To make a long explanation short, suffice it to say that my Rails app allows users to upload images to the app that they will want to keep in the app (meaning, no hotlinking).
So I'm trying to come up with a way to obfuscate the image URLs so that the address of the image depends on whether or not that user is logged in to the site, so...
To protect against CSRF you should put a nonce in a hidden field in the form, and in a cookie or in the session variable. But what if the user opens several pages in different tabs? In this case each tab would have a form with a unique nonce, but there would be only one nonce stored in the session variable or cookie. Or if you try to sto...
I have found three possibilities for what is called an "ACL owner" in the wild:
The owner is the protected resource. That's the way EAz goes.
The ACL owner is the user who owns and edits the ACL. (like in java.security.acl.Acl or POSIX ACL)
The user owns the protected resource and the protected resource owns the ACL. So the user owns ...
What is the best way to connect an ACL with the protected resource?
1) Should the protected resource hold a reference to its ACL?
interface AclHolder {
    Acl getAcl();
}
This would be simple, but if the object lives in a database it has to be constructed before it is possible to check access rights.
2) Spring Security uses a mec...
I have a pretty basic helper class that I'm using to do all my Http Get/Post stuff. I'm using HttpGet, HttpPost, and HttpClient from the org.apache.http library. All of my stuff works fine over HTTP, but as soon as I tried to consume a service that works over HTTPS, I get a ClientProtocolException when executing the request. The only ...
Where should I best manage a hierarchy of ACLs?
I see three possibilities to manage a hierarchy of ACLs:
1) The ACLs themselves manage the hierarchy:
class Acl {
    Acl parent;
    // ...
}
2) Constructing a separate tree structure to manage the hierarchy.
3) Using an already existing hierarchy as the implicit hierarchy for ACLs (like...
I wonder if complete ACLs or only their Access Control Entries (ACE) should be inherited.
It would be simple if the children replace the whole ACL, but it would be limiting if only an additional ACE should be added.
If ACEs can be inherited, I think I would need negative rights, because otherwise all rights beginning from the root ACL...
The talk of internet town today is the SNAFU that led to dozens of Facebook users being led by Google search to an article on ReadWriteWeb about the Facebook-AOL deal. What ensued in the comments thread is quickly becoming the stuff of internet legend.
However, behind the hilarity is a scary fact that this might be how users browse to al...
I have this as a vulnerability issue in a McAfee scan for my website (ASP.NET with VB.Net, IIS7, SQL Server 2008):
Missing Secure Attribute in an Encrypted Session (SSL) Cookie.
What do I have to do to get rid of this vulnerability? Please advise.
...
Hey everyone,
I've got a section on my site which allows users to upload a link in their profile to their MySpace account. In order to secure other users, I want to hard-code the domain name (www.myspace.com/) and append the user's (sanitized) input. To me, this seems pretty secure and ensures that it always goes to MySpace.com. How...
I've been configuring some of my applications to use the Windows Identity Foundation. I use the passive redirection to get security tokens from a Security Token Service. I accomplished this by inserting WIF code into a logon web site that existed before I started using WIF and then using the "Add STS Reference" within the applications....
I've been solving a couple of the WebGoat examples for a uni-lab thing. In one of the exercises I tried to use a python script with urllib2 to do automated "tests" so I didn't manually have to use ascii(substr(first_name,3,1)) > 97 etc.
But I seem to get the same page even though I try different urls when using a urllib2 script aka f2, ...
Currently Google requires you to create an API Key that is specific to the domain of where the map will be served from. How does Google enforce this? I want to do the same thing.
I expose an API for my service but want to allow clients to embed calls to the API via javascript and not just from the server. I could secure it with just a r...
I'm trying to run a PowerShell script from a C# application and I need the script to run when my C# app is running as a non-admin user (e.g. Network Service or some other domain account).
Previously, I was using the following code:
using (RunspaceInvoke invoker = new RunspaceInvoke())
{
    // load the powershell module
    invoker.Inv...
Hi,
How can I make sure only my iphone app is allowed to use my app engine application for sending and receiving data? I probably have to use a secret key, but I don't know how. Can I just use post/get to send my static key over https? Or do I need to use some dynamic secret key algorithm?
Any help would be appreciated!
Bjorn
...
An application wants to parse and "execute" a file, and wants to assert the file is executable for security reasons.
A moment's thought and you realize this initial code has a race condition that makes the security scheme ineffective:
import os

class ExecutionError(Exception):
    pass

def execute_file(filepath):
    """Execute seria...
Is it possible to deny access not only per directory using the <location> directive but to a number of directories at one time?
Or do I have to use <location> every time for each directory?
...
I'm new to PHP and I'm following a tutorial here:
Link
It's pretty scary that a user can write php code in an input and basically screw your site, right?
Well, now I'm a bit paranoid and I'd rather learn security best practices right off the bat than try to cram them in once I have some habits in me.
Since I'm brand new to PHP (litera...
Hi all,
I want to have a swf locally that loads another swf from the internet.
Flash quite wisely displays a warning requiring you to whitelist the place from where the external swf is being loaded.
Now is there any way for this warning not to display?
Changing those options through the browser is quite a hassle and I'm pretty sure people...
Dears, I have an asp.net web site; in it we have an admin area with a login page for admins only, and the whole site is allowed for all. I need to ask how to define the right security configuration for it, as I get this error:
Cannot use a leading .. to exit above the top directory.
Description: An unhandled exception occurred during the execution...