security

Configure WCF Client to Use Web Services Security Kerberos Token Profile 1.1

Morning, does anyone know how to configure WCF (any binding type, we are currently using WSHttpBinding but am happy to move to a CustomBinding or alternative if necessary) to use Web Services Security Kerberos Token Profile 1.1, the details of which can be found here: http://www.oasis-open.org/committees/download.php/16788/wss-v1.1-s...

Are /../ and /./ the only file system symbolic links?

I want to check that a file system path is valid and safe to use relative to another path. So I want to know if there are any other special characters like /../ and /./ which might cause a path to actually point somewhere else. If that is all I have to worry about then a quick replace of those chars followed by something like this to ch...

Security exception when launching c# app from network location

Hi, I have a very small utility app written in C# that works fine on my local machine, but if I put it on a network drive and try to run it from there I get the following SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c...

API authentication design and hackability

Question: Is this API authentication technique easily hackable? apiKey = "123456789" apiCallId = "1256341451" apiSecret = "67d48e91ab2b7471d4be2a8c2e007d13" sig = md5(apiKey + apiCallId + apiSecret) = 09c297a354219f173bfc49c2e203ce03 where apiKey: some unique identifier for the user apiCallId: a unique integer that ...

Initialization vector uniqueness

Best practice is to use unique IVs, but what is unique? Is it unique for each record? Or absolutely unique (unique for each field too)? If it's per field, that sounds awfully complicated; how do you manage the storage of so many IVs if you have 60 fields in each record? ...

How to secure user data in the database with Rails?

I am creating a rails application that needs to store a large amount of sensitive data. To assure my customers that the data is being protected, I want to encrypt it on a per-user basis. I have done research looking for gems that can accomplish this. So far I've found strongbox and safe. Together, this would seem to provide a solutio...

Are there any secure alternatives to XDMCP?

The title says it all: Are there any secure alternatives to XDMCP (a Linux remote desktop protocol)? I'd like to set up some thin clients -- UI heads (old computer + mouse + keyboard) connected to VMs on a fast server. ssh -Y doesn't quite cut it, since this would be for non-savvy computer users. I'd like it integrated with kdm/gdm if p...

Open Source and how it works for secure projects?

Hi, I've always wanted to make some of our company's products open-source, but we have a lot of things in our source code that would make us vulnerable. How is this handled in most open source projects? For example, we use some custom web services to do actions to our database (add accounts, delete accounts, etc.). The source code woul...

Security implications of escaping / reforming html in asp.net (working around validateRequest)

I'm having ASP.NET barf at me when I submit a form with a value like <a_ (underscore is a space). This is bad - at the very least I want to be able to gracefully handle the error; ideally I'd like the user to be able to submit anything they like and have it work as the user expects. I could set validateRequest="false" in the web.c...

Protecting Ruby Code

I'm developing a commercial project on an ARM based embedded board with a custom Linux kernel on it, using Ruby. Target workspace of the project and the device is a closed environment: no ethernet, internet, I/O devices etc... I want to protect my code/program so that it'll only work on the specific machines I let (so people can't just c...

Question about Security in a live search field

This is an odd question. I have a friend who is working on an application. There is a table with 4 fields that holds a word and a definition among some other things. On a website there is a textbox in which a user can enter a string and the database is queried and looks for similar content while the string is being entered in the box. (A...

Fastest way to send data over internet between ruby programs?

Hi, what's the best way to pass data between two Ruby programs over the internet? The data is small and needs to be passed frequently. Also, since this is happening over the internet, it needs to be secure. I'd appreciate any help, extra points for a pointer to some guides on this topic. ...

What else should I be doing to sanitize user input?

Recently, I had an audit run on some of my sites by a client. One of the things they came back with was that I could be sanitizing the input data a little better as people could still cause potential harm to the database. The function below is what I am currently using (a leftover from the old developer) but I cannot see where the pot...

Security issue with FullTrust

I have a .NET 2.0 assembly on a network share for everyone to access. I've enabled FullTrust on everyone's machine for LocalIntranetZone. However, on SOME machines (not all... that's the part that's driving me nuts) the app crashes. The error I get is below. I'm completely stumped at this point. Any thoughts would be GREATLY appreciate...

Custom Security Code

I have a GlassFish web application. I am authenticating users using a remote service. The service only authenticates a user, my application needs to handle the authorization part. I am thinking of just making a table with the users' names and roles. Is this a fine plan? ...

Get list of certificate issuers in Firefox on Linux

I need the ability to automatically check if the current user has a certificate installed from a specific issuer in the Firefox certificate store on Linux. Ideally I'd like to be able to do this from outside of Firefox; however, doing it from a plugin is also an option. The best I've come up with so far involves chaining certutil and grep bu...

Salt Generation and open source software

Hello, as I understand it, the best practice for generating salts is to use some cryptic formula (or even magic constant) stored in your source code. I'm working on a project that we plan on releasing as open source, but the problem is that with the source comes the secret formula for generating salts, and therefore the ability to run ...

WCF Nhibernate Service with Integrated Security=True error

Hello there, I am working on a WCF Service (implemented with Fluent NH), and it is hosted as a Windows Service. I am using a console application to test calling service methods. Now, when I set the connection string in hibernate.cfg.xml as <property name="connection.connection_string">Server=dev;Initial Catalog=DBTest;Integrated Security...

What is the best way to create a number-used-once security token in PHP?

For security purposes, I would like to create a security token for every CRUD operation on a site running a LAMP stack. The security token would be attached to the a href URL and would be verified after the user clicks on the link, before displaying or doing anything. First of all, is using security tokens a good first step in securing ...

ASP.NET Session Mix-up using StateServer (SCARY!)

We store two objects in session. Somehow, one of the objects from another user got loaded into a different user's session. The user should have had no access to this particular data, and as soon as they saw it they knew something was very wrong. We have visual proof of the data that was presented to him, and there is certainly no way ...