security

Why same origin policy for XMLHttpRequest

Why do browsers apply the same origin policy to XMLHttpRequest? It's really inconvenient for developers, but it appears it does little in actually stopping hackers. There are workarounds; they can still include JavaScript from outside sources (the power behind JSONP). It seems like an outdated "feature" in a web that's largely interlinke...

Are cross-domain favicons a security risk?

I have a site of user-submitted news articles, and an idea I had for a feature was to grab the favicon on the target site to display along with the link. The methodology for grabbing the favicon would be checking for the favicon.ico file on the target server. Would displaying that icon as an image open any hole? Could there be some so...

Secure(r) storage of MySQL login information?

First off, I realize that there is no such thing as a perfectly secure solution (and even if there were, its usability would be crap). That said, how do you protect your MySQL database from being compromised by someone downloading your code and picking through it? Based on my experience with PHP, it seems obligatory to store it within ...

Creating an SPListItem in a WCF service deployed to SharePoint

Hi all, I have the following method in a WCF service, that has been deployed to SharePoint using Shail Malik's guide: [OperationContract] public string AddItem(string itemTitle, Guid? idOfListToUse) { using (var portal = new SPSite(SPContext.Current.Site.Url, SPContext.Current.Site.SystemAccount.UserToken)) { using (var web = po...

Checking serial code correctness

Hi, I have a method in java which generates a serial code based on a number of parameters. Now I would like to have another method which accepts the same parameters + the serial code, and tells me whether or not this serial code is correct. However, I do not want to expose the serial code creation method, so if someone knows the method...

secure web service

I am going to be creating a web service that will be passing confidential information across the network. What would be the best way to secure the web service? How do I know if the application requesting the information is who it says it is, and it's not another application that is using another's user name and password? ...

Is it secure to use a controller, module or action name to set include paths?

I want to set up include paths (and other paths, like view script paths) based on the module being accessed. Is this safe? If not, how could I safely set up include paths dynamically? I'm doing something like the code below (this is from a controller plugin.) public function dispatchLoopStartup(Zend_Controller_Request_Abstract $reque...

Checking if specific user has a role

Hi, is there some pretty way to check if some specific user (not the one that is logged in) has some specific role? Here is grails example (generally the same for plain Java but syntax): def user = User.get(1) //Get user with id 1 if (ifAnyGranted(user,"ROLE_ADMIN")) { //This is the line I need to implement somehow ... } Thanks in a...

WPL (Web Protection Library) appears to be stripping characters from the output of my CMS admin screen

I just installed Microsoft WPL (Web Protection Library) v1.0 on top of an installation of Ektron CMS400. The installation consists of running the WPL installer and then running a configuration program that updates the web.config with some additional parameters. When testing, all the content pages looked fine but when I logged into the ad...

SQL statement merging/simplifying

Hi, I'm not sure whether my SQL code and practice here is any good, so hopefully someone could enlighten me. In order to try and separate my DAL from the Business layer, I'm not using an SQLDataSource on the page. Instead, I've created a gridview to display the results and called an SQL command to retrieve results. I have the followin...

Is basic auth with SSL secure enough?

I am developing an application which needs to handle a massive amount of REST requests. Using basic auth will save a lot of computing resources since I don't have to compute the signatures. Also, the documentation will be a lot simpler. What are your thoughts? ...

Standard and Interesting Books for IT & Engineering

Hello all, I am a Computer Engineer, fresh off graduation, and I would like to educate myself on a broad range of technological fields and aspects. I am the kind of person who is easily distracted while reading from a screen, and so I would like to ask fellow daniweb members about the best books for computer related topics. I consider my...

Web application security training

I am looking for a training class or conference to go to by the end of year for web application security training. We do mainly ASP.NET development so something specific to .NET would be nice but a general security best practices class would work. The location would need to be somewhere in the US, south central US if possible. Anyone ...

Security measures for site search

Years ago I programmed a magazine-style site in ColdFusion. It had a site search function to full-text search (using SQL Server) the articles and blog posts. It worked fine, but then we were hit with a SQL injection attack (my fault). The site owner decided to take down the search, and only recently asked me to make it live again. I kno...

Secure Password Hashing

I need to store a hash of a single password in a .Net WinForms application. What's the most secure way to do this? In particular: Salt, HMAC, or both? How much salt? How many iterations? What encoding? (The password is plain ASCII) I assume that the algorithm should be either SHA512 or HMACSHA512. ...

How to Anonymously Authenticate between a VB.Net Desktop App and ASP.Net Web App

I'm looking for a way to pass some sort of credentials or Authorization token from a VB.Net Client to an ASP.Net web application that allows the Client to auto-login to our Forms-Authenticated website. If a user is logged into a local application, I want them to be able to view some web pages without having to login to the website as we...

How can I make a secure conversion tracker with an img or js tag?

I have a client who is deploying a simple affiliate program. Currently, if a visitor comes through the affiliate link, a cookie is set on a third party domain that does the affiliate tracking. If the person purchases something, a tracking pixel is fired that sends the record to the 3rd party domain. Obviously this is completely insecur...

Can I use Sun's OpenSSO Apache WebAgent to integrate to a CA SiteMinder Policy Server?

The official Web Agents user documentation does not state what version of SAML is supported. I am trying to integrate this with a Policy Server that is not running Sun's OpenSSO policy server, so my only requirement is to support SAML 2.0. Has anyone had experience with this type of setup? ...

ASP.NET security issues, maybe Umbraco related, but most likely just general security issue...

Hi folks, I have an incredibly frustrating problem cleaning up my site at the moment. On the same hosting space I have Umbraco (ASP.NET) and Blab Lite (PHP Chatroom) installed. The former talks to SQL 2005, and the latter to MySQL 5. On my Umbraco site I had a guestbook with an entry form. Upon postback it does an Akismet check and ski...

Limiting access to web service

Hi, Is there any way to restrict access to my (.NET) web service without modifying the actual web service code and/or the calling app? Basically, I have the web service on one subdomain and would like to be able to call it from a different app in another subdomain, both on the same machine. Regards, Ondrej Edit: Important information I fo...