security

How to mask password entry with on screen keyboard

If I need to enter a password through an on screen keyboard (via touch or mouse) the password can be gleaned by watching the key presses or where the mouse hovers if key press is disabled. Is there a way to make this process a bit more secure? It's fine if the user can obscure the screen of the device with his body, but if the screen i...

How to verify ECDSA/SHA2 S-MIME signature with python ?

We need to choose between two signature schemes: RSA/SHA2 S-MIME signatures and ECDSA/SHA2 S-MIME signatures. For that our python software needs to support one of these schemes. Currently for some political reasons the ECDSA solution is preferred. Is the ECDSA solution supported by any of the python crypto modules (M2Crypto, ...) and do you...

IIS Default Web Site locking down virtual directories

I have a Web Site in IIS 6.0 that hosts several virtual directories. Some of the virtual directories in the Web Site need to be served out to the internet, so there is a public DNS entry for the Web Site as a whole. Other virtual directories should not be served to the internet, but they get exposed by default through the public DNS ho...

Keeping a secret key secret with Amazon Web Services

I'm playing around with using Amazon Web Services in my personal project. I've grabbed their AWS SDK for .NET and I'm using that, but I'm a little confused. Access to the web service (in this case, SimpleDB, though I don't think that's really material to the question) is authorized via a private/public key pair. The AWS SDK for .NET A...

ASP.NET Membership Provider - Single Login

I'm considering utilizing the ASP.NET Membership Provider for a few different web apps/tools with a single login approach. REQUIREMENTS User logs in to my.domain.com and sees a list of apps/tools that they have permission to use. The user selects the tool they'd like to use and clicks the link. When the tool opens, it is able to i...

Multiple AntiForgeryTokens on a View with a MasterPage

Has anyone had to deal with multiple AntiForgeryTokens on a child view of a master page? The scenario I am thinking about is as follows: The view contains a Form with an AntiForgeryToken rendered as a hidden field. The view is contained by a master page that has another AJAX submitted form. The issue here is that I need to encapsula...

Allow Get request but only in my domain?

On my site I can trigger certain things using GET requests, like the ability to hide or delete a comment. I am not very worried, but it would be pretty annoying if someone designs an attack using img src= url to delete comments or emails. Is there a way to prevent this? I am using HttpOnly cookies for the login data. If someone does img src ...

Is using GET with a tokenID for security a good idea?

I was thinking about this and it appears POST is only a little less vulnerable and somewhat harder (due to requiring the user to click something). I read about token ids and double submitted cookies and I am not sure what the difference is http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Disclosur...

What SQL user to use for the connection string?

I'm using .Net 3.5 and SQL Server 2008 Express. Should I use the administrator user for the connection string, or should I create a new user with limited permissions? If I need to create a new user for the connection string: What security permissions should I grant him? How do I set those permissions? Thanks. ...

How secure is SSL really?

The other day I noticed that if I run IEInspector's HttpAnalyser and capture the post data when logging into my bank account or amazon account the post data shows my user name and password in the clear. This is a little concerning. Does anyone know at what point the SSL encryption takes place? This I assume would mean that any softwar...

HTML security profiling tools

I am developing a site and I am using YSlow to profile speed and stats, Web Developer for HTML and CSS validation, etc. What can I use to check for security mistakes? ...

Authentication and Authorization scheme for an application exposed as WCF Service Layer?

Hi, I know this question must have been discussed million times in your organization. One more go. Designing a LOB application which has its business operations exposed as services. These services would be accessed by our own web application(ASP.Net MVC), smart desktop clients, mobile clients, as well as, our partners via either thei...

What is the non-standard HTTP verb "DEBUG" used for in ASP.NET/IIS?

I am reading a report from a "web application security" company, who have been scanning a few websites of the company I am working for. It appears from the report - which seems written without any human involvement - that several attempts were made to break our sites using requests like this: DEBUG /some_path/some_unexisting_file.aspx...

Framework like Spring Security for Java EE?

Spring Security offers many powerful security mechanisms but it doesn't fit properly into a Java EE (EJB) environment. One problem is that Spring Security stores the SecurityContext in a ThreadLocal object which is not suitable for clusters. Spring Security relies on services (AOP for example) from Spring core which are not available if ...

How can I assure safety when I execute a method of a .class file?

I know the interface of the .class file; let's say Boolean xy(); is the only method. I want to execute the method of an unknown .class file which implements that interface on my server. The method should be able to call some methods of my classes. How can I be assured or test that no dangerous stuff is executed in the method? ...

Connect to IIS metabase on a remote 2008 server

I have written a bit of code that inspects the IIS metabase to see what sites are installed and where their virtual directories are kept. This code runs fine when run locally on the server. I am trying to extend it so that it works remotely. The thing I'm struggling with is getting it to authenticate. I'm currently using the LogonUser API,...

Document Security System - Am I Reinventing the Wheel?

I'm designing a document security system. Ultimately, the document breaks down into sections, and then into content elements. Then there's a security id, a GUID presumably, which is associated with the content element. When a user requests the content element, they supply a SID and the system determines whether they're authorized or not...

What are secure approaches to handling a script that requires a database (MySQL) password?

Obviously, we don't want to hardcode the plaintext password in each script. This would make cycling the password difficult since a ton of scripts would need to be changed in addition to the password being in plaintext in the first place. If the script takes the password as a parameter, then we need to worry about modifying the 'ps' out...

How does rand (timestamp) work if running on a webserver?

While studying some security things, there was a question that one can guess the generation of some sequence for rand (timestamp) running in a webserver. He said that our first goal should be to crash the server (assuming that the server will get up in 1 min); we can sync our generator with the server and then rand (timestamp) generated by the webserver...

Wapiti crashes my ASP.NET project. Why? How do I fix it?

Here's one scan of Wapiti. I notice when I had images uploaded (users can upload) I get a crash before Launching module crlf. So just using a fresh instance of my site I ran this and got the result below. My questions are 1. How do I fix the crashes 2. How might I find out what is causing the crash. I used -v 2 to figure out the url and ...