I'm in the process of building an application (a CMS to be more specific) which allows users to add Javascript to their content. There really is no way around allowing Javascript, and because of it, some security concerns are now becoming quite apparent. What we're mainly concerned about is cookie theft.
To explain the system a bit more...
Need to submit some CC data from the View to the Controller where it will be processed, can I just POST it or is there some common way of securing the data in transit?
...
I have users with accounts on Site A. Site A has been around a long time, and it's expensive (but not impossible) to change its code.
Site B (I'm working on it now!) hosts a brand new web app for the customers of Site A. The Site B app has a list of the usernames from Site A, and maintains preferences and other information about each of...
I have to create a WCF service which returns sensitive information to the client. I need to ensure that the security of the service cannot be compromised easily. I'll use WCF's built in security mechanisms to protect the data on the wire by using a wsHttpBinding with certificate security.
However, I also want to ensure that the service'...
Hi to Everyone!!
Is there any other way to get rid of this outlook security message? "A program is trying to automatically send e-mail on your behalf ... and so on" and it gives me an option to select Yes , No & Help.
I'm currently developing an Outlook automation app using MS Access. Every time I issue the Send command this message pops up,...
I have some colleagues who have built a WCF Service. Their security settings are the following:
<security mode="None">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
<message clientCredentialType="Windows" negotiateServiceCredential="true"
establishSecurityContext="true" />
</security>
Does it mak...
How do I escape parameters of queries in JDO (Google App Engine)?
For example, how do I make the next snippet safe if the variable name may contain unsafe characters such as single quotes (')?
PersistenceManager pm = ...;
String query = "select from Person where name='"+name+"'";
List<Shortened> shortened = (List<Shortened>) pm.newQuery(query).e...
As a developer new to Rails, I'd like to know what checklists seasoned Rails developers might have of things to check before putting a Ruby on Rails web site live. I am thinking that you should probably remove generated views that you aren't using, remove controller actions you don't need, remove default routes and so forth.
I'm thin...
Hi,
I have deployed an application on IIS Server with ServletExec configured. I need to run the application with Windows user credentials rather than the Anonymous User. I tried changing the username and password of the anonymous user in Properties/Security but the application stops responding; changing it back to the default Anonymous IIS user accoun...
How safe is pre-compiling a website or project in VWD?
I know that Reflector can retrieve the whole thing again (as it will be IL at the end of the day), and I heard that obfuscation won't go so far (not sure); there are tools to deal with obfuscation.
Is there a good solution to guarantee that clients don't get to the underlying So...
I have built an executable which launches a dialog box in which is embedded the IE web browser ActiveX control (C++).
I want this control to allow cross site scripting. One frame on the web page loads local html, the other loads from a server. I then want the server page to call a javascript function that lives in the local html file...
I implemented the ASP.NET security model and I am allowing/denying access to users in the web.config based on what roles they are in e.g.
<system.web>
<authorization>
<allow roles = "Admin" />
</authorization>
</system.web>
When I try and visit a page I don't have access to, it prompts me to log in but I'm already logged...
I have a Java Web Start Application which communicates against my server via a web service (over https).
I want to restrict the usage of the web service to my app only, so that 3rd party apps don't work.
What strategies do I have? This question is somewhat broad, but running in JWS disables some options, like doing a checksum over all ja...
Are there any security issues when communicating between applications on the same machine over sockets?
...
It seems to me that a lot of the problems with DNS, particularly security problems, have the root cause of DNS being implemented over UDP; for example the responder doesn't have to be who he says he is.
I don't know the details of mDNS protocol (which I assume is much newer than DNS), maybe it takes care of these problems in its applica...
So, I had a site running (http://servername) and wanted to add another URL, http: newURL to get to the same content. I wanted both sites to use the same active directory domain for users/authentication.
I extended my existing web application so that the new URL would work. I configured the authentication provider for the new zone to b...
Is it recommended to create a column (unique key) that is a hash?
When people view my URL, it is currently like this:
url.com/?id=2134
But, people can look over this and data-mine all the content, right?
Is it RECOMMENDED to go 1 extra step to make this through hash?
url.com?id=3fjsdFNHDNSL
Thanks!
...
We all know how hip it is to make our Ajax calls using address routing and HTTP GET with parameters in the URL, because the client side can cache those calls and thus server load is reduced, but where do you guys think the line is between "a neat way to address resources" and "disclosure vulnerability"? I'll give some examples:
Let's say...
I'm implementing password + password hint code and I want to prevent the user from making the password hint reveal the actual password right away.
Here are the scenarios that I want to prevent:
Let's say that the password is: foobar123
Then the password hint can't be:
"foobar123"
"The password is: foobar123"
"f-o-o-b-a-r-1-2-3"...
Hi Guys
I'm trying to implement a custom RoleProvider in my ASP.NET MVC application.
I've created a custom MembershipProvider and it works, in that I'm able to successfully validate the user. The next step is to implement the RoleProvider to restrict access to certain Controllers to Admin users only.
Can anyone provide me with a quic...