security

Cannot create SSPI context

Hi All, I am working on a .NET application where I am trying to build the database scripts. While building the project, I am getting an error "Cannot create SSPI context.". This error is shown in the output window (inside VS2008 screen) and the building process failed. Please help on this. SQL Server is configured to work on Windows aut...

WCF, Custom Membership Provider and HttpContext

OK, I'm really going to show my stupidity regarding the ASP.NET security model here but here goes. I have a WCF web service and I have managed to hack my way around to having it pipe through my custom membership provider. My membership provider overrides "ValidateUser" in which I attempt to load a user object with data from our SQL se...

Restricting user password character set

Working on a login system - the point where customer chooses their password for site access. Beyond using RegEx to ensure that the password is strong enough, normally on our system all data that will wind up in the database is checked against injection etc and a reasonably restricted character set is enforced on all fields. I don't rea...

How can I protect my assembly from being used by someone else?

How can I protect my assembly? Once I deploy the setup, the assembly will be deployed too, and there is a chance that a user will get the assembly from Program Files and add a reference to it in any other project or create a new project based on it! Any solution or help would be appreciated. Thanks. ...

python and securing pyc files on disk

I set django's settings.py file to chmod 600 to keep felonious folks from spying my database connection info, but on import python compiles this file and writes out settings.pyc as mode 644. It doesn't take much sleuthing for the bad guys to get the info they need from this compiled version. I fear my blog entries are in grave danger. B...

API Security - Sending CC info

I'm trying to design a payments API, and it requires the sending of CC info over the wire. So for this I was thinking of using a public key to encrypt the CC info and decrypt it on the server. Keep in mind that the connection is https also. Any suggestions on the topic? ...

How to obtain codesigned application certificate info

Hi folks, I am having a tough time finding an answer to my codesigning issues. We have an application for Mac OS written under Cocoa. Finally - we did our codesigning, but I would like to add an extra security check - within the executable itself. My idea is to validate the fingerprint of the certificate with which the current executa...

Encrypting 3rd party credentials

I have an application where I need to store 3rd party credentials to services like Amazon S3, FTP, SFTP, etc.. I know that it is possible to access some of those systems without passwords, but that has its own issues. If our customers gave us access to their S3 buckets via ACL we would still need to verify which bucket belongs to which ...

Java AJAX webapp security

I'm experimenting with creating a simple AJAX Java webapp. I'd like to use the container managed security provided by the Servlet container, but having investigated it have a feeling that it isn't going to work how I'd like it to. Basically I'd like to be able to have a login prompt on the main page, without the user having to navigate...

Jboss5, unauthenticated calls to secured EJB via @RunAs

I'm attempting to call methods on a secured EJB from an unauthenticated source (a Message Driven Bean hooked up to a queue). The MDB has an EJB injected into it via @EJB, which is fine, but the target EJB has @SecurityDomain("stuff") and @RequireRole("user"), and on execution generates huge stack traces around: 17:14:03,275 ERROR [STD...

advantages and disadvantages of using asp.net custom handlers?

What are the advantages and disadvantages of using ASP.NET custom handlers such as HTTP handlers, etc.? What kind of security issues will I face? ...

Why are CodeIgniter application files in the public_html folder?

Isn't having all of the files in public view a bad thing? Surely things such as /system/application/config/database.php should not be publicly visible! ...

Get details of object from database - keep ID secure

Hi, I have a list of books obtained from the database. When a user selects a book, I'd like it to retrieve the information for that book and display it on screen. However, I'd like to keep the ID of the book hidden from the client-side, so what would be the best way to transfer the ID of the selected book? I think my brain has melted,...

EventLog permission failing in ASP.Net on Win7

I have an ASP.NET app (.NET 3.5 SP1) running on Win7. During the login process, something within the ASP.NET login control is causing a write to the security log (this sounds acceptable to me) in the event log. The problem is that it seems the app doesn't have permission to do this. The error is: Description: The application attempted...

Does using non-SQL databases obviate the need for guarding against "SQL injection"?

This may seem like an obvious (or not so obvious) question, but let me explain. I'm coding up a Google App Engine site using Google's database technology, BigTable. Any App Engine coders will know that Google has its own limited query language called GQL. As a result, I am tempted not to do any checking for SQL (or GQL) injection in my a...

Comcast's two step login

Comcast has changed their login process so it happens in two steps. Instead of two input boxes for username and password, you submit your username first. Then on a second page you enter your password. https://www.comcast.com/Customers/CustomerCentral.cspx Due to some recent security improvements, we now require you to enter yo...

Is it OK to allow sometimes dynamic SQL without sanitization?

My partner on a PHP project objects to my practice of always sanitizing integer values in dynamic SQL. We do use parameterized queries when possible. But for UPDATE and DELETE conditions Zend_Db_Adapter requires a non-parameterized SQL string. That's why I, even without thinking, always write something like: $db->delete('table_foo', 'id = ...

secure email form, header injection query

I'm using the following to clean up input from my contact form: <?php $name = strip_tags(stripslashes($_POST['name'])); //this is repeated for several other fields, then: if(isInjected($name)) { die(); } /* see isInjected function below */ // send the mail ?> I'm using this function: <?php /* function from http://phpsense.com/p...

Javascript security / cross scripting on same server

Hello, Have some Javascript that I need to work via the following: ://localhost ://servername :/www.domainnamefortheserver.com When I run the script from http://servername with an IFRAME referencing the domain - it does not load. Is there a way to get the Javascript security model to recognize the server name, localhost and the dom...

Session Hijacking in practice

I have been reading up on session fixing/hijacking recently, and understand the theory. What I don't understand is how this would be exploited in practice. Would you have to tamper with your browser to make use of the stolen cookies? Append it to the URL and pass it to the web application? Or would you write some sort of custom script ...