I'm asked to write a Web API for an application (pc executable, not web-app) that will allow sending emails.
A user clicks something, the app communicates with the API which generates an email and sends it out.
I have to make sure no one unauthorised will have access to the API, so I need to make some kind of authentication and I haven't...
Recently we've developed an E-Commerce web application for a client.
We are at the stage before launch and the client is not happy disclosing live merchant account details to us because they don't want us to potentially be able to see their clients' data.
Since we are going to maintain their website (running off their servers but ...
I'm trying to get a user out of Active Directory using their username and password. Does anyone know how to do this in C#, in addition to getting the security group they belong to?
Edit: This problem got more complicated (the requirements changed on me after a meeting). The security groups are nested within AD.
...
Amazon's API requires you to have a signature which is a combination of many elements, one being the secret. The server checks this signature by matching the API key passed in the parameters with a secret it has stored in the database.
My question is, how does Amazon match the API key and secret? Won't doing a query every time overload th...
The application in question is fairly extensive, with many different types of access roles (read Customer Service, HR, Admins, etc. etc.). Tiered access, so each role inherits the access below it, so HR has Read Only, CS has edit abilities, Admins full control. Menu bars and buttons enable/visible attributes are controlled by an outside a...
In an ASP.NET MVC project along with a test case project,
how does someone create a test case to test against existing security exploits on a controller method?
For example, how do you create a test case for a call that needs an anti-forgery token? Or XSS?
...
I'm using a ClientAccessPolicy.xml file that I think allows pretty much all access to my WCF service:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-fr...
I implemented an advanced login dialog for a webstart application. I call it "advanced" because it consists of three screens: one for the actual login (user, password), one for password retrieval, and one for new user registration. The problem I am having is that the webstart support for login dialogs is somewhat poor. The server simply ...
I was thinking about creating a service similar to posterous where users can post to a fixed address like [email protected] and then authentication of the posts would be based on some combination of the from address and header signature. Posterous seems to be doing something clever so that they can detect if a message is being spoofed or ...
I have an application where 99% of the actions will require the user to be logged in.
The options I've come across are:
1) Create a base controller inheritance chain and apply the Authorize attribute at that level. Something like: BaseController > AuthorizeController, BaseController > PublicController. (don't like this because of the inheritance...
I'm running a process as a user in the Administrators group, trying to get a process token for another process. The other process is run by a user not in the Administrators group. Here's the gist of the code I'm using. pid in this code represents the process id of the non-admin process. All of this is on Windows XP SP 2 and all on th...
Hey everyone,
I'm using ASP.NET and rely on the web.config file to secure sections of my site. However, is this truly reliable, or is it also a good idea to add an IsAuthenticated check in the Page_Load event? Also, is it possible for someone to directly call methods (assuming they somehow got my method names and method signature) in m...
I have a named pipe that's created in a managed process. I have a 2nd process that tries to open a file handle to the named pipe; however, the 2nd process is running under a lower privilege than the process that created the named pipe. My understanding is that I need to create the named pipe in the first process with a security descripto...
For my application I need to know if a Facebook Connect session is valid from the server side.
The Javascript API lets you know if you are connected to Facebook or not, but it seems that this can't be done from the PHP client library.
The scenario where I need it is similar to the following:
Log in to The Run Around using Facebook c...
I have a shell script which is called by a cron job. I don't want it to be downloadable via a browser. I have tried the FilesMatch .htaccess directive, but that doesn't seem to stop me calling the URL of the file and downloading it.
How can I protect it?
...
i.e.
using System.Threading;

static void Main(string[] args)
{
    // Start a second thread; the question is whether it inherits the identity of the user who ran Main
    var thread = new Thread(WhoAmI);
    thread.Start();
}

static void WhoAmI()
{
    // can I access network resources as the user who ran Main?
}
...
After reading through the other questions on StackOverflow, I got a snippet of Python code that is able to make requests through a Tor proxy:
import urllib2  # Python 2 module

# Route HTTP requests through the local Privoxy/Tor proxy on port 8118
proxy = urllib2.ProxyHandler({'http': '127.0.0.1:8118'})
opener = urllib2.build_opener(proxy)
print opener.open('https://check.torproject.org/').read()
Since Tor works fine in Fir...
If a C# application connects to a mysql server from a client, how do I store the mysql username/password for the connection? If I have it in a config file or embedded in the source it can be found by reverse engineering. It is not possible to give all users a MySql password.
Also, I have a log in for the application. How do I enforce...
In this How-To Geek article, the author talked about using
mysqladmin -u root -h host_name password "newpassword"
To set a new password. A person replied that that may leave the password in the shell's history file, and suggested using
mysql -u root mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('newpasswordgoeshere');
but a...
I have one question:
when we give the option to a web user to import data into a MySQL table, is this secure?
For example:
<form method="post" action="import.php" enctype="multipart/form-data">
<input id="file1" name="file1" type="file">
<input type="submit" name="button" id="button" value="Submit" >
</form>
and in import.php ...