security

What does SSL do for web applications

Does SSL provide any type of security other than simply encrypting the content of the HTTP request for web applications? ...

jinja2: html escape variables

How do I HTML-escape dangerous unsanitized input in jinja2? Can I do it inside the template, or must it be done in Python code? I have a variable that may contain da<ngero>u&s chars. How do I escape it in jinja2 ...

Verifying Restful Authentication through a Non-Ruby App

I'm trying to do authentication against restful_authentication from a PHP application; however, I understand it uses a SHA1(digest--salt--password--RESTFUL_AUTH_KEY). The issue is that regardless of how much I try, I can't get the hash to match. Reading through the documentation I see the digest is just the restful auth key, but that's where I ...

HTTP Authentication Security

My client needs a simple database CMS faster than I can tackle the ins and outs and security flaws of register globals, SQL injection, and cookie filtering. I installed phpMyEdit and secured the edit page with .htaccess. For the security experts, does this provide at least a moderate level of security? ...

Secure communication between Django server and iPhone app

I'm writing an iPhone application that needs to send small bits of information (two strings of under 128 characters each, at a time, and this doesn't happen too frequently) to a server when users interact with it. I would like this information to remain confidential, so I'm thinking some sort of encryption or secure connection would b...

What can I do to handle bad behavior from users on a website?

I am working on a project with a group, and we are making an experimental site that involves heavy user interaction. In a nutshell, the nature of the site involves heavy user posting and commenting. Based on the theme of our site, we are expecting to get controversial posts and most likely offensive material. My question is what algori...

Run .cs or .vb files without calling them in ASP.NET

I ask this for security reasons... Can .cs or .vb files be run in any way without calling them in ASP.NET? ...

Secure custom login control ASP.NET

Problem: I want to create a custom login control that posts securely to HTTPS without affecting other submit buttons on the page. If I had been writing this in ASP.NET MVC or any other language for that matter, I would just create a new form tag with a form action="https://...". Now I'm stuck in an ASP.NET web forms site. That means th...

Why shouldn't I give outsiders access to my database?

Lots of sites today have APIs that allow users to get data from the site as XML or JSON using a GET HTTP request. Flickr and del.icio.us are examples of sites with APIs. These APIs require the server to access the database, and then output the result as either XML or JSON. Why do we need this translation though? Why not just create a us...

Custom certificate validation in WCF service

Hi. I want to check client certificates in my WCF service. My goal is to allow only clients with certificates with specific thumbprints to be able to communicate with my service. My WCF service is hosted in IIS, I'm using basicHttpBinding and security mode="transport" with credential type "Certificate". IIS requires client certificat...

SHA512 vs. Blowfish and Bcrypt

I'm looking at hashing algorithms, but couldn't find an answer. Bcrypt uses Blowfish. Blowfish is better than MD5. Q: but is Blowfish better than SHA512? Thanks. Update: I want to clarify that I understand the difference between hashing and encryption. What prompted me to ask the question this way is this article, where the autho...

What's the harm in giving full trust to a website when ACLs are in place?

Some websites require full trust for whatever reason like using third party controls which require full trust. This is the scenario: say you're hosting a site with full trust and the site owner decided to do something nefarious on the system. The site can only connect to its database. The site is running under a user which is only used...

Is it safe to store (hashed) passwords in a cookie?

I've read some articles and questions on SO (e.g. here) that say you shouldn't store a user's password in a cookie. If the password is salted and hashed, why is this insecure? In particular, why is it less secure than using sessions, the alternative usually suggested? If the user wants to stay logged in then surely this new cookie (with...

What permissions are needed to install and update an ActiveX control?

We are developing a web-based point-of-sale application, which, while it mostly runs in a browser, also requires integration with hardware devices such as credit card readers. In order to provide hardware integration, we have implemented several simple ActiveX controls in C++ using ATL. We are not experienced Windows developers, and are...

Secure way to include page from GET parameter?

I'm working on a setup where the URLs will be along the lines of: http://example.com/index.php?page=about In reality they will be rewritten to that from a simpler URL. index.php will include another page, using this code: if ( isset( $_GET['page'] ) ) { $page = $_SERVER['DOCUMENT_ROOT'] . '/pages/' . $_GET['page'] . '.php'; if ( is_f...

Scripting Local Security Policy

On a server's Local Security Policy I need to give a user the right to "Allow logon locally". How do I do that through a script? ...

(ruby) Does one escape using h() in view files only for security, or in controller files as well?

I receive input in the form of URL strings (aka controller/action?example=yes), and I'm wondering if I need to escape the content of the string for security. For example, if I assign the param to a variable: example = params[:example].to_s do I need to escape anything? Or do I only apply h() when I put the value of :example back in t...

Securely Connect MySQL via PHP in ActionScript 3 using AMFPHP framework

My Flash movie would like to communicate with a MySQL server to fetch and save data between MySQL and the SWF. I know AMFPHP can help with the communication, but is there a secure way to encrypt the text sent between the 2 sides (other than hashing the password in MD5)? As far as I know, by default, AMFPHP sends out data in plain text. Also, I heard...

SSL and PHP logins

Hi all, I successfully configured a self-signed SSL certificate and configured it in the MAMP server. Now if I type https://localhost:443/ it will show the certificate. Now I would like to configure an httpsdocs (like htdocs) and implement a secure login; can anyone help me to run a simple page using SSL ...

ASP.NET Trace.axd File Security

When I use the following code in web.config to trace the application, does the tracing actually store any information in a file on the machine? I just want to make sure that information displayed in Trace.axd is not stored anywhere else for security reasons. <trace enabled="true" pageOutput="false" requestLimit="200" localOnly="true"/> ...