I know there are a lot of client-side solutions for nasty adware and their recursive links, but I was wondering if it is possible to use a script in the HTML to prevent the links from displaying in a user's browser who has adware on their machine and is visiting my web site?
I am NOT a programmer. I am a designer, and I know just enough t...
I am using Visual Studio 2008 to build an MSI install package. Within the install I have numerous custom actions. Within the OnAfterInstall custom action I attempt to start an exe which is deployed by the install. The exe starts ok, but runs within a security context of NT AUTHORITY\SYSTEM (i.e. under the elevated privileges granted t...
I have a process which is running within the security context of the local system account. From C#, how can I start (using System.Diagnostics.Process.Start) a process that will run within the security context of the currently logged-on user, not the system account?
...
I have a web form and I'm using PHP. I'm aware that forms can be manipulated (I believe it's called a replay attack or a man-in-the-middle attack). So I'd like to use some authenticity token as a hidden field.
The threat possibilities that I'm aware of are:
Attacker hijacks the legitimate user's form (this I believe is the man-in-the-m...
Suppose I have a static IP in a subnet that has a DHCP server. If I am going to send a DHCPINFORM message to the server, what will happen?
amit
...
Say the path of your URL is:
/thisisa"quote/helloworld/
Then how do you create the rel=canonical URL?
Is this kosher?
<link rel="canonical" href="/thisisa&quot;/helloworld/" />
UPDATE
To clarify, I'm getting a form submission, I need to convert part of the query string into the URL. So the steps are:
.htaccess does the redi...
I'm using Python's xml.dom.minidom to create an XML document. (Logical structure -> XML string, not the other way around.)
How do I make it escape the strings I provide so they won't be able to mess up the XML?
...
Hi,
I just discovered that one of my sites was considered by Chrome as malware.
Here's what Google Chrome is showing:
The website at ___ contains elements from the site ___, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware ...
When we say dictionary attack, we don't really mean a real dictionary, do we? My guess is we mean a hacker's dictionary i.e. rainbow tables, right?
My point is we're not talking about someone keying different passwords into the login box, we're talking about someone who has full access to your database (which has hashed passwords, not p...
I have a website registration page, and I'm trying to compile a list of what I need to do to protect it. If you know of an attack, please name it, and briefly describe it preferably with a brief description of its solution. All helpful answers/comments receive an up vote.
Here's what I have in mind so far: (and adding what others are s...
When using the standard authentication module in Django, a failed user authentication is ambiguous. Namely, there seems to be no way of distinguishing between the following 2 scenarios:
Username was valid, password was invalid
Username was invalid
I am thinking that I would like to display the appropriate messages to the user in thes...
Is it a huge security flaw to allow users to connect to your server via Remote Desktop? Right now I have a setup where I only allow a couple of IP addresses to connect via the RDP port, but I am thinking of removing this and allowing all IPs to connect so I can RDP with my iPhone if there is some problem when I'm not at home.
So as long as ...
I have some PHP source code that I'm hosting with hosting company XYZ. I'm using a PHP encryption software like Zend Guard or ionCube to protect the source from being viewed by anyone (sysadmin or hacker that hacks the sysadmin).
How easy/hard is it for someone who has full access to the system (like the sysadmin or hacker that hacks t...
I currently have an open WCF service running w/ netTcpBinding; however, I need to encrypt this channel. Does WCF support 3DES, or should I just handle the encryption/decryption on my authorized client/server?
Thanks;
...
I want to be able to do a code comparison between stored procedures in production and code in QA to visually verify what is about to be implemented.
Then, once implemented, I want to be able to compare production code to QA to verify that everything was deployed as expected.
To do this, I need read access to db objects in the producti...
I am creating an ASP.NET MVC application and I'm currently using the built-in Authentication/Authorization code that comes with the sample MVC app. For the most part this is working ok and I kinda understand what's going on.
What's concerning me, though, is that now I kind of have my users stored in two different tables across two datab...
I need to block access to my entire site via IP Address except the url /api which should be open to all.
I am currently using ...
<LocationMatch /admin>
Order Deny,Allow
Deny from all
Allow from [MY IP]
</LocationMatch>
This blocks access to URLs starting with /admin. But I want to block all URLs except the ones that start /...
I am trying to utilize some code found here to store and retrieve username and password. However, when I add the class (SFHFKeychainUtils) I get the following errors:
"_kSecAttrAccount", referenced from:
_kSecAttrAccount$non_lazy_ptr in SFHFKeychainUtils.o
"_SecItemDelete", referenced from:
+[SFHFKeychainUtils dele...
Hi,
I have a WSGI application running in PythonPaste. I've noticed that the default 'Server' header leaks a fair amount of information ("Server: PasteWSGIServer/0.5 Python/2.6").
My knee-jerk reaction is to change it... but I'm curious what others think.
Is there any utility in the server header, or benefit in removing it? Should I f...
During registration, I'm debating how I should set user password:
Let the user choose it. If I do this, I have to enforce some standards (length, weakness, may involve regexes, etc.). What do you normally do when you choose this way and why? Is there a library available for PHP for this?
Auto-generate the password for the user and email...