I am writing a web application and for certain actions the user needs to enter a One Time Pin (OTP) - similar to most banking websites.
So I basically need to generate a random string, store it somewhere, send it to the user and then validate the entered pin against the one I stored.
Is it safe to store this generated string in the ASP...
I need to grant a db_datawriter before executing SqlBulkCopy and remove it after:
try
{
    // Grant the role via SqlCommand; conn is the open SqlConnection used for the bulk copy
    using (var grant = new SqlCommand("EXEC [db_mod].[sys].[sp_addrolemember] N'db_datawriter', N'my_user'", conn))
    {
        grant.ExecuteNonQuery();
    }
    bulk.WriteToServer(table);
}
finally
{
    // Revoke the role again via another SqlCommand
    using (var revoke = new SqlCommand("EXEC [db_mod].[sys].[sp_droprolemember] N'db_datawriter', N'my_user'", conn))
    {
        revoke.ExecuteNonQuery();
    }
}
but I'm getti...
So let's say that in your application you have to handle data content security, in such a way that the application defines several "Entities" that have to be secured so that a user cannot view, edit etc. certain code ranges. Let's say we have secured entities such as Location, Department, Division, ProductLine etc. and each user gets associat...
OK. So here's my simplified scenario. We have a system which handles orders for a number of clients. We want staff users to be able to view all orders and we want client users to only be able to view orders which relate to them.
When attempting to view a particular record we make use of the following function in our OrderSecurity class:
...
I don't know much about poking at servers, etc., but in light of the (relatively) recent WordPress security issues, I'm wondering if it's possible to obscure which CMS you might be using from the outside world.
Obviously you can rename the default login page, error messages, the favicon (I see the Joomla one everywhere) and use a non-defau...
I have made an application in Java. Now I want to deliver it to several clients. I want each client to have to purchase a serial key to use that software. Without that key, the software shouldn't run, just like other software on the market.
How can I do that?
I know that I can't protect it fully. I just want a simple serial key func...
I realize that the OAuth spec doesn't specify anything about the origin of the ConsumerKey, ConsumerSecret, AccessToken, RequestToken, TokenSecret, or Verifier code, but I'm curious if there are any best practices for creating significantly secure tokens (especially Token/Secret combinations).
As I see it, there are a few approaches to ...
I know I can use stored procedures to eliminate SQL injection attacks, but it would bloat the code by more than I'm willing to accept and make it costly to maintain.
In my dynamic SQL query, I would like to search a string of text in 2 columns in one of my tables, but before that happens, I would like my business layer, which is written...
When in a page triggered by an exception, what vulnerabilities is a PHP page open to?
I am using Kohana and am used to triggering exceptions (404, runtimes, etc.)
But I recently read a book (19 Sins in Software Security) that says a site in an unstable state (i.e. in a page triggered by an exception) is open to critical attacks.
I am worr...
I am relatively new to Spring and Spring security.
I was attempting to write a program where I needed to authenticate a user at the server end using Spring security,
I came up with the following:
public class CustomAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider{
@Override
protected void additionalAuth...
I am relatively new to the Spring Framework and Spring security.
I have used a custom authentication scheme, HTML:
<form action="j_spring_security_check">
<input type="text" name="j_username" value="abc"/>
<input type="text" name="j_password" value="abc"/>
<input type="text" name="myCustom1" value="pqr"/> <!-- maybe type="h...
If it is good style and security to store passwords securely and properly, then shouldn't the same be for web pages that require a user to enter a password?
Consider this example:
<script>
function copy() {
var text = document.getElementById('text');
var pass = document.getElementById('pass');
text.value = pass.value;
}
...
We're developing a set of applications that need to communicate with each other in the user's session. These applications do not require any administrative privileges to run, but as soon as one of them tries to open an HTTP listener, it fails due to lack of administrative credentials. On the other hand, since the user doesn't have any a...
Hello all,
I would like to know the paths of certain files that a user is about to upload using my form. I know this isn't allowed using JavaScript for security reasons, but the system I am building is an internal one for staff. Is there maybe a JavaScript certificate or something that I can place on our servers to say that I can do this...
We are planning to buy a product that's developed on ASP.NET MVC, jQuery, SQL 2005, basically the latest MS stack. This product is going to store some very highly sensitive data.
So, we need to evaluate that product in terms of security.
But I'm confused as to how I can certify that this product is secure and we can buy it.
I don't ...
Running MySQL Ver 14.14 Distrib 5.1.37 on Mac OS X 10.5. Logs contain the following message
Suspicious setup: User "mysql" maps to user: _mysql
Should I be concerned?
...
From a C# WinForms project, I want to call a .NET COM method that already exists. I've added the reference to the COM, but I can't get rid of the SecurityException "That assembly does not allow partially trusted callers".
Both projects are strongly named. I've added [assembly: AllowPartiallyTrustedCallers] at the top of the COM project, b...
I save data in a cookie to authenticate users for the next login (remember me option). This data is encrypted and hashed.
But here's the problem:
Anyone can take this cookie and put it on another machine and it will work.
I heard that this is called cookie poisoning.
How do I overcome this?
...
Hello,
According to the Linux man page for mprotect, the function has three arguments:
int mprotect(const void *addr, size_t len, int prot);
but while running ltrace on a program that I'm analyzing, I see that mprotect is called like this:
mprotect(0x8049000, 4096, 3, 1, 0xb7e057ac) = 0
What are the 4th and 5th arguments for?
Edit...
I need to set some users up to be able to create stored procedures with READ access only. Also, in production they cannot have SELECT, only EXECUTE on the procs they created. In development they would have SELECT so they could create their procedures.
I've set up a schema called Reports. The owner of that schema is a login - Report_A...