I have this code (ASP.net VB.net):
Dim xx As New Net.Mail.SmtpClient()
xx.Credentials = New Net.NetworkCredential("username", "password")
I'm not very sure but would the password stored there be ridiculously easy for a hacker to get?
If it was a standard Windows Forms app, something like .NET Reflector could get the password with the click of a but...
I have a page with a couple of grids and a small form with 7 controls. The grids show ancillary data. Overall there are about 320 lines of code-behind that handle various events. I have the requirement that one particular role is only supposed to edit 3 fields out of the 7, whereas all other roles with access to this page can edit all of...
Recently the security team on my project released a secure code guidelines document, designed to be used as part of our code reviews. The first thing that struck me was an item that said "Do not use Inner classes". I thought this seemed like a very heavy-handed and sweeping statement. Inner classes are good if used correctly, right? But ...
I use Ajax (jQuery) and the POST method to update data in the database. I do the following:
Get data from the form: user_id, entry_id, content,...
Send them to a URL which will process the data.
If the data is valid, we will record them in our database.
I do not know how to verify that the user sends data from my website and not from...
Hey guys,
I'm making a site and it needs to have user authentication. Currently, I'm using HTTP/Basic Auth for proof of concept/development, but this is not good in production for obvious reasons (ugly, insecure, can't read from MySQL db, sucky). So, I know how to do some basic auth stuff, like getting in the username and password, salti...
Is there any benefit in salting passwords for a strong, unique (not used for other applications by the user) password?
Salting (as I am aware) protects against rainbow tables generated with a dictionary or common passwords. It also protects against an attacker noticing a user with the same hash in another application.
Seeing as a stron...
Is there any way to centralize enforcement that every action method must have a "ValidateAntiForgeryToken" attribute? I'm thinking it would have to be done by extending one of the "routing" classes.
Edit: Or maybe do some reflection at application startup?
...
Hi,
In my application, the password is encrypted and if the user forgets the password, there is no way to recover the password. Now we are cancelling that user account and creating a new one. Now I want a proper method to recover the password. The login is done using the ASP.NET configuration tool. How can I recover my password using this? I...
Story: today one of our customers asked us if all the data he deleted in the program was not recoverable.
Aside from scheduled backups, we shrink the log file once a day, and we use the DELETE command to remove records inside our tables where needed.
Though, just for the sake of it, I opened the .mdf file with an editor (used PSPad), and se...
Hi,
I am planning a new portal solution in ASP.NET MVC. I need to be able to have some parts of the site visible for everyone (public part) and a part where only registered users are allowed to visit. In traditional Web Forms the security was made on folder level, but how about ASP.NET MVC? Could someone please explain to me how to do this ...
One of the more powerful features of modern day browsers is the ability for software developers to write browser extensions to enhance, modify and tweak the pages visited by the user. As more of our lives migrate onto the browser, aren't we potentially exposing ourselves to massive privacy and security holes created by the installatio...
Using VSTO, C# fx 3.5,
how to check whether an Excel Workbook or sheet is password protected or not?
...
I am developing a web application where UserId and RoleId play a vital role... Is it secure to store these values in session? Some others can be hidden field, cookie... Which is more secure?
Any suggestion for this...
...
Hello, I need to write a small file serving component for a web server. There are lots of issues serving
files, because "as-is" serving is a big security hole, like this
www.somesite.com/../../../../etc/passwd
There are many issues including ".." resolving and many others like under windows there are many "unusual ways to refer to some pa...
I need to secure access to all pages in a .NET webapp - EXCEPT requests from:
local network (the network IIS is running on)
IPs listed/netmasks listed in a database
all other requests should be redirected to a login form
I was thinking in the direction of a HttpModule - but never wrote one.
Can anyone provide any ideas to this?
Th...
I thought they were there for security; to check that the file hasn't been tampered with. But surely if someone is capable of modifying the file then they are also capable of modifying the page with the hash!
What security does this actually offer?
...
I'm working on what aims to be a secure method of user registration and authentication using PHP and JavaScript but not SSL/TLS.
I realise this may well be considered an impossible task that's been tried 1000 times before but I'm going to give it a go anyway. Every example I see online that claims to do it seems to have some huge fatal ...
Hello everybody,
I have created a class file database.php which handles all the SQL queries and connecting to the database. I store the username and password for the database in a variable (which is easily seen if one gains access to the PHP file).
I want to encrypt that username and password so that even after having that php file one is not ...
I wonder if those prepared statements of PDO really increase security, or if they are just a "cheap" text-replace in the query. The point of prepared statements actually is, that whatever gets inserted as parameter, will not be parsed by the DBMS as part of the instructions itself, so a parameter like
"'; DROP TABLE foobar;"
has no e...
We're building/designing the next generation of our sales/ordering/CRM system which comprises entities like customer (customer hierarchy in particular), order, promotion action, ... Each user of the system should have one or more customers assigned. Users should be organized in a form of organizational hierarchy. The system should con...