I run a small php/mysql website for a camera club where users can upload photos. I have recently started storing email addresses for doing password resets.
My question is what is the best practice for dealing with users' personal information: are there any laws/legislation regarding what I can do with personal information? Do I need to...
It's been my experience that some security software (like Symantec's Norton AntiVirus) oftentimes prohibits its removal from a Windows system via the "Add or Remove Programs" utility, going so far as to occasionally require a removal program obtained from Symantec's homepage. (I assume this is to prevent a malicious program from disabl...
What kind of security issues am I going to run into when hosting a Flex site (with multiple modules) using Amazon S3's hosting?
Can I even communicate between two different swfs if they're loaded from two different subdomains? (These will be modules)
I don't yet know if I would host all modules on S3 or just some. For testing impact to ...
As web developers our applications are vulnerable to a number of security holes (XSS, SQL injection, etc...). I'm a firm believer that if you're writing an app it should be protected from all of these well known vulnerabilities. However, I'm having a hard time convincing my team (and management) that it's worth the effort.
This leads me...
What is the appropriate way to integrate Spring Security with Captcha?
I have the following use case:
When a user tries to log in, if he has failed to log in N times, a captcha will be displayed, so authentication will use three parameters: username, password, captcha. But Spring Security doesn't support built-in Captcha handling.
I just...
I have a mixed UI (Win App, WPF App, and soon an ASP.NET MVC App) setup, so far I'm using Client Application Services for security. I know how to programmatically get a user authenticated and doing so is working beautifully. However...
I want to implement some cross-cutting that basically checks to see if the user is authenticated all...
I am building authentication into a client-server application, and some of the feedback I've received is that I should leave the hash calculation to the server (it was initially implemented to have the client receive the hash, calculate a hash from the client's entered password, and compare them). That seems to make sense, but I am left...
According to the PHP manual, in order to make code more portable, they recommend using something like the following for escaping data:
if (!get_magic_quotes_gpc()) {
    // magic_quotes_gpc is off: escape the submitted value ourselves
    $lastname = addslashes($_POST['lastname']);
} else {
    // magic_quotes_gpc already added the backslashes; use the value as-is
    $lastname = $_POST['lastname'];
}
I have other validation checks that I will be performing, but how secure is...
In a database I am designing I have implemented profile based object level security.
Each user can view, edit, insert, update database tables according to the profiles (roles) he is a member of.
Now there is a need to implement "External Users" who can view only the relevant records and edit some of them (but not the bulk of the database...
Not quite sure how to troubleshoot this. I'm maintaining an ASP site; it's mostly static, but there's this one include page which brings in the menu.
Just recently I replaced some images, but now when I try the site, I get a prompt for a password as if it were looking for something on the local network!
I checked, all image paths are writ...
Simple question that keeps bugging me.
Should I HTML encode user input right away and store the encoded contents in the database, or should I store the raw values and HTML encode when displaying?
Storing encoded data greatly reduces the risk of a developer forgetting to encode the data when it's being displayed. However, storing the en...
open_basedir limits the files that can be opened by PHP within a directory-tree.
I am storing several class libraries and configuration files outside of my web root directory. This way the web server does not make them publicly accessible. However when I try to include them from my application I get an open_basedir restriction error l...
Regarding cross-site request forgery (CSRF) attacks, if cookies are the most used authentication method, why do web browsers allow sending cookies of some domain (and to that domain) from a page generated by another domain?
Isn't CSRF easily preventable in browser by disallowing such behavior?
As far as I know, this kind of security che...
On my website, I have several html files I do not link off the main portal page. Without other people linking to them, is it possible for Jimmy Evil Hacker to find them?
...
Today I changed the application pool identity of our ASP.NET application from "Network Service" to a domain user.
I added the user to the local group "IIS_WPG", did an iisreset just in case, and everything works fine with IE6 and Firefox 3.0.
But when I go to the website with IE7, an authentication popup appears, I type my credentials,...
I don't want to know how... Just how complicated....
I'm thinking of securing a webservice or 2 based on the incoming client IP address of the caller. Is this in any way secure?
Surely if the IP address was being spoofed then the result would have to be sent back to the address that was being spoofed and therefore not reach the spoofer?
...
Reading this blog post about HttpOnly cookies made me start thinking, is it possible for an HttpOnly cookie to be obtained through any form of XSS? Jeff mentions that it "raises the bar considerably" but makes it sound like it doesn't completely protect against XSS.
Aside from the fact that not all browsers support this feature properly,...
I have a user account 'member center' that shows all of a customer's subscriptions and memberships that they have with my company. This is at https://secure.example1.com/membercenter/.
I have another site which is the actual member site. This is at http://www.example2.com/. ( each site on a different domain, though it is the same dedica...
Hi,
I'm involved in creating a web based business solution. The idea is that the customers will use it, get their business processes and information into one place and also receive added business value by inter-system communication. In short they will use it as a core tool in their daily work and will depend highly upon it.
One problem...
With so many ways to attack a site, it would be useful if there were a single guide, or resource, listing all known vulnerabilities with possible preventative measures. Does anyone know of any?
Also, is there a library or framework that can deal with this kind of thing?
...