The Google API (or things like calendar and Docs) has a handy feature where any code can point to a generic URL and get the info for the user currently logged in to that session.
I would like something similar, but without relying on OAuth or RESTfulness, or user-approval via token.
Essentially a user will log in using the same authent...
What is the most secure way to stop users adding html or javascript to a field. I am adding a youtube style 'description' where users can explain their work but I don't want anything other than plain text in there and preferably none of the htmlentities rubbish like '<' or '>'.
Could I do something like this:
$clean = htmlentities($_PO...
Do MySql 5.1 and SQL Server 2008 (Web edition, Standard) have any functional password limitations other than length limits? Are metacharacters in any form a bad idea to use, like bang, pipe, hash, any slash, caret, and so on?
I know that MySql 5.1 has a password length limitation of 16 characters that is hardcoded, but I was wonderin...
In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time.
My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I ...
I wonder if I should use the CAS protocol or OAuth + some authentication provider for single sign-on.
Example Scenario:
A User tries to access a protected resource, but is not authenticated.
The application redirects the user to the SSO server.
If being authenticated the user gets a token from the SSO server.
The SSO redirects to the...
Hey everyone,
I'm using various ASP.NET controls out of the box such as the CreateUserWizard control, Login control etc... For custom controls, I have sanitized my inputs by making sure they conform to expected values. However, is this required for the controls such as the CreateUserWizard control, or is that handled internally? Do I ...
Hi, I would like to secure my MVC controller actions using...
[PrincipalPermission(SecurityAction.Demand, Role="Administrator")]
However, if the user is not in this role then a SecurityException "Request for principal permission failed." is thrown by the code.
There seems to be no way to handle this error, even [Handle] error won't ca...
When I create an Azure ASP.NET application, by default .NET trust level is Full trust. I always change it to Windows Azure partial trust which is similar to ASP.NET's medium trust level.
You can do it either by using GUI when you select Properties on the Role or by setting enableNativeCodeExecution to false in the definition file (.csd...
I've worked with many APIs and it's never usually an easy task. Messing about with POST requests and then trying to handle the XML is a pain. And I thought wouldn't it be easier for both user and developer if they could just directly interact with the database.
Is it possible to create a user which API users would connect to then assign...
Hi, this is probably a n00b question, but I don't really have any experience in this area.
I need to create a p12 bundle containing an X509 certificate and the private key. I currently have two objects, the X509Certificate2, and the RSAParameters object which contains key information. How do I combine these into a p12 file?
I just ...
How to set the user authentication on my database application in berkeley db java edition?
...
I have earlier asked a related question here. I have come up with a scheme which I shall describe below. I request experts out there to provide feedback.
Since the target application is a consumer application, the implicit assumption is that the application won't be deployed on BES. If required, a separate application would be developed th...
How much stronger would this be:
return sha1($salt.sha1($passwd));
compared to just:
return sha1($salt.$passwd);
salt is a per-user strong 12 char with random ascii
...
I would like to have your opinion about the subject "version control",
but focusing on security.
Some common features:
allowing to access to source code using clients only
(no way to access the source code on the server directly)
granting permission to access only the
source code which I am allowed to modify (i.e.: a developer should...
I couldn't think of a decent title, so let me first apologize for that.
I have a WebService (call it A) written for my app so I can take advantage of ASP.NET 3.5 AJAX features. I use the generated JavaScript proxy to make AJAX calls.
As a side effect, WebService A is exposed for anyone to add as a reference to another project, which i...
I have a client server environment and would like to secure the network traffic using IPsec. What is involved to get this implemented? The application is working fine, I just need to secure the traffic between computers.
What do I need - certificates on each computer for example? Do I need to make changes to the socket read/write code?
...
Hi,
I'm trying to sanitize any data that's inputted by making sure the data is valid for a particular field (e.g. a name can't contain special characters/numbers etc..) However, I'm not sure what to do when it comes to a password field. Would I even need to bother with any sanitization as the password is simply hashed? If the user was ...
Often, I am told that Security functions are not available at a level of abstraction that a developer with little security knowledge can use them. What changes will the developers want in their development environment, say for Java, that will make securing their software much easier than today?
I am looking at new ways like providing c...
In my review of a free package distributed under the Apache license I found a number of bugs ranging from obscure code issues to security holes.
I've taken the following steps:
I notified the project lead through private email about this two weeks ago, and other than an acknowledgment of said emails, I haven't seen any internal o...
Suppose you have a webapp that gives users their own site on a subdomain (eg: awesome.super-cms.com) and that you let them edit HTML. Further assume that you're setting the SessionID in a wildcard subdomain cookie ("*.super-cms.com")
The user who manages evil.super-cms.com could easily write a JavaScript that grabs the SessionID from o...