security

How do I create a user account in SQL Server 2000?

My project needs a SQL Server 2000 User Id and password created for an ASP.NET website. How do I create a user account in SQL Server 2000? ...

Linking with Apache XML-Security causes unresolved references

I'm trying to build a project on Linux with GCC where one module (my own) requires XML-Security (Apache's) as well. However, when linking, I get unresolved references to some functions that are in the XML-Security library. I'm attempting to link statically (or I think so, at least -- I've provided no extra parameters, and I'm using the .a...

The difficulty in designing a FIN scanning program

I want to implement a Linux C program to do the following task: it uses FIN scanning to scan all the open ports of a host. Here's a short description of FIN scanning (skip if you already know it): Wikipedia: FIN scanning. In FIN scanning, an open port will not respond in any form, while a closed port will send back a RST packet. And ev...
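As an added example (not part of the question and not the poster's program), the two pieces a FIN scanner has to get right: the probe itself, which is a bare TCP header with only FIN set and a correct checksum over the IPv4 pseudo-header, and the decision rule, which maps "RST came back" to closed and "nothing came back" to open-or-filtered. Sending the probe needs a raw socket (SOCK_RAW, IPPROTO_TCP) and root; that part, and the pcap or raw-socket read of the reply, is left to the caller. The addresses, ports and sequence number are made-up TEST-NET values.

```c
/* FIN probe construction and reply classification for a FIN scanner.
 * Added example: builds the 20-byte TCP header with only FIN set, computes the
 * RFC 793 checksum over the IPv4 pseudo-header, and classifies the reply.
 * Addresses below are hypothetical TEST-NET (192.0.2.0/24) values. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>          /* htons, inet_pton, AF_INET */

#define TCP_FLAG_FIN 0x01
#define TCP_FLAG_RST 0x04
#define TCP_FLAG_ACK 0x10
#define TCP_HDR_LEN  20

enum port_state { PORT_CLOSED, PORT_OPEN_OR_FILTERED };

/* One's-complement sum (RFC 1071) over the IPv4 pseudo-header and the TCP
 * segment. src/dst are in network byte order, as inet_pton leaves them.
 * Returns the value for the checksum field; returns 0 when run over a segment
 * whose checksum field has already been filled in correctly. */
uint16_t tcp_checksum(uint32_t src, uint32_t dst, const uint8_t *seg, size_t len)
{
    uint8_t ph[12];
    uint16_t tlen = htons((uint16_t)len);
    uint32_t sum = 0;
    size_t i;

    memcpy(ph, &src, 4);
    memcpy(ph + 4, &dst, 4);
    ph[8] = 0;
    ph[9] = 6;                          /* IPPROTO_TCP */
    memcpy(ph + 10, &tlen, 2);

    for (i = 0; i < sizeof ph; i += 2)
        sum += (uint32_t)(ph[i] << 8 | ph[i + 1]);
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)(seg[i] << 8 | seg[i + 1]);
    if (len & 1)
        sum += (uint32_t)(seg[len - 1] << 8);
    while (sum >> 16)                   /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Fill out[] with a TCP header carrying only the FIN flag.
 * Ports and seq are host order; src/dst network order. */
void build_fin_probe(uint8_t out[TCP_HDR_LEN], uint32_t src, uint32_t dst,
                     uint16_t sport, uint16_t dport, uint32_t seq)
{
    uint16_t csum;
    memset(out, 0, TCP_HDR_LEN);
    out[0] = (uint8_t)(sport >> 8); out[1] = (uint8_t)sport;
    out[2] = (uint8_t)(dport >> 8); out[3] = (uint8_t)dport;
    out[4] = (uint8_t)(seq >> 24);  out[5] = (uint8_t)(seq >> 16);
    out[6] = (uint8_t)(seq >> 8);   out[7] = (uint8_t)seq;
    /* bytes 8..11: ack number stays 0, there is no ACK flag */
    out[12] = 5 << 4;                   /* data offset: 5 words, no options */
    out[13] = TCP_FLAG_FIN;             /* FIN and nothing else */
    out[14] = 1024 >> 8; out[15] = 1024 & 0xff;   /* window */
    /* bytes 16..17 checksum, filled below; 18..19 urgent pointer stays 0 */
    csum = tcp_checksum(src, dst, out, TCP_HDR_LEN);
    out[16] = (uint8_t)(csum >> 8); out[17] = (uint8_t)csum;
}

/* What the scanner concludes from the reply to a probe sent from probe_sport.
 * reply == NULL means the wait timed out with nothing back. */
enum port_state classify_fin_reply(const uint8_t *reply, size_t len, uint16_t probe_sport)
{
    uint16_t dport;
    if (reply == NULL || len < TCP_HDR_LEN)
        return PORT_OPEN_OR_FILTERED;   /* silence: open, or a filter dropped it */
    dport = (uint16_t)(reply[2] << 8 | reply[3]);
    if (dport != probe_sport)
        return PORT_OPEN_OR_FILTERED;   /* unrelated traffic, not our answer */
    if (reply[13] & TCP_FLAG_RST)
        return PORT_CLOSED;             /* RFC 793 reply from a closed port */
    return PORT_OPEN_OR_FILTERED;
}

/* Builds a probe 192.0.2.100:40000 -> 192.0.2.1:80 and a constructed RST|ACK
 * reply, then checks the checksum round-trips and the classifier agrees.
 * Returns 1 on success, 0 on the first mismatch. */
int fin_selftest(void)
{
    uint32_t src, dst;
    uint8_t probe[TCP_HDR_LEN], rst[TCP_HDR_LEN];
    inet_pton(AF_INET, "192.0.2.100", &src);
    inet_pton(AF_INET, "192.0.2.1", &dst);
    build_fin_probe(probe, src, dst, 40000, 80, 0x12345678);
    if (probe[13] != TCP_FLAG_FIN || probe[12] != 0x50) return 0;
    if (tcp_checksum(src, dst, probe, TCP_HDR_LEN) != 0) return 0;

    memset(rst, 0, sizeof rst);         /* constructed reply: 80 -> 40000, RST|ACK */
    rst[0] = 0; rst[1] = 80; rst[2] = 40000 >> 8; rst[3] = 40000 & 0xff;
    rst[12] = 0x50; rst[13] = TCP_FLAG_RST | TCP_FLAG_ACK;
    if (classify_fin_reply(rst, sizeof rst, 40000) != PORT_CLOSED) return 0;
    if (classify_fin_reply(NULL, 0, 40000) != PORT_OPEN_OR_FILTERED) return 0;
    return 1;
}

int main(void)
{
    printf("FIN probe self-test: %s\n", fin_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Two caveats worth building in from the start: silence only ever means "open or filtered", never "open", so a firewall that drops the probe looks identical to an open port; and stacks that answer every FIN with a RST regardless of port state (Windows and several embedded and Cisco stacks, as the Nmap documentation notes) make every port read as closed, so a host where all ports come back closed should be re-probed with a SYN scan before believing the result.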

How to cache SSL client certificate password in client application using libcurl

We have a (multi-OS) application which communicates with an https server using libcurl and uses SSL client certification. When the client certificate is password protected, the application must ask the user to input the password. The application sends hundreds of different https requests to the server, so we cannot ask the user to input pas...

How to stop Apache from listing the contents of my user directories

I recently ran some penetration testing software on my web site and was surprised that it reported that one of my directory listings was publicly accessible. It is the directory of the root user which is available. http://www.example.com/~root/ Results in this page content: Index of /~root * Parent Directory * cgi-bin/ Pla...

Windows user profile seems to be blocking certificate auth on webservice calls

I have a Delphi app that's running on Windows Server 2003. The app communicates with a webservice on another server that is protected by a Cisco ACE XML Gateway requiring a certificate for client authentication. When I run my app as a local administrator on the box I have no problems connecting to the webservice. When I run it as a me...

How To Make WCF Sessions More Secure?

Let's say we have a WCF service like the one from the MSDN examples -- C#, calculatorservice, with all the service settings on default. If I were a hacker and I knew that calculatorservice was something important, that I wanted to make it stop working, I could simply hack the code for the service references and make an application of my own that ...

SVN: Global and project-specific passwd files for single repository

I would like to configure my local SVN server to support both a global passwd file and a project-specific passwd file. I have a global passwd file set up that is currently used to administer all accounts. The only problem is, sometimes we want to add an outside developer to a single project. With our current setup, we have to grant them acc...

Is this method of checking a "gift code" secure?

I have a backend that generates gift codes, each with a certain number of uses. Give these to a blogger or whatever, and their readership can redeem the code for a promotional item. I'm working on the best way to check a code's validity without having collisions/dupes, or anything like that. I need to 1) validate the code 2) collect ship...

when should I use "apache:apache" or "nobody:nobody" on my web server files?

Background: I remember at my old place of employment how the web server admin would always make me change the httpd-accessible file upload directories so that they were owned by apache:apache or nobody:nobody. He said this was for security reasons. Question: Can you tell me what specifically were the security implications of this? Also...

Displaying PDF to user

We're providing a web form whereby users fill in their personal information; some of it is sensitive information (SSN, Birthday, etc). Upon user submission, the data is prefilled into a PDF which is then made available via a link. We are creating the PDF in a folder that has write access on the website. How can we safely create an...

What are some advanced and modern resources on exploit writing?

I've read and finished both Reversing: Secrets of Reverse Engineering and Hacking: The Art of Exploitation. They both were illuminating in their own way but I still feel like a lot of the techniques and information presented within them is outdated to some degree. When the infamous Phrack Article, Smashing the Stack for Fun and Profit,...

Online Password managers security from programming point of view?

Hello. Do you, as programmers who create such tools, think online password managers (like Passpack) are really secure? ...

How to set WCF security to require client certificate?

I have WCF service. I demand clients to authenticate with certificate. This is service configuration: <system.serviceModel> <services> <service name="FilmLibrary.FilmManager" behaviorConfiguration="FilmService.Service1Behavior"> <endpoint address="manager" name="certBinding" binding="basicHttpBinding"...

php secure login

What do you think about this login procedure? Is it pretty safe? When they log in I first check that the username exists; if it does I grab the salt (every user has a unique salt) for the user, which I re-hash with the posted password $pass = hash('sha256', $salt . $posted_password); and then I just compare with $check = mysql_query("SELE...

Integrating 3rd-party forum software to member-based website

When using some existing forum software in a larger web-site, how easy is it to: 1)Make your site's login functionality log the user into the forum 2)Make your site's registration functionality create forum login data I suppose in a way it might be easier to ONLY use the forum's database for maintaining users, but that means trusting ...

.NET XmlSerializer Compiling Type Schemas Reader/Writer

For my application, I need to serialize data to file using XML, so I read Introducing XML Serialization on MSDN. One thing that concerns me is under the Security Considerations for XmlSerializer Applications section it reads: The XmlSerializer creates C# (.cs) files and compiles them into .dll files in the directory named by th...

Facebook Connect - Authentication and Security

I would like to develop an external website using Facebook Connect instead of my own login and registration process. First: Please don't answer "See documentation on facebook.com" or so. I've read all pages there several times, I think. But I can't find an answer. For my login button I use this code: <fb:login-button v="2" size="large"...

Is there a way to check which calls into my web-application API came from my distributed client?

Hi, Is there a way to check which calls into my web-application API came from my distributed client? That is, if I have both a thick client (Windows Forms client, say) and the server-side web application that exposes an HTTPS interface (assume the user puts username/password into the client configuration for authentication), is there a way t...

Get domain groups for a specified user and permissions for a specified file using .Net

I want to return a list of group memberships for a specific domain user. Something like... string[] UserGroups(string domain, string domainUserName) { // query domain info // return a list of accounts the user is a member of } Also, I want to be able to see which domain accounts/groups have access to a specified file/folder. ...