I've been using the free Firefox extension XSS Me from Security Compass to test for XSS problems. However, using what I understand to be safe filtering, XSS me still reports warnings. Are these accurate warnings or spurious? Using the code below as a testcase: <form method="post" action=""> <input type="text" name="param" value="<?php ...
I have a website that uses IFrame in a page that loads other pages based on server side logic. So, if I do a View source, I would see something like this: <iframe src="DeterminedOnServerSide.aspx" id="myFrame"> </iframe> My question is - Is there any way, an attacker can change the src attribute to point other users to a malicious web...
I am using the following in my webconfig, so that only admin an access the admin folder. <location path="Admin" allowOverride="true"> <system.web> <authorization> <allow roles="Administrators" /> <deny users="*" /> </authorization> </system.web> Now when the guest user tries to access this he is redirected to the Login p...
I am writing a game server plugin, and writing a web interface to control it. I am considering detouring the GetPacket() function in the game server, and sending custom packets from my web panel and using GetPacket() to interpret them. My only concern is security as obviously I don't want to just send open data out. What can I read up on...
I am writing an application in which application errors are logged and posted to a listening HTTP port on our server. We decided against email since many of the clients running the server "would not be able to send anything through SMTP" (according to boss dude) I was just going to send the data as-is using log4net and a custom-written ...
Hi guys does anyone know why the programming language C++ is used more widely in biometric security applications compared to the programming language Java? The answers that I have collected so far are 1) Virtual Compilers 2) OpenCV Library provided by C++. Can anyone help with this question?? ...
Almost all the .net assemblies can be de-compiled using Reflection .Which means that all .net products are open source since the code can be easily be used by other developers. Isnt there a way so that we can encrypt the codes (at least for some security logic) so that it cannot be easily cracked or misused. Edit Old question Is winfor...
My application involves using submitting data (the "request") from a form into an SQL Server 2005 database, for later review and approval by a supervisor. Users should have permission to insert a new request, but not be able to modify the ones they have already submitted. With a single table, this is straightforward: grant them the INSE...
I have a WCFservice named IEnvironmentService. This service provides some unsecure methods. I have to protect some methods in this service. In order to protect this methods I want to use windows identity. So other than the specific windows identity service methods cannot be callable. How can I achieve this. thanks. ...
I want to use HTTP Digest Authentication with a central database that stores usernames and encrypted passwords. These data should be used by different servers like Apache httpd or Tomcat for example. The clients will be humans with browsers and other applications communicating in a RESTful way. As far as I understand I could not use a t...
Hi, I am building an application with health information inside. This application will be consumer-facing with is new for me. I would like a method to put privacy concerns completely at ease. As I review methods for securing sensitive data in publicly accessible databases I have frequently come across the notion of database translu...
My question is about certificates specifically in ssl but I think the questions should apply to all certificates. I have included the SSL procedure for the sake of clarity. In SSL this is what I understand to be the procedure: 1)Client sends supported crypto algorithms sends client nonce 2) Server chooses (and sends) a sy...
This is a corporate site so Private. We want to limit access by IP address to USA/Canada or North America. Based on IP range, would allow user/pwd to get in otherwise -'no access'. Just trying to limit hack exposure from anything overseas. ...
We are in the process of moving some software from our test environment into a production test environment. We've ran into a problem where our service can't communicate with another 3rd party service. After a bit of packet sniffing I was able to figure out that when the message is being sent on the working system the POST has an Author...
While there are many reasons to use the 'final' keyword in Java, one of the ones I keep hearing over and over again is that it makes your code more secure. While this seems to make sense in this trivial case: public class Password { public final String passwordHash; ... } With the final keyword, you would expect that no malici...
Hello By using python language, what would be a clever / efficient way of generating promotion codes. Like to be used for generating special numbers for discount coupons. like: 1027828-1 Thanks ...
I've seen it recommended to reference jQuery via: <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"> </script> The idea being most people already have a cached copy on their client. What if a hacker replaces that file on google's server? They could do an infinite number of "e...
Working on a major financial company's website, we tend to shy away from using the CDN-hosted versions of the jQuery library used throughout our site because of "security concerns". I'm assuming (although I've never had it fully explained) that these concerns relate to potential physical security threats through the risk of code being c...
I understand that strlcpy and strlcat were designed as secure replacements for strncpy and strncat, however some people are still of the opinion that they are insecure, and simply cause a different type of problem. http://en.wikipedia.org/wiki/Strlcpy#Criticism Can someone give an example of how using strlcpy or strlcat, i.e. a functio...
I am trying to create an application that is based on module level security. The idea is we would have a user login, grab there roles, grab the pages those roles have access to then in those pages grab the modules they have access to then the functions inside the modules they have access to (list, create, edit, delete). That way in an ad...