security

How to restrict user access to a file on the HTTP server?

I'm writing a web application that allows users to upload their files to the app. The file is uploaded to the HTTP server after the user clicks the "upload" button. The user can then retrieve the file by requesting it from its path.... ...for example: http://www.demo.com/user/abc/download/the%5Ffile.jpg but I found that everyone can ...
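The usual fix for the situation described in this question is to stop serving uploads as static files and route every download through a handler that authenticates the caller and checks ownership before reading the file. The following PHP is an added example, not code from the question or the asker's application. It assumes (none of this is stated in the post) that uploads are stored outside the document root under /var/www/uploads/<user-id>/, that the login code puts the authenticated user's id in $_SESSION['user_id'], and that a URL such as /user/abc/download/the_file.jpg is rewritten to this script as download.php?user=abc&file=the_file.jpg.

```php
<?php
// Added example: per-user download handler. Assumptions (not from the question):
// files live in UPLOAD_ROOT/<user-id>/ outside DocumentRoot, and the login code
// stores the authenticated user's id in $_SESSION['user_id'].
declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/uploads';   // assumed location; must not be web-served

session_start();

// 1. Authentication: anonymous requests get nothing, not even a 404 hint.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
$currentUser = (string) $_SESSION['user_id'];

// 2. Authorization: the owner named in the URL must be the logged-in user.
//    If files can be shared later, replace this equality test with an ACL lookup.
$owner = $_GET['user'] ?? '';
if ($owner !== $currentUser) {
    http_response_code(403);
    exit('forbidden');
}

// 3. Input validation: a bare file name only, no slashes, dots-only names or control characters.
$name = $_GET['file'] ?? '';
if ($name === '' || $name !== basename($name)
    || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $name)) {
    http_response_code(400);
    exit('bad file name');
}

// 4. Resolve the real path and confirm it is still inside this user's directory
//    (defends against symlinks and any traversal the regex did not catch).
$userDir = realpath(UPLOAD_ROOT . '/' . $currentUser);
$path    = ($userDir === false) ? false : realpath($userDir . '/' . $name);
if ($path === false || !is_file($path)
    || strpos($path, $userDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('not found');
}

// 5. Stream the bytes from PHP; the web server never exposes the directory itself.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Serving with Content-Type: application/octet-stream and nosniff also keeps an uploaded HTML or SVG file from executing in the victim's browser under the site's origin, which is the other half of the upload problem.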

row-level security in LLBLGenPro

Has anyone ever done row-level security in LLBLGenPro? If so, how? ...

Developing a secure PHP login and authentication strategy

Hi, I'm developing a login and authentication system for a new PHP site and have been reading up on the various attacks and vulnerabilities. However, it's a bit confusing, so I want to check that my approach makes sense. I plan on storing the following data: in the session: user-id, hashed + salted HTTP_USER_AGENT; in the cookie and i...

ASP.NET: best practice for redirecting to https

I am working on a project that has one page that needs to make use of the SSL certificate. All of the links in the site to this page make use of https instead of http, but in the case that a user may navigate directly to the page I want the http version of the page to redirect to itself but use https. I can do a Response.Redirect in the...

Browser Security Error: "This page can't be displayed due to a security violation"

I work for a web development firm, and I designed a page for some of our marketing people to add custom footers to various pages in our application. We have various test environments before we deploy our product for the world to see. The problem is, when someone tries to add a javascript:(void) call to the footer HTML, they are presente...

Common unknown PHP security pitfalls

I know questions like this have been asked a hundred times, but mine is a little different. I know about all the common and widely known security issues like SQL injection, XSS etc. But what about issues that often appear but are not recognized most of the time or not judged as vulnerabilities? Are there any? ...

SQL Server Security Configuration Options for Windows Desktop Client/Server application

I am developing a windows desktop client/server application in .NET where the client application connects to SQL Server Express 2005 via the SQL native client and a connection string. The client then executes SQL over the connection on the database directly (no stored procedures). How can I configure SQL Server (or windows) security in...

What policy is enforced by an "empty" crossdomain.xml ?

What policy would be enforced by the following crossdomain.xml that contains no allow statements. <cross-domain-policy> <site-control permitted-cross-domain-policies="all"/> </cross-domain-policy> Does this implicitly deny or accept everything? ...
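A Flash cross-domain policy is deny by default: only allow-access-from and allow-http-request-headers-from elements grant anything, so the file quoted in the question grants no cross-domain access at all. The site-control element is a meta-policy; permitted-cross-domain-policies="all" only says that other policy files hosted on the site (loaded by a client via loadPolicyFile) may be honoured, which is what makes it worth tightening. The following file is an added example, not the asker's, and the domain name app.example.com in it is a placeholder.

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- Meta-policy only. "all" lets any policy file on this host be honoured;
       "master-only" restricts clients to this file, which is the safer choice. -->
  <site-control permitted-cross-domain-policies="master-only"/>

  <!-- Access exists only where an allow element names it. One explicit origin;
       secure="true" means only SWFs served over HTTPS may read HTTPS responses.
       (app.example.com is a placeholder.) -->
  <allow-access-from domain="app.example.com" secure="true"/>

  <!-- The setting to avoid on any host with authenticated content: a wildcard lets a
       Flash client on any site read responses using the victim's session cookies. -->
  <!-- <allow-access-from domain="*"/> -->
</cross-domain-policy>
```

With the allow element removed, this file is equivalent in effect to the one in the question: no cross-domain reads, no cross-domain header forwarding.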

How to securely communicate with server?

I'm building a solution consisting of an app and a server. The server provides some methods (JSON) and the app uses them. My aim is to make those API methods inaccessible to other clients. What is the best way to do so? Should I take a look at certificates (to sign every outgoing request)? If yes, where do I start and what is the performance...

Multi User Password Manager Security Strategy

I am considering creating my own web based, multi user password management software. The basic question that comes up is, what strategy will I use for secure storage and retrieval of passwords? Obviously, I don't want to store information in clear text. Should I encrypt/decrypt on the database server, web server, client (javascript), o...

How to Secure CouchDB

CouchDB access as a REST service seems insecure. Anyone can hit the database and delete/add documents once it is exposed. What is the best strategy to secure CouchDB? ...

Accessing Java applet from another Java applet

A web application uses a Java applet that stores a password, submitted by the user, in a private property and uses this property in several public methods. I wonder if it is possible for another Java applet loaded from the same or different web site to call the methods of this applet or possibly access the private property containing th...

Avoiding sub-directory request rewrites with Apache mod_rewrite

I want a rewrite rule such that if a user goes to the URL example.org/stuff/junk.jpg the rule will process and end up at re-writer.php, but if the user goes to example.org/stuff/hackingisawesome/junk.jpg the rule will not be triggered and they will get a standard 404 (or a page, if one should exist). I can't tell, based on the environ...

Copying a file from an IsolatedStorage

Hi, I was just wondering if there is a way to prevent people from copying a file which is stored using System.IO.IsolatedStorage? To me, I can't think of any way. Any person can go and grab those files manually. Are there other ways that I am missing? ...

Is a freelancer liable for poor code he inherited from someone else?

As a freelancer, I inherit a lot of poorly developed custom web projects. Most of these projects do not safeguard against XSS and SQL injection. On some of these projects, I've been the sole developer for over 1 year. When clients ask me to add new features, I do it without making significant changes to the underlying system's archite...

Do You Trust Hosted Services With Your Source Code and Intellectual Property?

As programming teams become less and less centralized, services such as Dropbox, Beanstalk, and Yammer make it easier than ever to share source code, intellectual property and confidential information. Presumably these companies are operated by technologists that are just as curious as their customers that entrust their content to these...

Using Java applets from outside the server's HTML page

Hi experts... We have a Java server-client application with an applet on the client side. Our applet seems to be used by attackers for bots and other attacks... We suspect that they modified it and used it. Because we use strongly encrypted packets, they can do that in only two ways: 1. modify our applet and use it against us in some way...

How to overcome Java applet security (communication with the containing server only)?

Is there a way to overcome that restriction? I mean, to have a Java applet communicate with a server other than the originating one? ...

Why does EcmaScript 5 strict mode go to such great lengths to restrict the identifier `eval`

According to the spec (Annex C), strict-mode code can't do pretty much anything that might assign any identifier with the name eval. I can understand that one might want to restrict use of the actual eval function, but I don't see what purpose is served by restricting use of the name? ...

OAuth secrets in mobile apps

When using the OAuth protocol, you need a secret string obtained from the service you want to delegate to. If you are doing this in a web app, you can simply store the secret in your database or on the file system, but what is the best way to handle it in a mobile app (or a desktop app for that matter)? Storing the string in the app is...