security

URL Based Authentication Link

What are some good suggestions or resources to look at to help me secure a single click URL based authentication? Essentially, the situation is a third party system which accepts an HTTPS request, through the browser, where you supply authentication information (un, pw, authkey, etc...). The service then, upon authenticating the prov...

Edit in Place Update Script Security

I'm using an Edit in Place jQuery plugin which needs to post the data to a script that will do the actual database update. The URL to this update script is easily viewable in the HTML source as well as with Firebug, so I need to add some sort of authentication check before the update is processed. This is of course so the user can't jus...

Is it safe to read regular expressions from a file?

Assuming a Perl script that allows users to specify several text filter expressions in a config file, is there a safe way to let them enter regular expressions as well, without the possibility of unintended side effects or code execution? Without actually parsing the regexes and checking them for problematic constructs, that is. There wo...

What is the most secure hashing algorithm in the .NET framework?

The size of the generated hash and the speed of the algorithm are not important. I'm really only interested in it being the most secure option. I don't want to use any third party libraries either. The version of the .NET framework I'm using is 3.5 if that makes any difference. ...
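An added example, not code from the question or any answer to it, showing the two primitives that are available in .NET 3.5 without third-party libraries and why the choice depends on the job: SHA512Managed is the largest general-purpose digest shipped in the framework, while for storing passwords a bare digest is the wrong tool and Rfc2898DeriveBytes (PBKDF2 with HMAC-SHA1) with a per-user random salt and a high iteration count should be used. The iteration count, salt and key sizes and the `$`-separated record format are illustrative choices made here, not anything the page prescribes. `using` is deliberately not applied to Rfc2898DeriveBytes or RNGCryptoServiceProvider because those types do not implement IDisposable until .NET 4.0.

```csharp
// Added example (not from the original question or its answers).
// Targets .NET 3.5: no third-party code, no APIs introduced in 4.0.
using System;
using System.Security.Cryptography;
using System.Text;

public static class Hashing
{
    // Integrity check / fingerprint of arbitrary data: one-shot SHA-512.
    public static string Sha512Hex(byte[] data)
    {
        using (var sha = new SHA512Managed())
        {
            byte[] digest = sha.ComputeHash(data);
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("x2"));
            return sb.ToString();
        }
    }

    // Password storage: PBKDF2 with a random 16-byte salt. The stored record keeps
    // the iteration count, salt and derived key so the cost can be raised later
    // without breaking existing records. 20000 is an illustrative count.
    public const int Iterations = 20000;

    public static string HashPassword(string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        var kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        byte[] key = kdf.GetBytes(32);
        return Iterations + "$" + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(key);
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 3) return false;
        int iterations;
        if (!int.TryParse(parts[0], out iterations) || iterations < 1) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        var kdf = new Rfc2898DeriveBytes(password, salt, iterations);
        byte[] actual = kdf.GetBytes(expected.Length);

        // Constant-time comparison: do not leak the position of the first mismatch.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < actual.Length && i < expected.Length; i++)
            diff |= actual[i] ^ expected[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed inputs for a stand-alone run.
        Console.WriteLine(Sha512Hex(Encoding.UTF8.GetBytes("abc")));
        string record = HashPassword("correct horse");
        Console.WriteLine(VerifyPassword("correct horse", record)); // correct password
        Console.WriteLine(VerifyPassword("wrong", record));         // wrong password
    }
}
```

The practical distinction the question's wording hides: "most secure hash" for file integrity or signatures means the digest with the widest security margin (SHA-512 here), whereas for passwords the adversary runs the algorithm offline billions of times, so the iteration count and salt matter more than which digest is underneath.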

What SQL command grants a securityadmin access to a database?

My account is in the securityadmin role and I cannot grant myself sysadmin permission. I wish to gain access to a database so I can add my account to a particular role within it. As I don't yet have access to the database I can't use the UI. Does anyone know if this is possible and what SQL commands will achieve this in SQL Server 2005?...

Best Way to handle/consolidate multiple Logins?

This is the scenario: multiple web systems (mostly lampp/wampp) exist, most of them with separate login information, (some share it). We're considering the benefits/disadvantages of unifying them somehow, or at least making handling the user administration parts easier. Due to the nature of some systems (it's a mixed bag of custom OSS s...

Prevent site deletion

In our SharePoint implementation users have been granted site collection admin rights. On a few occasions they've managed to delete a subsite or even the entire site collection. I'd like to be able to block this but not being a developer I'm finding it pretty tricky. I've had a look at the MSIT site delete capture tool to try to underst...

Best practices for login pages?

I am working on a single sign-on login page using Shibboleth that will be used for a variety of web applications. Obviously we would like to make this page as secure and usable as possible while limiting the effects of phishing scams. What are the best practices to keep in mind when designing a login page? Some questions that have come...

Setting Folder permissions on Vista.

I am trying to set the permissions of a folder and all of its children on a Vista computer. The code I have so far is this. public static void SetPermissions(string dir) { DirectoryInfo info = new DirectoryInfo(dir); DirectorySecurity ds = info.GetAccessControl(); ds.AddAccessRul...

How to change HttpApplication.User.Identity.Name on a local environment?

I have a site that requires Windows Authentication. The application obtains the credential from Security.Principal once the user is authenticated. The problem is that my credentials on my local environment are different from the ones stored in the DB and the user preferences cannot be obtained. I am doing the following workaround in orde...

Jar security

I have a standalone Java app that has some licensing code that I want to secure, i.e., prevent users from changing my software to circumvent the licensing. What is the best way to do this? I've looked at obfuscation, but that entails all sorts of problems: reflection, serialization, messed-up stack traces, etc. Perhaps jar signing c...

What is the best way to implement "remember me" for a website?

I want my website to have a checkbox that users can click so that they will not have to log in each time they visit my website. What is the best way to implement this? I know I will need to store a cookie on their computer, but what should be in it? Is there anything I need to watch out for to keep this cookie from presenting a securi...
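An added example, not code from the question or any answer to it, of what a "remember me" cookie should contain: nothing but a random token. The cookie value is a lookup selector plus a secret validator; the server stores only a SHA-256 hash of the validator against the user id and an expiry, so a copied database does not yield working cookies, the cookie never carries the username or password, and each successful use rotates the token so a stolen copy stops working once the real browser comes back. The in-memory dictionary stands in for a database table, and the class, method names and 30-day lifetime are assumptions made here.

```csharp
// Added example (not from the original question or its answers).
// The dictionary is a stand-in for a database table of issued tokens.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class RememberMeService
{
    private sealed class Record
    {
        public byte[] ValidatorHash; // SHA-256 of the secret half of the cookie
        public string UserId;
        public DateTime ExpiresUtc;
    }

    // selector -> record. Constructed in-memory store.
    private readonly Dictionary<string, Record> _store = new Dictionary<string, Record>();
    private readonly TimeSpan _lifetime = TimeSpan.FromDays(30); // illustrative lifetime

    // Called after a normal password login when the box is ticked.
    // Returns the cookie value "selector:validator"; set it with HttpOnly and Secure.
    public string Issue(string userId)
    {
        byte[] selectorBytes = RandomBytes(12);
        byte[] validatorBytes = RandomBytes(32);
        string selector = Convert.ToBase64String(selectorBytes);
        _store[selector] = new Record
        {
            ValidatorHash = Sha256(validatorBytes),  // only the hash is persisted
            UserId = userId,
            ExpiresUtc = DateTime.UtcNow + _lifetime
        };
        return selector + ":" + Convert.ToBase64String(validatorBytes);
    }

    // Returns the user id for a valid cookie, otherwise null. On success the token
    // is consumed and a replacement cookie value is handed back for re-setting.
    public string Validate(string cookieValue, out string rotatedCookie)
    {
        rotatedCookie = null;
        if (string.IsNullOrEmpty(cookieValue)) return null;
        int sep = cookieValue.IndexOf(':');
        if (sep <= 0 || sep == cookieValue.Length - 1) return null;

        Record rec;
        if (!_store.TryGetValue(cookieValue.Substring(0, sep), out rec)) return null;
        if (rec.ExpiresUtc < DateTime.UtcNow)
        {
            _store.Remove(cookieValue.Substring(0, sep));
            return null;
        }

        byte[] presented;
        try { presented = Convert.FromBase64String(cookieValue.Substring(sep + 1)); }
        catch (FormatException) { return null; }

        // Compare hashes in constant time so the validator cannot be guessed byte by byte.
        if (!FixedTimeEquals(Sha256(presented), rec.ValidatorHash)) return null;

        _store.Remove(cookieValue.Substring(0, sep));
        rotatedCookie = Issue(rec.UserId);
        return rec.UserId;
    }

    private static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        new RNGCryptoServiceProvider().GetBytes(b); // CSPRNG, never System.Random
        return b;
    }

    private static byte[] Sha256(byte[] data)
    {
        using (var h = SHA256.Create()) return h.ComputeHash(data);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var svc = new RememberMeService();
        string cookie = svc.Issue("alice");
        string rotated, unused;
        Console.WriteLine(svc.Validate(cookie, out rotated));          // first use: accepted, rotated
        Console.WriteLine(svc.Validate(cookie, out unused) == null);   // replayed old value: rejected
        Console.WriteLine(svc.Validate("not-a-cookie", out unused) == null); // malformed: rejected
    }
}
```

Things this design leaves to the caller: set the cookie with HttpOnly and Secure, tie the remembered login to a reduced-privilege session so password changes or payments still require a fresh password, and delete a user's records when they change their password or click "log out everywhere".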

Restricting IFRAME access in PHP

I am creating a small web page using PHP that will be accessed as an IFRAME from a couple of sites. I'm wanting to restrict access to this site to work ONLY within the "approved" sites, and not other sites or accessed directly. Does anyone have any suggestions? Is this even possible? The PHP site will be Apache, and the sites iframin...

Security with QueryString values in Asp.net MVC

How do you properly ensure that a user isn't tampering with querystring values or action url values? For example, you might have a Delete Comment action on your CommentController which takes a CommentID. The action url might look like /Comments/Delete/3 to delete the comment with the id 3. Now obviously you don't want anyone to be able to...

ProtectedData.Protect intermittent failure

I'm writing a password encryption routine. I've written the below app to illustrate my problem. About 20% of the time, this code works as expected. The rest of the time, the decryption throws a cryptographic exception - "The data is invalid". I believe the problem is in the encryption portion, because the decryption portion works the...

Looking for suggestions for building a secure REST API within Ruby on Rails

I'm getting started on building a REST API for a project I'm working on, and it led me to do a little research as to the best way to build an API using RoR. I find out pretty quickly that by default, models are open to the world and can be called via URL by simply putting a ".xml" at the end of the URL and passing appropriate parameters....

JSONP and Cross-Domain queries - How to Update/Manipulate instead of just read

So I'm reading The Art & Science of JavaScript, which is a good book, and it has a good section on JSONP. I've been reading all I can about it today, and even looking through every question here on StackOverflow. JSONP is a great idea, but it only seems to resolve the "Same Origin Problem" for getting data, but doesn't address it for chan...

Is it relatively easy to hack Network Time Protocol (NTP)?

I read somewhere that NTP is based on UDP and there's no security built with NTP communication so it is easy to spoof NTP responses. Is it true? Wouldn't that be a major security issue since most of the servers out there depend on NTP to sync their clock? ...

How to present credentials in order to open file?

How do I specify the username and password in order for my program to open a file for reading? The program that needs to access the file is running from an account that does not have read access to the folder the file is in. Program is written in C# and .NET 2, running under XP and file is on a Windows Server 2003 machine. ...

Algorithm to avoid SQL injection on MSSQL Server from C# code?

What would be the best way to avoid SQL injection on the C#.net platform. Please post a C# implementation if you have any. ...
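An added example, not code from either question or any answer to them, that serves both the SQL injection question above and the earlier "Security with QueryString values in Asp.net MVC" question, because the same two rules answer both: never splice request data into SQL text (bind it as a typed parameter), and never let the URL decide whose data is touched (take the owner from the server-side authenticated principal and enforce ownership in the WHERE clause). The connection string, table and column names, and the status-code return convention are assumptions made here; `HandleDelete` is the body an MVC controller action would have, written as a plain method so it compiles without System.Web.Mvc.

```csharp
// Added example (not from the original questions or their answers).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;

public static class CommentDeletion
{
    // Placeholder connection string; assumed for illustration.
    public const string ConnectionString = "Server=.;Database=Blog;Integrated Security=true";

    // Vulnerable: the route value is concatenated into the statement. An id of
    // "3 OR 1=1" deletes every row, and even an honest "3" deletes a comment the
    // caller may not own because nothing ties the row to the user.
    public static string BuildVulnerableSql(string idFromUrl)
    {
        return "DELETE FROM Comments WHERE CommentId = " + idFromUrl;
    }

    // Hardened: constant SQL text, typed parameters, and the ownership condition
    // inside the same statement so a check-then-delete cannot race or be skipped.
    public static int DeleteOwnedComment(int commentId, string ownerLogin)
    {
        const string sql =
            "DELETE FROM Comments WHERE CommentId = @CommentId AND OwnerLogin = @OwnerLogin";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit SqlDbType avoids implicit conversions and keeps the plan cache stable.
            cmd.Parameters.Add("@CommentId", SqlDbType.Int).Value = commentId;
            cmd.Parameters.Add("@OwnerLogin", SqlDbType.NVarChar, 256).Value = ownerLogin;
            conn.Open();
            return cmd.ExecuteNonQuery(); // 0 rows: not found, or not owned by this caller
        }
    }

    // The action body: the id arrives from the URL as untrusted text, the caller's
    // identity comes from the authenticated principal and never from the request.
    // Returns an HTTP status code to make each outcome explicit.
    public static int HandleDelete(string idFromUrl, IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated) return 401;

        int commentId;
        if (!int.TryParse(idFromUrl, out commentId) || commentId <= 0) return 400;

        // Only the owner's row can match; other users' comments look like "not found".
        int affected = DeleteOwnedComment(commentId, user.Identity.Name);
        return affected == 1 ? 200 : 404;
    }

    public static void Main()
    {
        // Constructed hostile id showing what concatenation produces.
        Console.WriteLine(BuildVulnerableSql("3 OR 1=1"));

        // Constructed principals. GenericIdentity("") reports IsAuthenticated == false.
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"), new string[0]);
        IPrincipal anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        // Both calls are rejected before any SQL runs, so no database is needed here.
        Console.WriteLine(HandleDelete("3 OR 1=1", alice)); // not an integer
        Console.WriteLine(HandleDelete("3", anon));         // not authenticated
    }
}
```

In a real controller the 401 branch is normally handled by [Authorize] before the action runs, and an ORM or stored procedure gives the same protection as SqlParameter as long as the id and owner are still bound as values rather than formatted into the query text.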