Hi,
I wrote a JavaScript function in my HTML page to execute an .exe file. For this I used ActiveXObject.
My function is:
//~~~~~~~~~~~~~~~~~~~~~~~~~~~JavaScript~~~~~~~~~~~~~~~~
function openWin(url)
{
if (!document.all) {
alert ("Available only with Internet Explorer.");
return;
}
var ws = new ActiveXObject("...
I am a postgraduate student. I have to do a master's thesis on SOA vulnerabilities (SOA security). In the sense, finding vulnerabilities in web services or finding solutions to the existing vulnerabilities. In that direction I have been searching for vulnerabilities in SOA. Once the vulnerability is found I have to stimulate it and show to...
My question is about verification more than anything else. What can be used to determine what is unique in an HTML document? (The document can have a degree of being dynamic.)
What is able to be used, or generated to recognize that a page is the correct page to an accuracy of say 99%, taking into consideration you can store a "fingerpri...
I've seen some similar questions, but none that look like what I'm trying to do.
This is my current implementation w/out any security:
<div id="menucontainer">
<ul id="menu">
<li><%= Html.ActionLink("Main List", "Index", "AController")%></li>
<li><%= Html.ActionLink("Product List", "Ind...
Google's Webmaster guidelines state
Allow search bots to crawl your sites without session IDs or arguments that track their path through the site. These techniques are useful for tracking individual user behavior, but the access pattern of bots is entirely different. Using these techniques may result in incomplete indexing of your s...
Hi.
I'm creating a regular Windows application that will be distributed to several users in my department. I'll need to include some connectivity passwords in the App.config file, and I obviously don't want end-users to just fire up Notepad and look at the passwords.
Several articles point on how to encrypt/decrypt configuration sectio...
Is there something in SQL Server similar to USE (to switch databases) that can control the owner prefix that is used for tables?
For example, we have an application that insists on creating tables "theServiceAccount.TheTableName"; what we really want is to force it to put the table names under dbo... so "dbo.TheTableName". We don't ha...
I've heard that Code Access Security is changing completely under .NET Framework 4. Can anyone confirm how this will now work, and what the implications will be for legacy applications?
...
We are designing a security system to prevent brute force attacks to get into an account.
One option proposed is blacklisting by IP. If an IP address attempts to log in too many times, any further attempts by that IP address are blocked for a given time.
Another option is to do a more traditional account lockout, where too many attempts...
I'm currently researching cross-domain SSO implementations, and I may not be able to use a third party SSO provider.
I found a custom implementation online that involves a series of redirects and an encrypted querystring parameter.
MrUser logs into http://www.foo.com
MrUser clicks a link to http://www.bar.com/page.aspx
MrUser is not aut...
I was wondering what are "semantic NOPs" in assembly?
...
I'm developing an ASP.NET web site for some small business. The site needs a password-protected area where the site owner will manage the site content. For the rest of the world, the site is completely read-only.
I've designed and implemented the following scheme:
A user wants to access some protected page.
Every protected page inheri...
The concept I have uses a central MySQL database which has many Java clients running and using this database (connecting directly). The clients would be publicly available, so security becomes an issue.
As Java can be decompiled, I cannot put the security part of this system into the client application. I'll need to have an initial us...
Hi,
I have built a CMS from scratch in PHP and I need a little help with getting it more secure. Basically I have arranged all my important files as follows:
/var/www/TESTUSERNAME/includes/val.php
Is this a secure way to stop people from getting hold of my values?
Would it be better to store these values in a database then ru...
I'm wondering what the current state-of-the-art recommendation is regarding user authentication for a web application making use of JSF 2.0 (and if any components do exist) and JEE6 core mechanisms (login/check permissions/logouts) with user information held in a JPA entity. The Sun tutorial is a bit sparse on this (only handles servlets).
...
In one of our networks we are utilizing the netTCPBinding. The WCF service is hosted in a Windows service that runs as a domain account.
From the event viewer I can see that my WCF service uses Kerberos authentication. Everything works seamlessly "out-of-the-box" with simple default configuration without an <identity> element in the configu...
I am wanting to list all the files in a folder that a user has read access to. The user visits the website and can use Forms Authentication for some aspects of the site (e.g. adding links etc), but I want to list files in a given folder using their Windows Credentials (since I have anonymous access turned off), hiding those they can't re...
In a multi-step form process, I am receiving a URL as a form field.
After processing, my PHP script redirects to that address using header("Location: ...");
Apart from the possibility of being misused as a redirect service for porn sites to generate harmless-looking links in E-Mails (Open Redirect, which can be helped by matching the U...
Scenario: I have a Grails app that uses Acegi security for authentication. I'm implementing a REST service endpoint in the app and want to be able to GET and POST to / from the service endpoint using a shell script.
I've been trying to use curl to do this, but can't find the right combination of parameters to make the curl command log ...
I am writing an ASP website that uses Forms security and Active Directory.
I allow the user to log in using the Windows API:
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
This give...