security

Which Type of Input is Least Vulnerable to Attack?

Which type of input is least vulnerable to Cross-Site Scripting (XSS) and SQL Injection attacks? PHP, HTML, BBCode, etc. I need to know for a forum I'm helping a friend set up. ...

Java RMI: Client security policy

grant { permission java.security.AllPermission; }; This works. grant file:///- { permission java.security.AllPermission; }; This does not work. Could someone please explain to me why? ...

New site creation and security/authentication - should I use ASP.net Membership Provider?

There seem to be many ways to skin this particular cat - but which is the best and easiest to implement? It would seem that the ASP.net Membership Provider is the one that will save more time, so my questions are: What are the pros/cons of Membership? How do you integrate the auto generated user db with your own custom made db? e.g custo...

JavaScript ClientSide vs. ServerSide Validation

Which is better to do, client side or server side validation? In our situation we are using - jQuery and MVC. - JSON data to pass between our View and Controller. A lot of the validation I do is validating data as users enter it. For example I use the keypress event to prevent letters in a text box, set a max number of character...

How to replay a SOAP message?

I would like to replay SOAP messages against my server. I've recorded a few messages and I've tampered with Timestamps, SOAP bodies etc and now I would like to see that my SecurityAssertions light up like Christmas trees. The deployed server will use client certificates and server certificates for authentication, and the whole message flow will go...

SQL Server 2005: how to change dbo login name

I have a database with user 'dbo' that has a login name "domain\xzy". How do I change it from "domain\xzy" to "domain\abc"? ...

What applications or services should I target for object-capabilities lobby?

Object-capabilities are an amazing solution/paradigm to provide security, both flexibly and robustly. Ever since I discovered them and got to understand them, I'm bothered that there are pretty much no widely used tools using or providing them, and I'd like to lobby a bit for their adoption, possibly by either designing a system with them...

Does classic ASP have its own security framework or does it use that of IIS?

I'm supporting a site that still uses mixed ASP.Net and classic ASP. The user receives a 'You are not authorized' error page while accessing a certain classic ASP page. I've checked her active directory account and she could access other pages in the said site. I wonder if it could be attributed to classic ASP or to IIS. ...

Retrieve list of defined roles in Java EE 5

I was wondering if it would be possible to retrieve the complete list of security roles defined in a web.xml file in the Java code? And if so how to do it? I am aware of the 'isUserInRole' method but I also want to handle cases where a role is requested but not defined (or spelled differently) in the web.xml file. ...

What kind of damage could one do with a payment gateway API login and transaction key?

Currently, I'm in the process of hiring a web developer who will be working on a site that processes credit cards. While he won't have the credentials to log into the payment gateway's UI he will have access to the API login and transaction key since it's embedded in the application's code. I'd like to be aware of all the "what if" scen...

How do you enforce strong passwords?

There are many techniques to enforce strong passwords on websites: requesting that passwords pass a regex of varying complexity; setting the password autonomously, so that casual users have a strong password; letting passwords expire; etc. On the other hand there are drawbacks, because all of them make life less easy for the user, meani...

How to enforce locking workstation when leaving? Is this important?

Within your organization, is every developer required to lock his workstation when leaving it? What do you see as risks when workstations are left unlocked, and how important do you think such risks are compared to "over-wire" (network hacking) security risks? What policies do you think are most efficient to enforce locking the workstat...

IIS Returning Old User Names to my application

Here's my scenario. I created an application which uses Integrated Windows Authentication in order to work. In Application_AuthenticateRequest(), I use HttpContext.Current.User.Identity to get the current WindowsPrincipal of the user of my website. Now here's the funny part. Some of our users have recently gotten married, and their n...

Using the .NET Framework security system

I was wondering - do any of you actually use the various classes in the System.Security.Permissions namespace? I mainly develop desktop/server-side components (i.e., no web) and the general assumption is that FullTrust is always available and no testing is performed on environments for which this is not the case. Apart from MS source c...

What are strategies for shielding off web resources based on business logic

I have a scenario where I'm not really sure my approach is the best one, and I would appreciate feedback / suggestions. Scenario: I have a bunch of flash based (swf) 'modules' which are hosted in my ASP.NET application. Each flash has its own directory on the filesystem, which contains assets for the flash. Consider this simplified site...

What are the best-practices around resource list authorization?

Publishing and/or collaborative applications often involve the sharing of access to resources. In a portal a user may be granted access to certain content as a member of a group or because of explicit access. The complete set of content could include public content, group membership content, and private user content. Or, with collaborati...

Row Level Security with Entity Framework

I've been trying to consider how Row Level Security could be implemented with the Entity Framework. The idea is to have a database agnostic means that would offer methods to restrict the rows coming from the ObjectContext. Some of my initial ideas have involved modifying the partial classes created by the EDMGEN tool and that has offere...

Anyone really using Code Access Security to protect their assemblies and/or methods?

Seems to me most developers completely ignore these features. People prefer handling security exceptions as generic ones relying on standard windows roles and rights instead of learning to use CAS ways of enhancing security - probably because CAS is quite confusing in its logic and naming. Can anyone suggest any general rule-of-thumb/...

Apache Webserver security and optimization tips

Hi. I'm about to deal with managing and running my first Internet connected Apache webserver and I was wondering if there are any sys admins and developers out there that would like to share some of their knowledge regarding security and optimization tips for running Apache webserver. Maybe you can share your top five (or ten) list of ...

What symmetric cypher to use for encrypting messages?

I haven't a clue about encryption at all. But I need it. How? Say you have a system of nodes communicating with each other on a network via asynchronous messages. The nodes do not maintain session information about other nodes (this is a design restriction). Say you want to make sure only your nodes can read the messages being sent. I ...