security

Are there any ActionMailer security gotchas

I know that in PHP I need to validate/massage any input that goes into an email header (e.g. the recipient's email address). Is there anything I need to be aware of with Ruby on Rails/ActionMailer as regards email security? ...
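
The check the question is asking about, as an added example in Python rather than Rails code (it is not from the question and not ActionMailer's own validation): a recipient or subject that reaches a header line must not contain CR, LF or NUL, because a line break ends the header and lets the submitter append further headers such as an extra `Bcc:`. The mailbox regex and the rendering helpers are assumptions made for the example.

```python
import re

# Added example (not from the original question). A recipient or subject taken
# from user input must not contain CR/LF: "\r\n" would end the header and let
# the attacker append further headers such as "Bcc:" or a second body.

_MAILBOX_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


class HeaderInjection(ValueError):
    """Raised when a header value could start a new header line."""


def safe_header_value(value: str) -> str:
    """Return value unchanged if it cannot break out of its header line."""
    if "\r" in value or "\n" in value or "\x00" in value:
        raise HeaderInjection(f"line break or NUL in header value: {value!r}")
    return value


def validate_recipient(address: str) -> str:
    """Accept only a bare mailbox address (no display name, no second address)."""
    address = safe_header_value(address.strip())
    if not _MAILBOX_RE.fullmatch(address):
        raise ValueError(f"not a plain mailbox address: {address!r}")
    return address


def header_block(to: str, subject: str) -> str:
    """Render the validated headers the way they go on the wire."""
    headers = {"To": validate_recipient(to), "Subject": safe_header_value(subject)}
    return "".join(f"{name}: {value}\r\n" for name, value in headers.items())


def unsafe_header_block(to: str, subject: str) -> str:
    """Same rendering with no validation, to show what the injection produces."""
    return f"To: {to}\r\nSubject: {subject}\r\n"
```

Compare `unsafe_header_block("alice@example.com\r\nBcc: eve@example.com", "Hello")` with `header_block(...)` on the same input: the first emits a real `Bcc:` header, the second raises `HeaderInjection`.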

Should Sockets be secured

I am working on an update function for a pet project of mine, and was wondering if I need to spend the time to make sure my connections are secure? Basically the client sends the version number of the software on the user's computer to a server, the server checks the user's version against the latest version available, and if a newer vers...

Upgrading and Security Implementation (Access 2000-2003 and up)

I’ve been working on a few small scale Access projects that have turned large scale rather quickly. The original designer implemented next to zero security and everyone can just walk in with a simple Shift+Enter, way beyond just a security hole for nuclear submarines to dive through, and that has always driven me bonkers. With that said,...

Can JBoss instances communicate?

I've got a Java servlet that handles file uploads, but resides in the "intranet" instance of JBoss. It needs to write files to a directory in the "internet" instance of JBoss (on the same machine). The Java servlet can't be moved to the other instance. This is with JBoss 4.2 on a Solaris box. Is there a way for this to happen? Can there...

What is the best possible way of salting and storing salt?

Hi guys, I have read about password salting, but this might sound a little odd. But how do I store and secure the salt? For example, in a multi-tier architecture, say I use the client machine’s GUID to generate my salt, then the user gets restricted to a single machine, but if I use a random salt it has to be stored somewhere. A few days back I ...

Custom authentication

My system has 2 subsystems. Each subsystem has different set of users. Each user has an extra field "SystemName" that can be used to know which system this user belongs to. In the login forms (1 form for each subsystem) I added a hidden field specifying the type of the form (containing the SystemName value). Generally, the check is rat...
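
The check described in the question, as an added Python example that is not from the question: the hidden `SystemName` field is submitted by the browser, so whoever posts the form chooses its value. A user of one subsystem can post their valid credentials to the other subsystem's login form with the hidden field changed to their own system, and the comparison passes. The fix is to take the subsystem from the endpoint that is handling the request. The user table, password digest (a placeholder for a real slow hash) and session tuple are assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Added example (not from the original question). Two subsystems, one user
# table, each user tagged with a SystemName.


@dataclass(frozen=True)
class User:
    username: str
    system_name: str
    password_sha256: str  # placeholder for a real salted slow hash


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# constructed user table: one account in each subsystem
USERS = {
    "alice": User("alice", "Billing", _digest("alice-pw")),
    "bob": User("bob", "Support", _digest("bob-pw")),
}


def _credentials_ok(user: Optional[User], password: str) -> bool:
    if user is None:
        hmac.compare_digest(_digest(password), _digest(""))  # keep timing uniform
        return False
    return hmac.compare_digest(_digest(password), user.password_sha256)


def login_trusting_form(form: dict, handler_system: str):
    """Vulnerable: the posted hidden field decides which subsystem the user
    must belong to, but the session is issued for the subsystem whose form
    this handler serves."""
    user = USERS.get(form.get("username", ""))
    if _credentials_ok(user, form.get("password", "")) and \
            user.system_name == form.get("SystemName"):
        return (user.username, handler_system)
    return None


def login_for_system(form: dict, handler_system: str):
    """Fixed: the subsystem is a property of the endpoint, not of the form."""
    user = USERS.get(form.get("username", ""))
    if _credentials_ok(user, form.get("password", "")) and \
            user.system_name == handler_system:
        return (user.username, handler_system)
    return None
```

With `{"username": "bob", "password": "bob-pw", "SystemName": "Support"}` posted to the Billing endpoint, the first handler hands Bob a Billing session; the second refuses him there and only admits him at the Support endpoint.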

Java DLL security general question

I understand that Java can load/execute DLL code, but I'm wondering if there are any security checks to prevent untrusted code from the system being called by a JVM. Couldn't this destroy the system -- are there any OS features that prevent this? Or can someone just write in Java itself some method that prevents untrusted code from being...

How to restrict program resources + rights in JVM/OSGi?

I want to create a website where people can solve programming tasks and eventually upload their solution (in any JVM-language) in order to verify it and share it with others. I figured OSGi (learning it right now) might be a good tool to handle this task (is it?). But obviously I'm a little anxious about letting other people execute t...

How to sign a custom JCE security provider

Sun's PKCS11 JCE security provider is lacking some functionality we need. So I wrote an enhanced version of it using the original sources. Unfortunately the JCE infrastructure rejects the new provider "JCE cannot authenticate the provider" because it is not properly signed. javax.crypto.JceSecurity.verifyProviderJar(...) throws. (it ca...

Looking to add basic security to a WCF service

I have a WCF 3.5 service and it runs great. It is using basicHttpBinding and IIS 7 hosted. I'd like to add some minimal security to it, maybe a username and a password. Can someone give me some really basic instructions? What do I need to add to my web.config file? ...

What are the risks of storing a user password in a Cookie, when the connection is via https?

A Note: I have a very good understanding of sessions and the theory of secure web-based authentication, etc., so please don't start with the basics, or give ambiguous answers. I am not looking for Best Practices, because I am aware of them. I am looking for the real risks behind them, that make the Best Practices what they are. I have r...

How do I access autogenerated validation and decryption keys in ASP.NET?

If I have the DecryptionKey and ValidationKey set to AutoGenerate in the machineKey section of the machine.config, how do I look up from .NET the actual generated keys which have been created? We wish to use the same keys to encrypt and validate our own cookies. Any clues/tips gratefully received. ...

PHP: How can I prevent attacks from URL links written by users?

When a user enters a web URL in a comment, that URL becomes a link. How do I prevent attacks from those links? Any measures I can take? Thanks ...
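
An added example, in Python rather than PHP and not from the question, of what "safe linkification" has to cover. Two separate problems hide in "the URL becomes a link": the URL text is untrusted HTML, so it must be escaped both in the `href` attribute and in the link text, and the target is untrusted navigation, so only `http`/`https` URLs are linked and the anchor carries `rel="nofollow noopener noreferrer"`. The regex and the trailing-punctuation rule are assumptions for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Added example (not from the original question). Everything in the comment is
# escaped; only URLs that pass safe_href() become anchors.

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
SAFE_SCHEMES = {"http", "https"}
TRAILING_PUNCTUATION = ".,;:!?)"


def safe_href(url: str):
    """Return the URL if it is a plain http(s) URL with a host, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return url


def linkify(comment: str) -> str:
    """Escape the whole comment, turning validated http(s) URLs into links."""
    out, pos = [], 0
    for match in URL_RE.finditer(comment):
        out.append(html.escape(comment[pos:match.start()]))
        raw = match.group(0)
        url = raw.rstrip(TRAILING_PUNCTUATION)  # "see http://x.example." keeps the dot as text
        trail = raw[len(url):]
        href = safe_href(url)
        if href is None:
            out.append(html.escape(url))
        else:
            out.append(
                '<a href="{0}" rel="nofollow noopener noreferrer" target="_blank">{1}</a>'
                .format(html.escape(href, quote=True), html.escape(url))
            )
        out.append(html.escape(trail))
        pos = match.end()
    out.append(html.escape(comment[pos:]))
    return "".join(out)
```

A `javascript:` URL never matches the pattern and so is emitted as escaped text; a `"` inside a pasted URL cannot close the attribute because the match stops at it and the rest is escaped.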

Logging authentication attempts including passwords

I'm writing a comprehensive authentication system for an application and I was planning on logging failed authentication attempts in order to implement better security. I would like to check failed passwords for both brute force and dictionary attacks, however the only method I could think of doing this is by storing the raw password. ...
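
An added Python example (not from the question) of detecting brute-force and dictionary attacks without persisting the raw password: the guess is needed only at the moment of the failure, where it is checked against a wordlist and then discarded, while the log keeps account, source address, time and the wordlist verdict. A failed guess is often the user's real password mistyped or reused from another site, which is why it should not reach a log. The wordlist, window and threshold are assumptions for the example.

```python
import time
from collections import defaultdict, deque

# Added example (not from the original question). Nothing derived from the
# attempted password is retained beyond a boolean "was it in the wordlist".

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}  # constructed stand-in for a real wordlist
WINDOW_SECONDS = 300  # assumption
THRESHOLD = 5         # assumption: failures per account/IP inside the window


class FailureLog:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.by_account = defaultdict(deque)  # username -> failure timestamps
        self.by_ip = defaultdict(deque)       # source ip -> failure timestamps
        self.entries = []                     # what actually gets written out

    def _prune(self, timestamps, now):
        while timestamps and timestamps[0] < now - self.window:
            timestamps.popleft()

    def record_failure(self, username, attempted_password, ip, now=None):
        now = time.time() if now is None else now
        entry = {
            "ts": now,
            "user": username,
            "ip": ip,
            "in_wordlist": attempted_password.lower() in COMMON_PASSWORDS,
        }
        del attempted_password  # the guess itself is gone from here on
        self.entries.append(entry)
        for key, table in ((username, self.by_account), (ip, self.by_ip)):
            table[key].append(now)
            self._prune(table[key], now)
        return entry

    def alerts(self, now=None):
        """(kind, key, count) for each account, IP or wordlist sweep over threshold."""
        now = time.time() if now is None else now
        found = []
        for kind, table in (("account", self.by_account), ("ip", self.by_ip)):
            for key, timestamps in table.items():
                self._prune(timestamps, now)
                if len(timestamps) >= self.threshold:
                    found.append((kind, key, len(timestamps)))
        recent = [e for e in self.entries if e["ts"] >= now - self.window]
        wordlist_hits = sum(1 for e in recent if e["in_wordlist"])
        if wordlist_hits >= self.threshold:
            found.append(("dictionary", "all accounts", wordlist_hits))
        return found
```

Six wordlist guesses against one account from six addresses raise an account alert and a dictionary alert while nothing per-IP trips; the same entries fall out of every window once they age past it.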

Security weak link

I've read a ton of information about hashing and salting passwords, do's, don't etc. The problem I see is this: If a hacker is going to go through the efforts of stealing the list of hashed passwords, doesn't he then have access to all the data that is password protected? It's like storing the combination to a safe, in the safe. Brea...

What does Silverlight 4.0 Trusted Mode mean on a Mac?

Are there any special considerations we will need to take into account for Mac scenarios? Furthermore, with features such as COM interop which aren't applicable on a Mac, how do you give visibility of these capabilities to your code? if (Silverlight.Environment.SupportsCOMInterop) { // do stuff } More generally, could your code de...

ckeditor 3.0 causes "unauthenticated content" when simply included on an HTTPS page

When I include ckeditor aka fckeditor (version 3.0.1 revision 4391), which I downloaded from their site last week, into a page that is SSL encrypted, I get the Firefox broken lock icon and the warning "Warning: contains unauthenticated content". However, IE8 doesn't give this error at all. I checked the headers (Live HTTP headers), and e...

Should I implement a custom properties file based authorization tag to go with authz from Acegi Security?

I'm searching for the best way to handle view-level authorization (where you hide markup based on a user's roles). The typical way to do this is with the Acegi Security authz tag, as follows: <authz:authorize ifAnyGranted="ROLE_FOO, ROLE_BAR, ROLE_BLAH"> <!-- protected content here --> </authz:authorize> The problem with that appro...

SQL Server: Best way to deny sql user access to old data

Using SQL Server, what is a simple but effective means of denying access to data older than a certain date, for some users? We can do this at the application level (a web application) but this leaves us vulnerable to scenarios such as IIS being hacked or bugs in our application. Ideally only certain SQL users should have access to certa...

How to secure XML files in a website?

Hi, I'm creating an application that is able to generate XML licenses. The application is secured by forms authentication. Now the problem is that if I create a physical XML file, that file can be downloaded even with the security enabled. How would you guys secure this license file? ...
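
An added Python example (not from the question, and not ASP.NET code) of the usual fix: a file under the web root is served by the web server before the application's authentication runs, so the generated licence goes into a directory the web server does not expose and is handed out only through a handler that checks the session and that the file belongs to that user. The per-user directory layout and the temporary private root are assumptions for the example.

```python
import tempfile
from pathlib import Path

# Added example (not from the original question). Licences live outside the
# web root; the handler checks the session and confines the path.

# assumption: licences are written as <private dir>/<username>/<name>.xml
PRIVATE_ROOT = Path(tempfile.mkdtemp(prefix="licences-"))  # constructed, outside any web root


class Forbidden(Exception):
    pass


def write_licence(username: str, name: str, xml: str) -> Path:
    target = PRIVATE_ROOT / username / f"{name}.xml"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(xml, encoding="utf-8")
    return target


def serve_licence(session_user, requested: str) -> bytes:
    """Return the licence bytes for the authenticated user, or raise Forbidden."""
    if session_user is None:
        raise Forbidden("not authenticated")
    user_dir = (PRIVATE_ROOT / session_user).resolve()
    target = (user_dir / requested).resolve()
    # the resolved path must stay inside this user's directory: this rejects
    # "../other/lic.xml" and absolute paths alike
    if user_dir not in target.parents or target.suffix != ".xml":
        raise Forbidden(f"refusing {requested!r}")
    if not target.is_file():
        raise Forbidden(f"no such licence {requested!r}")
    return target.read_bytes()
```

The web tier never has a URL that maps onto `PRIVATE_ROOT`; the only way to the bytes is `serve_licence`, which an anonymous request, a traversal attempt and a request for another user's file all fail.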