security

What security can be added to Java Applets?

When building a Java Applet are there any steps that can be made to prevent a user invoking internal methods? Theoretically most objects can be analysed and methods can be invoked on a client machine. In addition to obfuscation are there any other steps that can help prevent this? My situation is to secure a game where the top score i...

CAC Smartcard Reauthenticate

We have one browser-based application where we want to make the user reauthenticate when they enter it. So when they access that URL we want them to be presented with the PIN prompt so they have to reauthenticate. Is there a reasonable way to do that? Added info: This is for a CAC card and the workstations have ActivIdentity and Tumble...

MVC Protecting User Based Data Security

I am starting to dabble with ASP.Net MVC. One question I have is on best practices for protecting user data. For example, in the scenario of Sales people, they should only be able to view their own data, e.g. SalesData/Edit/14. It is very easy to change the "14" to view other data which they may or may not have access to. At this poi...

Should I start my new shareware project in C# or Delphi?

I want my code to be as secure as possible. ...

Stop Direct Page Calls to Ajax Pages

Hi All, Is there a "clever" way of stopping direct page calls in ASP.NET? (Page functionality, not the page itself) By clever, I mean not having to add in hashes between pages to stop AJAX pages being called directly. In a nutshell, this is stopping users from accessing the Ajax pages without it coming from one of your website's pages i...

Does AntiForgeryToken in ASP.NET MVC prevent against all CSRF attacks?

Using AntiForgeryToken requires each request to pass a valid token, so malicious web pages with simple script posting data to my web application won't succeed. But what if a malicious script will first make some simple GET request (by Ajax) in order to download the page containing the antiforgery token in a hidden input field, extracts...

Building a simple security sandbox on Windows 2008 by automatically creating & restricting user accounts?

I want to build a fairly simple security sandbox for an application hosting service - the main goals are thus: Applications running "in" the sandbox cannot install anything onto the system outside of the directory the executable is running in. Access to the system in general is denied (registry access, et al.). Access to the file syste...

Prevent Access to Custom Web Application Pages by Non-Admin Users in SharePoint

Hi, I have a custom web application that integrates with a SharePoint (MOSS 2007) solution. I would like to add role-based access to pages in this custom web application, with only users in a specified SharePoint group or with a specific role being able to access them. Other users would be sent to the default OOTB web page, giving the mes...

A Guice-ready security framework?

Has anybody seen a framework which is either written to work with Guice or a library that integrates an existing security system (i.e. Acegi) with Guice? I have found the following thus far... http://code.google.com/p/warp-security/ (I think this is abandonware) http://code.google.com/p/warp-security/ (no documentation) ...

Flash video security?

Hi, My client wants me to convert their Windows Media Server based service to Flash video because of ActiveX. Their customers are having a hard time installing ActiveX (Windows Media Player). One of their concerns is security. They told me that customers will start downloading their contents if they convert protected wmv to flv. My question...

Grails security

Which is the best security solution for Grails among acegi, jsecurity and Stark security? Regards, Josh ...

Check/Verify if user-provided CSS is not evil

I would like to allow my webapp users to save custom CSS through a text field to modify the look of their GUI. I guess there are some evil CSS hacks out there. What should I take care about? ...

How to use Windows Security Descriptor to prevent executing other applications?

Hi, In one of my recent questions about using the CreateDesktop() API call to create a new desktop, execute my own application inside it and prevent other applications from being executed in my desktop, someone pointed me to use security descriptors! Is there someone here who could tell me how to do that? Thanks in advance! ...

More about SWFScan

I'm desperate to find the ShmooCon talk by HP's Prajakta Jagdale on SWFScan and Flash decompilation. All I could find was the HP white paper itself. Anyone who can help would be greatly appreciated. ...

Security in Winforms as it is in Webforms

Hi, I am creating an application in C# in which I want to give certain rights to the admin and some to users. Since the admin is the main owner, he has rights to access any user profile and alter it accordingly. I know that both have different logins, but how can I restrict the access for the user so that nothing can be altered without rights? Any ref...

PHP code security?

Can anyone suggest security techniques for PHP coding? How do you make your PHP code more secure? Thanks ...

Why is filter_input() incomplete?

I am working a lot on a PHP-based CMS at the moment, and while I'm at it I would like to move all the handling and sanitation of user input to one central place. (At the moment, it's a $_REQUEST here, a $_GET there, and so on). I like filter_input() very much and would like to use it for basic sanitation, but I'm unclear as to whether t...

md5 for emails too?

I'm creating a MySQL database with registered users, and I'm thinking to use md5 not only for passwords but for e-mails too. I think this choice can improve user security, but I'm not yet an expert with databases and I'm not sure if this is wise or not! I hope this isn't a stupid question! ...

IE7 Smartcard PIN Prompt

I can open as many instances of IE7 as I want and I get prompted for a cert each time (but no PIN). However, if I close any of the instances of IE7, then on the next open I get the PIN prompt. So it seems to me that the IE7 program is doing something when it is closed to tell the smart card to "expire" the current PIN. I would like to ...

Directory Security

Hi, my app is creating a directory so I can store log files in it. However, I'm adding user security to the directory, but I don't know how to make it propagate. For example, I'm adding the user Everyone to the directory with read and write access, but when my app then stores a log file in this directory, the log file has not inherited the Ever...