security

Is it possible to request temporary trusted access to VBA project object model?

I need to access the VBA code of Office documents (Excel workbooks, but it's not relevant) through .Net / C#. I know how to do this, but this requires the Office user to have granted trusted access to the VBA project object model through the Office app. This makes me uncomfortable, because there is a risk that the user leaves things set ...

How does SSL actually work?

Whenever I see it being talked about, it sounds like one simply 'turns on' SSL and then all requests/responses to/from an online server are magically secure. Is that right? Is SSL just about code - can I write two apps and make them communicate via SSL, or do you have to somehow register/certificate them externally? ...

Is 1024-bit RSA secure?

Is 1024-bit RSA secure, or is it crackable now? Is it safe for my program to use 1024-bit RSA? I read at http://pcworld.about.com/od/privacysecurity1/Researcher-RSA-1024-bit-encry.htm that 1024-bit encryption is insecure, but I find 2048-bit slower, and also I see that various HTTPS sites (even PayPal) use 1024-bit encryption. Is 1024 bi...

Open Source Executable Editor

I have a native C++ Windows app that I would like to edit. Are there any open source tools for me to do this on Windows? I want to edit the executable directly. ...

Understanding web app authentication scenario - How do they force authentication on each new browser instance?

I use a web application that forces you to reauthenticate with the application even if you open a new browser window that shares the same session, e.g. File, New Window in Internet Explorer. I was surprised since I thought that if you opened a new browser window from File, New in both IE and Firefox (vs. starting a new browser process) ...

Best way to validate QueryString parameters in c#

I receive numeric variables in my query string. I'm doing validation with the following code: if (!String.IsNullOrEmpty(Request.QueryString["num"])) if (!int.TryParse(Request.QueryString["num"], out value)) throw SecurityError; Is that validation safe enough? Is it the most efficient? (Let's assume that every int number I ge...
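An added example for the question above (not code from the post; written in Python rather than C# so it runs stand-alone): parsing a query-string integer with a strict pattern and an explicit range. The point it makes is that a bare TryParse-style conversion accepts more than a canonical decimal (leading sign, surrounding whitespace, and in Python also underscores), and says nothing about whether the number is in a sensible range; both are checked here. The parameter names and bounds are hypothetical.

```python
import re

# Canonical decimal integer only: optional '-', no leading zeros, no '+', no
# whitespace, no '_' separators, no exponent. Anything else is rejected before
# int() ever sees it.
_STRICT_INT = re.compile(r"-?(0|[1-9][0-9]*)")


def parse_bounded_int(raw, lo, hi):
    """Return int(raw) if raw is a canonical decimal integer within [lo, hi],
    else None. None (missing parameter) and '' are rejected as well."""
    if raw is None or not _STRICT_INT.fullmatch(raw):
        return None
    value = int(raw)
    if value < lo or value > hi:
        return None
    return value


def validate_query(query, rules):
    """query: mapping of parameter name -> raw string, as decoded from the URL.
    rules: mapping of parameter name -> (lo, hi) inclusive bounds.
    Returns (accepted values, names of rejected parameters); a caller would
    refuse the request when the second list is non-empty."""
    values, rejected = {}, []
    for name, (lo, hi) in rules.items():
        parsed = parse_bounded_int(query.get(name), lo, hi)
        if parsed is None:
            rejected.append(name)
        else:
            values[name] = parsed
    return values, rejected


if __name__ == "__main__":
    # Hypothetical parameters: an item id and a page number.
    rules = {"num": (1, 2_147_483_647), "page": (1, 1000)}
    print(validate_query({"num": "42", "page": "3"}, rules))
    print(validate_query({"num": " 42", "page": "+3"}, rules))
```

Bounding to the int32 range in the rules reproduces what TryParse does on overflow, but the lower and upper limits should normally be the values the application can actually handle (a page number of 2 billion is not a valid request even if it fits in an int).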

Form security: remove chars before DB write

How do I prevent security leaks in my own form whose data I write into my DB? Basically I thought to replace the dangerous chars ('', "", ~, ...), but I don't know how to do that in a clean way for each form element (more than 20). I don't know if ASP.NET provides an easy thing for that? OK, the validators I do already some ...

Windows: add security restrictions to current process?

I'm writing a web service (mostly in .NET, but there's some unmanaged code, too). I'm trying to avoid adding any vulnerabilities (obviously...), but it's always possible (especially since there's some unmanaged code, both my own and from libraries, to which data from files/network is passed). UAC + DEP help, but you never know. So I was wondering if...

XML vulnerabilities

XML has been the backbone of service-oriented applications (SOA) and will remain a useful one in the coming future. As XML is easy and flexible, it can easily be made vulnerable and attackers can use it for their own purposes. Some of these attacks are the coercive parsing attack, the XML external entity (XEE) attack, the XML DoS (XDoS) att...

Increasing performance on data validation

The following example is clearly fictional, but it summarizes how validation is done on a code base I'm working with. TypeA has two methods, with the following signatures: public void FirstMethod(TypeB param) public ValidationResult TryFirstMethod(TypeB param) When FirstMethod is called it needs to perform validation on the parameter. He...

Security issues in a login/registration system using PHP, JavaScript and MySQL

I am building a web application from scratch that has registration and login functionality. I am a complete novice when it comes to security issues and attacks like MySQL injection. Apart from encryption of the password in the database, what are the other security issues that I have to worry about? And how do I take care of them? Thank you ...
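An added example serving both the form-sanitization question ("remove chars before DB write") and the login/registration question above. It is not code from either post; it is written in Python with the standard-library sqlite3 and hashlib modules so it runs offline, and the user table, account and attacker password are constructed for the demonstration. It shows the two points a practitioner would make: escaping or stripping characters is the wrong tool, because a bound parameter keeps user text out of the SQL entirely; and hashing passwords does not rescue an injectable query, because a UNION injection lets the attacker supply a salt and hash of their own choosing.

```python
import hashlib
import hmac
import os
import sqlite3

# PBKDF2-HMAC-SHA256 from the standard library; 600,000 iterations is the
# current OWASP recommendation for this construction. (A memory-hard function
# such as Argon2id is preferable where a library for it is available.)
PBKDF2_ITERATIONS = 600_000

# Password the attacker chooses for the forged row (constructed sample value).
ATTACKER_PASSWORD = "attacker-chosen"


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random 16-byte salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(salt, stored_digest, password):
    """Recompute the hash for the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def make_db():
    """Constructed in-memory user table with one account (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt, digest = hash_password("correct horse battery staple")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The username is pasted into the SQL text. Kept only to show the bypass."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = '" + username + "'"
    ).fetchone()
    return row is not None and verify_password(row[0], row[1], password)


def login_safe(conn, username, password):
    """Same logic with a bound parameter: the driver passes the value separately
    from the statement, so quotes in the username never become SQL syntax."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(row[0], row[1], password)


def forged_username():
    """UNION injection payload: the first SELECT matches nothing, the UNION
    returns a salt and hash the attacker computed for ATTACKER_PASSWORD, and
    the trailing '-- ' comments out the closing quote."""
    salt = b"\x00" * 16
    _, digest = hash_password(ATTACKER_PASSWORD, salt)
    return f"' UNION SELECT X'{salt.hex()}', X'{digest.hex()}' -- "


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, forged login:", login_vulnerable(db, forged_username(), ATTACKER_PASSWORD))
    print("parameterized, forged login:", login_safe(db, forged_username(), ATTACKER_PASSWORD))
    print("parameterized, real login:", login_safe(db, "alice", "correct horse battery staple"))
```

The same bound-parameter pattern applies to every form field, which answers the "more than 20 elements" concern: there is nothing per-field to strip, and the data is stored exactly as typed, so output encoding (for HTML, when it is displayed) becomes the separate remaining job.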

Security - Stop people using my program without authorization

I am developing a program that I want to share with certain people, however if I change my mind about these people I want to be able to 'revoke' their access to the program. Ideally this would be on a per-user basis rather than just blocking all instances of the program. Something along the lines of user accounts, but at the moment I ...

Is there a way to modify a process DACL in C#

I have legacy C++ code that changes a process DACL and am trying to use the managed code classes in .NET 3.5. I found code on the web where someone created a SetAclOnServices class that extends the NativeObjectSecurity class for services. I thought that I could implement this and just change the ResourceType.Service to ResourceType.Kerne...

ASP.NET WebService: deny remote access

I've created an ASP.NET WebService that is to be consumed using ASP.NET Ajax. The WebService is located on the same box and same web application that it is to be used by, so I do not want to allow remote access to this webservice, but have it only respond to requests from localhost. The Web.Config DOES NOT have a configuration section ...

Sanitize file path in PHP

Greetings, I'm hoping to make my tiny program secure so that potential malicious users cannot view sensitive files on the server. $path = "/home/gsmcms/public_html/central/app/webroot/{$_GET['file']}"; if(file_exists($path)) { echo file_get_contents($path); } else { header('HTTP/1.1 404 Not Found'); } Off the top of my head...
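An added example for the question above, not code from the post and written in Python rather than PHP so it can be run as-is: the same "serve a file named by the request" handler with a containment check that resolves the requested path (realpath) and refuses anything outside the webroot. The demo directory tree, including a symlink that points outside the webroot, is constructed by the block; the webroot location is a temporary directory, not the path in the post.

```python
import os
import tempfile


class Forbidden(Exception):
    """Raised when the requested name resolves outside the served directory."""


def safe_join(webroot, user_path):
    """Resolve user_path beneath webroot and refuse escapes.

    Catches '..' segments, absolute paths, NUL bytes and symlinks that point
    out of the tree, because the check is done on the fully resolved path
    rather than on the string the client sent."""
    if "\x00" in user_path:
        raise Forbidden("NUL byte in path")
    root = os.path.realpath(webroot)
    # os.path.join would discard root if user_path were absolute, so strip
    # leading separators first; the request is then always relative to root.
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    # commonpath compares whole components, so a sibling such as
    # '/srv/webroot-old' is not mistaken for '/srv/webroot' (a startswith
    # check would be fooled by that).
    if os.path.commonpath([root, candidate]) != root:
        raise Forbidden(f"{user_path!r} resolves outside the webroot")
    return candidate


def serve_file(webroot, user_path):
    """Mirror of the PHP handler: return (HTTP status, body bytes)."""
    try:
        path = safe_join(webroot, user_path)
    except Forbidden:
        return 403, b""
    if not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()


def build_demo_tree():
    """Constructed layout for the demonstration (POSIX; uses a symlink):
    base/webroot/index.html, base/secret.txt, base/webroot/link -> base/secret.txt"""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "webroot")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"db_password=hunter2")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(webroot, "link"))
    return webroot


if __name__ == "__main__":
    root = build_demo_tree()
    for requested in ("index.html", "../secret.txt", "link", "/etc/passwd", "missing.html"):
        status, _ = serve_file(root, requested)
        print(f"{requested!r}: {status}")
```

If the set of downloadable files is small and known, an allow-list of names (or of file extensions under a dedicated directory) is simpler still and removes the path logic entirely; the containment check is what you need when the names really are open-ended.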

CheckTokenMembership in VB6 - Crashing on FreeSID on Windows 7 and Windows 2008

Hello All, I am using the CheckTokenMembership Windows API to check if the user is an Administrator. Here's the code: Option Explicit Private Const SECURITY_BUILTIN_DOMAIN_RID As Long = &H20 Private Const DOMAIN_ALIAS_RID_ADMINS As Long = &H220 Private Declare Function AllocateAndInitializeSid Lib "advapi32.dll" (pId...

Ensuring functions within a webservice are secure in delphi

I am in the process of designing a server-side web service DLL which will be accessible by developers from other companies to access data on a central server. The issues I need to consider are: ensuring they only see the data which they are allowed to see; allowing them to upload/download files, again only ones they are allowed to. I ...

cgi-bin directory contents: What else can be stored there, apart from the CGI scripts/executables?

What files should/should not be stored in the cgi-bin folder/directory on a web server? Obviously, executable scripts/files that make up a web application, called from a web browser can be stored there. But is there a common industry opinion about what else can be stored there? Is there a very strong reason why nothing else apart than...

When can you trust yourself to implement cryptography based solutions?

I've read quite a few times that I shouldn't use cryptography if I'm not an expert. Basically both Jeff and Eric tell you the same: cryptography is difficult, better to buy the security solution from experts than to do it yourself. I completely agree; for a start it's incredibly difficult to perceive all possible paths a scenario migh...

C#: How do I disable interactive login for a local user account (similar to the Network Service account)?

I've created a special user account for my applications use, and I need to know how to disable the interactive login feature so that it's only available as a system account. Right now any machine I deploy this application on, the user shows up in the login menu. Any help is appreciated. Is it a setting on the account or a GPO? ...