wondering, and have as yet been unable to find any answers online, how to accomplish the following. Let's say I have a string that contains the following: my_string = "Hello, I am a string." (in the preview window I see that this is actually formatted in BOLD and ITALIC instead of showing the "strong" and "i" tags) Now, I...

Silverlight equivalent to signed Java Applet?

Is there a Silverlight equivalent to signed applets in Java? I'm basically trying to host what would traditionally be a desktop application in a browser*, and I'd rather do it all in a single package (the Silverlight end) rather than delegate privileged actions to an outside (locally running) process. This would require some way of bre...

ASP.NET Security Exception

I moved an ASP.NET application from an XP machine to a new server and now I have this exception: 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, on this line of code: System.Threading.Thread.CurrentThread.CurrentCulture = new System.Globalization.CultureInfo("it-IT"); My server is so con...