I have a bit of a hybrid situation on my hands. I'm writing an intranet asp.net web app. I don't want to use full blown Windows Authentication, because I don't have proper groups set up in Active Directory to be able to authenticate users simply based on what group they are in. Up until now, I had created a membership database, and was m...
As a follow up to an earlier question that attracted a whole zero answers, I'm wondering about the possibilities of allowing a web server (apache) to write to its own document root (Linux), in order to dynamically create meta-redirect files.
Of course, this sounds incredibly dangerous, and I'm wary of going the whole hog and granting th...
I start a .Net server side program on my local workstation, but soon it throws a security exception. I searched the web for answers, but no quick fix was found / worked. I just want to run my program. How do I get rid of the exception? I fully trust the program, because its mine.
Edit: Oh, yes, I do run the program from a mapped folder ...
Greetings!
I am trying to check directory write-permissions from within a Windows MFC/ATL program using C++. My first guess is to use the C-standard _access function, e.g.:
if (_access("C:\\mydir", 2) == -1)
// Directory is not writable.
But apparently on Windows 2000 and XP, _access can't determine directory permissions. (i.e. the...
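As an added example (not part of the question above), the approach that does work reliably on every Windows and POSIX platform is to stop asking the permission bits and simply try to create a file in the directory. The Python below does exactly that; in C++ the same probe is a CreateFile with FILE_FLAG_DELETE_ON_CLOSE followed by a check of GetLastError. The function names and the scratch directory are this example's own.

```python
import os
import shutil
import tempfile


def directory_is_writable(path: str) -> bool:
    """Return True if this process can create a file inside `path`.

    Instead of consulting permission bits or ACLs, create and delete a
    uniquely named probe file. Only an actual attempt reflects ACL
    inheritance, read-only volumes, network-share restrictions and the
    privilege the process really runs with.
    """
    if not os.path.isdir(path):
        return False
    try:
        fd, probe = tempfile.mkstemp(prefix=".writeprobe-", dir=path)
    except OSError:
        return False  # EACCES, EROFS, ENOENT ... all mean "not writable here"
    try:
        os.write(fd, b"probe")
    except OSError:
        return False
    finally:
        os.close(fd)
        try:
            os.unlink(probe)
        except OSError:
            pass  # leaving a stray probe file is harmless; report the write result
    return True


def demo() -> dict:
    """Exercise the check against a constructed scratch directory."""
    scratch = tempfile.mkdtemp(prefix="writeprobe-")
    try:
        regular_file = os.path.join(scratch, "file.txt")
        with open(regular_file, "w") as handle:
            handle.write("x")
        return {
            "scratch_dir": directory_is_writable(scratch),
            "missing_dir": directory_is_writable(os.path.join(scratch, "nope")),
            "regular_file": directory_is_writable(regular_file),
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    for name, writable in demo().items():
        print(f"{name}: {'writable' if writable else 'not writable'}")
```

The probe file gets a random name so two concurrent checks cannot collide, and the result is decided by the open and the write, not by the cleanup.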
This may be a dumb question, but between a http POST and GET, what are the differences from a security perspective? Is one inherently more secure than another? I realize that POST doesn't expose information on the URL but is there any real value in that or is it just security through obscurity? What is the best practice here?
Edit:
Over...
Does anyone know if it is possible to reliably determine (programmatically C/C++...) whether or not a firewall or IP filtering software is installed on a Windows PC? I need to detect whether a certain server IP is being blocked in my client software by the host OS.
I don't need to worry about external hardware firewalls in this situatio...
What is the best practice for storing keys, and or passwords for a website. These keys are for various 3rd party web services. Is it best to have them in the Web.config file, or in the database, or encrypted somehow?
...
I'm looking for best practices for performing strict (whitelist) validation/filtering of user-submitted HTML.
Main purpose is to filter out XSS and similar nasties that may be entered via web forms. Secondary purpose is to limit breakage of HTML content entered by non-technical users e.g. via WYSIWYG editor that has an HTML view.
I'm ...
I have a client who is in need of a file based encryption / decryption application to be used between Linux / Windows 2003 Server. The goal is to have a single file compressed nightly on a linux platform and secured using a script, transmitted over FTP, decrypted on the Windows 2003 server and available for other import routines such as...
We are using standard asp.net forms authentication. Certain pages require a user to be logged in; and least some of these pages are delivered by https. There is a search control at the top of each page. When this is used, we don't care whether the user's session has expired, even if the current page requires a log in.
However, curr...
Real UID, effective UID, and some systems even have a "saved UID". What's the purpose of all these, especially the last one?
...
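An added example (not from the question above) showing what the three IDs are for. A set-user-ID program starts with real UID = the caller, effective UID = the file owner, saved UID = the file owner. Dropping the effective UID back to the real one removes privilege for the unprivileged phases of the program while the saved UID keeps a way back; copying the real UID into all three slots drops privilege permanently, and the kernel then refuses any attempt to regain it. This uses the Linux-only os.getresuid/os.setresuid calls; run as a normal user all three IDs are already equal, so the calls succeed but change nothing.

```python
import os


def uid_state() -> dict:
    """Snapshot of the real, effective and saved set-user-IDs."""
    real, effective, saved = os.getresuid()
    return {"real": real, "effective": effective, "saved": saved}


def drop_privileges_temporarily() -> dict:
    """Become the real user for now; the saved UID still holds the privileged ID."""
    real, _effective, _saved = os.getresuid()
    os.setresuid(-1, real, -1)  # -1 means "leave this ID unchanged"
    return uid_state()


def restore_privileges() -> dict:
    """Copy the saved UID back into the effective slot to regain privilege."""
    _real, _effective, saved = os.getresuid()
    os.setresuid(-1, saved, -1)
    return uid_state()


def drop_privileges_permanently() -> dict:
    """Overwrite all three slots with the real UID; nothing privileged remains."""
    real, _effective, _saved = os.getresuid()
    os.setresuid(real, real, real)
    return uid_state()


def can_regain(uid: int) -> bool:
    """True if the kernel lets us set the effective UID to `uid` right now.

    After a permanent drop to an unprivileged real UID this is False for the
    former privileged UID: it is no longer in any of the three slots.
    """
    current = os.getresuid()
    try:
        os.setresuid(-1, uid, -1)
    except PermissionError:
        return False
    os.setresuid(*current)  # put things back exactly as they were
    return True


if __name__ == "__main__":
    print("start:             ", uid_state())
    print("temporarily dropped", drop_privileges_temporarily())
    print("restored:          ", restore_privileges())
    print("permanently dropped", drop_privileges_permanently())
```

The sequence is the classic one for a set-user-ID daemon: drop temporarily before touching user-controlled input, restore only for the one privileged operation, and drop permanently (or exec an unprivileged helper) as soon as nothing privileged is left to do.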
My web application is relying on container-managed security and I'm wondering if it's possible to use salted passwords at all. As far as I can tell it's easy enough to store digested passwords in a database by just configuring a JDBC or DataSource Realm, but there's no way to add a salt to those digests.
Any suggestions?
Edit: it seems...
I'm copying a file from folder A to folder B and then trying to copy the file permissions. Here are the basic steps I'm using:
CopyFile(source, target)
GetNamedSecurityInfo(source, GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)
Print source SD using ConvertSecurityDescriptorToStringSecurityDescriptor
SetNamedSecurityInfo(target...
I've been working with jQuery and *.asmx web services lately, and I'm trying to be security-conscious in doing so.
I figure it would be possible to submit an AJAX request -- even when logged-out -- to a resource that should only be accessible while logged-in.
Thus, I include special keys and hashes with each of these AJAX requests in o...
We have a high security application and we want to allow users to enter URLs that other users will see.
This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens.
What are the best practices in dealing wit...
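One added example (not from either question) that serves both the strict whitelist HTML filter asked about further up and the user-supplied URL question here. Only listed tags and, per tag, only listed attributes survive; everything else, including event handlers, comments and the contents of script and style elements, is dropped. URL-valued attributes pass a separate scheme whitelist that first strips the whitespace and control characters browsers ignore inside `java\tscript:`. The tag and scheme lists are this example's own choice; tighten them to what your editor actually emits.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> attributes allowed on it; anything not listed is dropped
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRIBUTES = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT_TAGS = {"script", "style"}  # text inside these is discarded, not kept


def safe_url(value: str):
    """Return a cleaned URL if its scheme is whitelisted, else None."""
    # browsers skip whitespace and control characters when parsing a scheme,
    # so remove them before looking at it rather than after
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme  # urlsplit lower-cases the scheme
    if scheme in ALLOWED_SCHEMES:
        return cleaned
    if scheme == "" and cleaned.startswith(("/", "#", "?")):
        return cleaned  # site-relative link, no scheme at all
    return None  # javascript:, data:, vbscript:, unknown or bare relative names


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], None

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS:
            return  # tag dropped, its text content is still kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in URL_ATTRIBUTES:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag not in self.open_tags:
            return  # stray close tag, ignore
        while self.open_tags:  # close anything left open inside it too
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # well-formed output even for unclosed input
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # constructed sample input
    print(sanitize_html('<p onclick="x()">hi <a href=" JAVA\tSCRIPT:alert(1)">x</a>'
                        '<script>alert(2)</script><img src="data:text/html,y" alt="p"></p>'))
```

Text is re-escaped on output after the parser has decoded entities, so `&lt;script&gt;` in the input stays inert text rather than becoming a tag, and a separate `safe_url` lets the same scheme check guard a plain URL field that is later written into an `href`.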
I wish to ensure a user has access to an aspx page by 'Zone'. For example, "Financials" is a Security Zone which some users should not have access to.
The result should not involve patterns such as MVP, MVC, MVVM, etc. I'm looking for something that's light and quick to do.
To make things easier I have a base class which each aspx page...
I'm in the process of testing my application with respect to security.
Aside from fiddler,charles and poster (firefox plug in). Are there any other free to use
https interception (and editing) applications out there? Especially ones which can be installed w/o
admin privileges.
Achilles comes to mind, but I don't think it can han...
I have a business requirement that forces me to store a customer's full credit card details (number, name, expiry date, CVV2) for a short period of time.
Rationale: If a customer calls to order a product and their credit card is declined on the spot you are likely to lose the sale. If you take their details, thank them for the transacti...
I work for a team that's looking for a replacement for our online password management package, which we use to keep track of various ftp accounts and so on. Our current solution is shaky at best (it's PHP-based, the master password is hardcoded into the login checking function, etc). A lot of the passwords are out of date anyway, so we...
I am attempting to do something simple (I thought) - securing my application using roles-based security using ActiveD groups in our Domain.
Specifically, I need to show/hide items on a page depending upon whether the currently logged in user is part of "domain\groupA" in ActiveD. For some reason, it is difficult finding information on u...