security

Security implications of session strings that are not stored in a server database?

This time I am going to be brief :-) Instead of issuing randomly generated session strings to a user and inserting them into database, mapping these to user identifiers, for subsequent lookup on every authentication, why not do the following, with the intention to avoid database access on every request and distribute the session store i...

Secure data type to store password in a VBA.NET forms app in Systems.Setting

Need to store the username and password for an outside application inside of a windows forms vb.net app. For initial testing, I just set the settings type to "Text", but want more security. There are System.Security and Encryption types available, but not sure where to begin. Any suggestions on how to Add, Update, and Delete the values...

Htmlentities vs addslashes vs mysqli_real_escape_string

I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables because addslashes can cause some weird things to happen for a smart attacker. Right? However, there is one thing that is confusing me. I seem to remember being...

How do these guys make Flash access the clipboard and file IO?

Adobe Flash has some interesting and, at times, frustrating security rules that prevent lots of things from happening, like writing files to disk. Swf Studio and Flash Jester allow Flash to "break out" of the security sandbox that prevents file IO operations. How are these programs written? Is this something that I can do in any of the ...

New to ASP.NET MVC - Will I have to relearn security?

Hi, I'm planning work on a new project and am now tempted to use ASP.NET MVC. My project plans to use JQuery and AJAX (although non-JS clients will also be supported). Coming from a standard ASP.NET background, I'm still trying to get my head around the MVC paradigm (with great help from Scott Guthrie). However, my main concern with us...

How to detect if user is connecting from a recognized computer?

On many banking and investment websites, the site prevents users from logging in from an unrecognized computer without first answering an additional question or activating that machine. How do developers typically create this feature? For example, here is the message that Salesforce.com gives when I connect to my account from an unreco...

Is built in ASP.NET Membership Hashing good enough?

I'm just wondering if the built-in hashing in ASP.NET Membership is good password security, or if there is more that I should do to protect my passwords? If so, what should I look into for a higher level of security? ...

Simple security question: PHP Includes.

My sample index.php include 'class.php'; $x = new class; include $_GET['page'].'.php'; //checks if isset file_exists and in_array of valid file names before including; I want to make sure the page being included can't be accessed directly. Below are some examples of code I'm placing on the first line of code on the files that are bein...

External JavaScript Injection

Hi All, I am wanting to find out whether or not it is possible to inject JavaScript into the .NET WebBrowser control from outside the running application? Thanks STW Clarification: I am wanting to know if someone can get hold of the internal process of the wrapped components and manually insert what they like into the "browser" por...

SSL HandShakeException: No_Certificate. Using IBM's J9 JVM and Apache Tomcat

I am developing a mobile application that is to run on a Windows Mobile PDA. The application is written in Java and to run it we are using the J9 JVM from IBM. The application communicates with an Apache Tomcat server over HTTP and we are trying to set it up now to use SSL. I have generated public/private keys for both the client and ...

Asp.net mvc can not work without App_Data

I'm using a custom security (no membership provider). After the user logs in ... a folder "App_Data" with ASPNETDB.MDF gets automatically created ... on my local machine. If I deploy this to a remote server, it will not work due to security constraints on App_Data. Even if I delete this folder and restart the application ... it is re-cr...

Inspect HTTPS traffic from SWF files

Is there a way to inspect HTTPS traffic from Flex applications compiled to SWF files? I'm trying to use Fiddler for this, have added DO_NOT_TRUST_FiddlerRoot to my Trusted Root Certification Authorities so my IE now can access other HTML sites that would normally complain about untrusted certificate. However, the HTTPS traffic from the ...

Symmetric Key to Asymmetric key handoff

I'm not a cryptography expert, I actually only have a little bit of experience using it at all. Anyways, the time has come where one of my applications demands that I have some encryption set up. Please note, the program won't be managing anything super critical that will be able to cause a lot of damage. Anyways, I was just trying to...

What types of security measures should I take while developing an ajax-driven application?

Let's say you were building a multi-step ( 5 part ) booking engine that had a fully working backend but had a layer of ajax, where you can go through all 5 steps in the initially loaded page. The steps would be: input dates and specify availability information availability results where you can choose rooms input your information inclu...

Detecting exploits in web applications and how to proceed

What ways are there for detecting exploits in PHP/MySQL web applications (checking for certain characters or pieces of codes in the GET, POST, COOKIE arrays / using a library with a database that has all the patterns for common exploits, if any exist?) and how should I proceed when one is detected? For example, if someone tried to find ...

CRUD Admins: Why not use MySQL users for auth/acl instead of User/Group tables?

In several frameworks (symfony/Django), you have admin generators that usually control access via a User table (which assigns a user to a specified Group table). I'm curious, why not simply use MySQL's actual users (with select/read/write access already baked in) instead? ...

JNLP java.security.AccessControlException with TargetDataLine.open() ?

I have the following line which caused this error message run under JNLP : java.security.AccessControlException: access denied (javax.sound.sampled.AudioPermission record) at java.security.AccessControlContext.checkPermission(Unknown Source) TargetDataLine targetDataLine.open(audioFormat); How to fix it ? Or does that mean in JN...

Removing private information from old Git commits

I have a project versioned with Git that I'd like to make open source, but it has some private information in it that is specific to the environment in which it was originally used. I'm going to change the information in question to load from a config file which is not included in the repository. I realize I should have done this in the ...

Adding "Network Service" Account to Administrators Group

My web-app runs in IIS 6.0 under windows server 2003, and we all know that in this situation, user account "Network Service" is used by IIS. I happen to have to allow certain user to perform some action on my web page, and that action requires administrator privilege. The laziest solution to me seems to add "Network Service" to Adminis...

Report xss/injection attacks by email (how to encode)

I have a form to sign yourself up to a mailing list. I had set up the script to send me a mail for every signup and confirmation. In the last few days I saw a bunch of empty submissions (rejected). Turns out filter_input is that good :-) But I want to see the input of the malicious users, so I'm encoding the input and sending it to me by mail ...