I have a mobile application where I would like to store private keys securely. The security requirement implies that it should be very hard for attackers to be able to obtain the private key even if they had unlimited access to the mobile device. In order to achieve this level of security, the application employs symmetric cryptography w...
I successfully built my first html/PHP form that passes variables between multiple pages using the _POST global variable and then emails me the results using the mail() function.
I'm sure this form is incredibly insecure as it is now and vulnerable to all manner of exploits, and I want to know how to patch up the holes; however, I'm prett...
This is a feature request for our networking switch where a customer wants a complete binary dump of the entire contents (including white space) of all the non-volatile storage we have on our equipment (like compact flash/EEPROM) to a server over an SSH v2 connection. What is the best way to do this?
...
I get this message when I am trying to access a web service from jQuery located at the SAME URL (but a different directory).
I know it is an IE security setting. The question is, how do I suppress it... surely people don't put web services in the same web site, same directory....
...
I know a few sites (such as my bank and my school) that kill a session after it has been idle for a set amount of time. It is my understanding that session activity is determined by users following links, or at the very least by some kind of active interaction, like updating a form via AJAX. Basically the server gets a request to do s...
If I have a valid SQL string, is there any way I can execute it in my PL/SQL but guarantee that it is a SELECT statement only... without doing complex parsing to ensure it doesn't have any escape characters/nested commands or any of that jazz?
EDIT:
What I'm really trying to accomplish is a generic, built-in to my application, querying...
I was asking myself about the security of using the PHP function htmlentities() against XSS attacks, and maybe related functions such as htmlspecialchars.
Thanks a lot :)
...
Suppose I'm writing some environment which executes clients' code (Java). Clients send a jar with manifest information. The environment creates some class instance from the jar (suppose an instance of Runnable) and runs it in some thread. But I need a guarantee that the clients' code will not start its own threads or create its own ExecutorService and so on.
Is there...
Hi,
I was reading this blog (http://googlepublicpolicy.blogspot.com/2009/06/https-security-for-web-applications.html) posted by Google on not enabling HTTPS for Gmail by default. One of the paragraphs says:
Unless there are negative effects on the user experience or it's otherwise impractical, we intend to turn on HTTPS by defau...
What forms of e-commerce compliance such as PCI-DSS apply when the card details are processed by a third party such as PayPal?
I am building a bespoke shopping cart system that uses PayPal Express, so the card details never hit my server. I do however retain customer details, so what compliance - both at a code and hardware level - must or...
OK... so most of the sites we were serving were down, with parsing errors in the index.php file... Looking at the file, our previous versions of the said file were prepended with:
<?php @register_shutdown_function("__sfd1260709780__");function __sfd1260709780__() { global $__sdv1260709780__; if (!empty($__sdv1260709780__)) return; $__sdv126070...
How can I add a crossdomain.xml to the root of my Hudson server? I'm working on a Flex->Hudson bridge and I'd like to access it directly, instead of relying on a proxy to do it for me.
Thanks;
EDIT: This is standalone Hudson, not running on any application server.
...
Can someone explain this paragraph on page 258 (Pro ASP.NET MVC 1.0, Chapter 6: Using the HTML Helpers)?
If you're writing a third-party library (as opposed to a web application) that uses the HTML helpers, never call the overloads that accept anonymous objects. Always call the overloads that accept dictionaries. Otherwise...
I'm relatively new to WCF and would like some opinions on what's the best (or most correct) way to implement authentication on an application that exposes its business-layer operations through WCF.
Is a token supposed to be passed, encrypted username/password and verified each time... or what?
Also any links would be appreciated.
Tha...
Hi all,
First, the background:
I am creating a Flex application with a component that displays various dynamically loaded SWFs, one at a time (kind of like a kiosk). These loaded SWFs are created in Flash IDE, not Flex. They will not be created by us (we will provide a .fla template but that's it), so I am loading them into a separat...
I'm thinking about how to implement the following task using the Aladdin HASP SRM APIs. I'll explain with a specific example.
The HASP Network Hardware Key enables running 10 copies of the application concurrently (the HASP Key enables 10 licenses).
Each license enables 1 Feature. A Feature has an Expiration date.
Problem: Expiration Date will be the same for all 10 li...
What approach should I take to develop software to block traffic at the desktop level (Windows) to sites based on their domain name?
Messing with the hosts file was easy, but the browser seems to have too long of a delay before it recognizes changes in the hosts file.
My ideal solution would be a simple ruby script to disable sites during ...
What is the easiest way to load up an assembly, instantiate a class from it, but do so in a way that the assembly has limited privileges (sandboxed)? The code should not be able to communicate across the network, write to the file system, or execute processes.
UPDATE
I just stumbled upon Assembly.LoadFrom(string assemblyFile, Evidence...
I'm working on a large ASP.NET software product. We'd like to allow users to enter expressions rather than constants for certain fields. Typically something like:
(Price * 1.175) + 25
The obvious solution seems to be to embed IronPython, create a Scope, pass in the "Price" (and other) variables and then execute the above as IronPython...
I'd like to create the following functionality for my web-based application:
user uploads an archive file (zip/rar/tar.gz/tar.bz etc.) (contents: several image files)
archive is automatically extracted after upload
images are shown in the HTML list (whatever)
Are there any security issues involved with extraction process? E.g. possibility...
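The extraction step is where the security issue lives: every member name in an uploaded archive is attacker-controlled, so a name like ../../../var/www/html/index.php or an absolute path will, with a naive extractor, write outside the upload directory, a symlink member can redirect later writes, and a few kilobytes of archive can inflate to gigabytes. The block below is an added example, not code from the question: it vets zip member names, refuses symlink entries, and enforces a byte cap on what is actually inflated rather than on the header's declared size. The entry and size limits and the sample archive are constructed here for illustration. For tar archives the same name check applies, plus rejecting any member for which TarInfo.isreg() is false (symlinks, hard links, device nodes).

```python
"""Vetting and extracting user-uploaded archives without path traversal.
Added example, not code from the question; the size/entry limits are assumed."""
import io
import os
import posixpath
import tempfile
import zipfile

MAX_ENTRIES = 500                   # assumed per-upload limit
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed cap on uncompressed bytes


def safe_member_path(name):
    """Normalized relative path, or None: refuses NULs, backslashes, absolute
    paths, drive letters and any '..' component."""
    if not name or name.endswith("/") or "\\" in name or "\x00" in name:
        return None
    if posixpath.isabs(name):
        return None
    norm = posixpath.normpath(name)
    parts = norm.split("/")
    if norm == "." or ".." in parts or ":" in parts[0]:
        return None
    return norm


def zip_entry_path(info):
    """Vetted path for a regular-file zip entry; directories and symlinks give None."""
    if info.is_dir():
        return None
    if (info.external_attr >> 16) & 0o170000 == 0o120000:  # Unix mode bits: symlink
        return None
    return safe_member_path(info.filename)


def vet_zip(data):
    """(accepted, rejected) member names, without writing anything to disk."""
    accepted, rejected, declared = [], [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            raise ValueError("too many entries")
        for info in infos:
            norm = zip_entry_path(info)
            if norm is None:
                if not info.is_dir():
                    rejected.append(info.filename)
                continue
            declared += info.file_size
            if declared > MAX_TOTAL_BYTES:
                raise ValueError("declared uncompressed size exceeds cap")
            accepted.append(norm)
    return accepted, rejected


def extract_zip(data, target):
    """Extract vetted entries; the byte cap is enforced on inflated data because
    the header's file_size is attacker-controlled. Returns bytes written."""
    root = os.path.realpath(target)
    written = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            norm = zip_entry_path(info)
            if norm is None:
                continue
            dest = os.path.realpath(os.path.join(root, norm))
            if os.path.commonpath([root, dest]) != root:
                continue  # a symlink already on disk pointed outside the root
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                while chunk := src.read(65536):
                    written += len(chunk)
                    if written > MAX_TOTAL_BYTES:
                        raise ValueError("inflated data exceeds cap")
                    dst.write(chunk)
    return written


def build_malicious_zip():
    """Constructed sample: two fake images plus three classic traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/a.png", b"\x89PNG fake image")
        zf.writestr("photos/sub/b.jpg", b"\xff\xd8 fake image")
        zf.writestr("../../../var/www/html/index.php", b"<?php system($_GET['c']); ?>")
        zf.writestr("/etc/cron.d/evil", b"* * * * * root id > /tmp/pwned\n")
        zf.writestr("photos/..\\..\\win.ini", b"[boot]\n")
    return buf.getvalue()


def demo():
    """Vet the sample, extract it into a fresh temp dir and report what landed."""
    data = build_malicious_zip()
    tmp = tempfile.mkdtemp()
    written = extract_zip(data, tmp)
    landed = sorted(os.path.relpath(os.path.join(d, f), tmp)
                    for d, _, files in os.walk(tmp) for f in files)
    return vet_zip(data), written, landed
```

Running demo() extracts only photos/a.png and photos/sub/b.jpg; the three hostile names are listed as rejected and never touch the disk. Python's own ZipFile.extractall() strips leading separators and '..' components for you but enforces no size cap, and tarfile.extractall() only recently gained a filter= argument that refuses link members, so on older interpreters a tar symlink pointing outside the target is followed unless you check members yourself.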