Hi,
My app is running on domain example.com, but I fetch some data from domain api.example.com.
Example:
User wants to add a new article.
example.com sends a request to api.example.com/add
Question:
I would like to know which security I should use to verify the user? OAuth? Or should I send the user's password over POST? Thank you.
...
Should I save this information in the database?
For example when users sign up or log in?
...
I want to allow users to create tiny templates that I then render in Django with a predefined context. I am assuming the Django rendering is safe (I asked a question about this before), but there is still the risk of cross-site-scripting, and I'd like to prevent this. One of the main requirements of these templates is that the user shoul...
I'd like to enable users to leave rich text comments, possibly using markdown. I've installed the libraries used on Reddit, but am concerned about the JavaScript injection attack which occurred last year, especially since I'm still not clear on the details of how the attack was done. Should I still be concerned about comment security? Is...
I am trying to find security flaws in a MySQL page. It is an assignment for a class learning about SQL. Through a textbox, they will be given access to a database to submit queries and see if it returns the correct data sets. I want to find out if there's anything malicious they could do.
This is the result of a SHOW GRANTS query:
Gran...
In SQL Server 2005, setting up an anonymous user to view a report was simple (just create a windows user with limited privileges and give that user permission to see the report in IIS). However, in 2008, it seems more complicated. Under my present configuration, users require domain authentication to view reports. There does not seem t...
What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method?
...
Hello,
I've built a client-server system, where clients sign in to communicate securely with other clients through the server.
Here are the properties of my system:
- Client-server communication is SSL encrypted
- Client login details are stored as hashes securely with their salt on a database stored locally on the server
- On login, ...
I'm just a beginner. What's wrong with my code? I'm trying to experiment on this so that the web pages I'm going to create will not be vulnerable to MySQL injections. What's the correct way of doing this:
<?php
$host="localhost";
$username="root";
$password="";
$db_name="testing";
$tbl="hospital";
$connection=mysql_connect($host, $us...
For a church website I'm managing, there is a need to place audio files (sermons) on the website. There will be two categories of audio files; one will be a sample size of the audio file, around 5 minutes in length. The other will be the full-length of the sermon (30-50 +/- minutes).
I have decided the best setup would be to place t...
I want users to be able to select a "remember me" box on my website so they need not log in each time they come. So, I need to store a unique ID in a cookie to identify them. Is it safe to hash their password with SHA-512 and a long salt in PHP and store that value in the cookie?
If the cookie was stolen, would their password be at risk?...
I wish to know the way to add ASP.NET ("Machine_Name"\IIS_IUSRS) to user role in COM+ component programmatically using C#. So whenever my COM+ component is being installed, ASP.NET user is created under Role.
...
I have heard about "principal based security", "role based security", "component centric security", and in .NET, I get to know that the Code Access Security (CAS) is kind of a "origin based security".
So are there any other security models? And what technically do they mean? Could someone give me some explanations, or point me to some re...
Hi,
We have just finished developing a new website for my company using the .NET MVC framework. The SQL Server supporting our application holds some critical data such as the profiles of other web users, and we would like to make sure this data is never leaked due to the reputational risk to the company.
We have a number of ideas on thing...
I have read that 'Normal' ARM instructions are fixed length - 32 bits. And that no ARM instruction can jump into the middle of another instruction - something that is easy to do with x86 instructions.
(For x86, Google's NaCl tries to 'fix' this by aligning instructions on 32 byte boundaries.)
Does this make ARM programs more secure or ...
I am looking to find a way to programmatically (C++) control/secure access to the USB ports on a Windows CE device that will only have a single login, and then be left running a real-time application.
Ideally, being able to have a password entered into the running application, which then opens up/enables USB functionality, would be the e...
Hello,
I need to access the client's principal (username) inside an EJB method. I don't want to add it as a parameter. I tried adding them to the Context object like:
prop.add(Context.SECURITY_AUTHENTICATION,"user")
prop.add(Context.SECURITY_CREDENTIALS,"pass")
but trying to access them inside the method like:
@Resource
private Sess...
We are planning to implement ACL on our Linux platform.
Only one particular group is going to come under ACL.
This group would have at the max 20 users.
All of the restrictions would be at directory level (not at file name level).
Would this show any impact on the server's performance/responsiveness?
...
Is there a quick way to determine if a method call will run under medium trust? In this scenario, I'm specifically wanting to know about trust-level requirements for .NET Framework methods. Thanks!
...
I have a page with a large iframe that contains a majority of the content. The user interacts with the website by clicking around within the iframe. The functionality I'm trying to build is: When a user navigates away from my site, I do them a favor and bust out of the iframe.
The iframe has an onload event which is fired every time a n...