Our company is looking into allowing third party sites to use our online checkout system.
A client has stated that they would like to be able to use a lightbox style popup to display the checkout. And they would like this to be available on every page of the site, therefore mostly unsecure pages. Our checkout system and the client site ...
Ok, say that my application is emitting (x86) instructions into memory, making the page executable, etc. Is there any way of altering the method stub of an un-JITted method to point to my emitted instruction stream?
E.g.:
Suppose I have created an x86 instruction stream in memory, which does something arbitrary. Now, further suppose th...
We're moving to cheap office space that provides a lot of stuff: receptionist, copiers, printers, microwave and internet access - all of it shared with strangers.
What should I ask to find out if the network is safe to use, and if it's not inherently safe, what can I do to make it safe?
...
I'm working on updating a classic ASP web page used by a number of sub-sites maintained at the company I work for.
The purpose of the page is to notify the user that they are leaving "our" site and going to another site. It's basically a disclaimer, but due to resource limitations and time limitations I can't add the disclaimer to every...
I plan on using MySQL and its built-in encryption functionality to encrypt / decrypt certain columns in certain tables. The concern I have is that I need to store the key somewhere. I could certainly store the key in a file and control the permissions of that file and the permissions of the application that accesses it, but is that en...
I have a WCF service up and running and am able to communicate between the service and a .Net 2.0 Client using basicHttpBinding.
I now need to lock down the WCF service so that it can only be called by authenticated clients.
I have control over the clients that will be calling my service. The clients are part of a product that will b...
What is the best way to design a user login mechanism using Java? What are the best practices to be followed to architect a secure and robust login mechanism?
What is the difference between JAAS, JNDI and GSSAPI? How do you decide which one to choose?
...
Before I get flamed and down-voted without mercy, my company will not allow the install of .NET3.5 on non-dev machines yet (others are currently on 3.0).
I have a managed exe on network share that needs to be able to run from there. This is a common problem with pre-.NET3.5SP1, but I cannot figure out how to solve it. I have read thi...
One problem that I come across regularly and yet don't have a solution to is to restrict or permit access to specific entities in a system. Some companies (banks, for example) have very strict policies regarding which employees may access certain information. For example, an employee at a specific branch may access account information fo...
So my group is trying to set up a shared-server environment for various and sundry web services. I think we've settled on setting disable_functions and disable_classes site wide in php.ini and php_admin_value to force open_basedir in each app's httpd.conf for php scripts, and passenger's user switching for ruby scripts.
We still nee...
This is a follow on to this question. I am trying to avoid using the x509 certificate method as that makes my client installs more complex. If basicHttpBinding is not the only option, where are some samples of other binding methods.
My clients are on .Net 2.0, I don't have access to System.ServiceModel namespace as that didn't come ...
My C++ application stores some common user data in %CSIDL_COMMON_APPDATA%\Company\Product. I want to make sure the Users group has write permissions to this folder, which on Vista it does not. How do I do this?
...
Say each row in a table has data pertaining to one particular user. The user has a password to access the system.
How do I encrypt a column of data using InnoDB so that no one other than the user whose data it is can read the data? I was thinking of something like using one of the MySQL encryption functions (say AES) with a key based o...
We are an organisation who have purchased a system which is used by doctors to view test results of patients (quite sensitive information).
Being a programmer, I have poked and prodded with the system and found that it submits the username and password via a HTTP GET request.
On the domain it is run on, all computers are set to bypass th...
I came across an article about Car remote entry system at http://auto.howstuffworks.com/remote-entry2.htm In the third bullet, author says,
Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random number generator to pick a new code, which i...
I want to configure SMTP on my web server, so that any email sent through the SMTP server is relayed to a remote SMTP Server. The IIS SMTP server would have to use SMTP authentication, and use the host name, username and password (as if configuring a normal email client).
Does anybody know if this is possible?
...
I have an application that behaves oddly, and just to verify, I'd like to see which security zone it is currently running under.
I've found the System.Security.SecurityZone enum, but can't seem to find anything that will return which of these I'm running under.
Does anyone have any tips?
Basically I want to find out if my application ...
Let's say on MySQL database (if it matters).
...
I have a web service that is protected by requiring the consuming third party application to pass a client certificate. I have installed the certificate on the providing web service in production and on the client as well. This process is currently working fine for other clients with a similar setup. The current version is written in ...
I have a rich-text editor on my site that I'm trying to protect against XSS attacks. I think I have pretty much everything handled, but I'm still unsure about what to do with images. Right now I'm using the following regex to validate image URLs, which I'm assuming will block inline javascript XSS attacks:
"https?://[-A-Za-z0-9+&@#/%?...