I have a situation where my main SWF file loads many external SWF files. However, those external SWF files are just sitting in the public folder of the web server.
Is it possible to restrict the SWF visibility to only my main SWF file (the one that loads the external SWFs)? In the current state, any user who knows where to look can jus...
I'd like to do OAuth for Twitter from an iPhone app. But doing so implies that I need to have my API secret alongside my API key baked into the application binary. This is obviously undesirable.
Facebook supports the notion of a session proxy to get around the parallel issue with their API.
Can I do something like this for Twitter?
...
I am programming in C++ MFC on Windows.
What is the best practice to get a file attribute (such as read-only) and security attribute (such as read deny, write deny) in Windows XP, Vista, and Win7?
And what is the best practice to modify a file attribute and security attribute?
Many thanks!!!
...
I am using C++ MFC.
How can I get the file security attribute in Windows? Is there any handy API?
Many thanks!
...
Hi all,
I have an implementation of SSL handshake from the client side, by using these functions:
SSL_CTX_load_verify_locations
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_PrivateKey_file
All functions get char* type for the filename parameter.
How can I change it to also support Unicode file locations?
Thanks!
...
I'm wondering how to prevent session fixation attacks in ASP.NET (see http://en.wikipedia.org/wiki/Session_fixation).
My approach to this would normally be to generate and issue a new session id whenever someone logs in. But is this level of control possible in ASP.NET land?
...
I was going through this link to understand CodeAccessSecurity:
http://www.codeproject.com/KB/security/UB_CAS_NET.aspx
It's a great article but it left me with the following questions:
If you can demand and get whatever permissions you want, then any executable can get Full_Trust on machine. If permissions are already there, then why do w...
I am trying to port some code that is based on WSE3.0 to WCF. Basically, the old code has the following configuration:
<microsoft.web.services3>
<diagnostics>
<trace enabled="true" input="InputTrace.webinfo" output="OutputTrace.webinfo" />
</diagnostics>
<tokenIssuer>
<statefulSecurityContextToken enabled="false"...
I have installed SFTP on a Windows server using copSSH, and all is good and it works well.
However, you can go back from the main root.
For example, when I use C:\copSSH\home{username}, as that user I can go back into copSSH and into those directories too.
And I have a user setup to actually be C:\inetpub\wwwroot but that user can go into t...
I'm currently using MongoDB to record application logs, and while I'm quite happy with both the performance and with being able to dump arbitrary structured data into log records, I'm troubled by the mutability of log records once stored.
In a traditional database, I would structure the grants for my log tables such that the application...
I must be missing something very basic. Here is the scenario:
We have an ASP.NET 2.0 WebService (Server 2003) with the following settings:
SSL
Integrated Security
Anon. Access DISABLED
Running under NETWORK SERVICE
Exposed (i.e. can access from public internet)
Service returns data from database using application username/password, does...
I have what seems like a common issue with SaaS applications, but have not seen this question on here anywhere.
I am using ASP.NET MVC with Forms Authentication. I have implemented a custom membership provider to handle logic, but have one issue (perhaps the issue is in my mental picture of the system).
As with many SaaS apps, custo...
I have a Django webapp that has both a front-end, web-accessible component and an API that is accessed by a desktop client. However, now with the new CSRF middleware component, API requests from the desktop client that are POST'ed get a 403.
I understand why this is happening, but what is the proper way to fix this without compromising...
All,
A few of our internal users are editing one of our classic ASP sites (not a SharePoint site) via SharePoint Designer, which I believe uses FrontPage Server Extensions.
I would like to give a particular user author rights to a single folder, i.e., /products and any items and folders it contains. Any suggestions?
...
I read that SHA-1 is being retired from the FIPS 180-2 standard.
Apparently there are weaknesses in SHA-1 that led to this decision. Can anyone elaborate on the basis for that decision? Are there implications for the use of SHA-1 in commercial applications?
My real questions are:
What is the state of SHA-2 support in various cl...
I have to write a program that sniffs network packets (part1 - the simple part),
and I have to update the program (part2) so that it will be able to terminate connections.
The specific requirements are:
construct raw packets by specifying data link layer and network layer information including appropriate source and destination MAC and IP ...
Are there any tools available to encrypt and decrypt ASP.NET Web configuration sections like connection string, etc.?
Can I get any add-on for this? If I use Enterprise Library I can do so, but without that is there any simple utility available?
...
Hi all,
I have a Flash web app which displays user submitted PNG files. Files are uploaded to the server via some API prior to being displayed. I'd like to make sure no "bad" files are served to Flash, where "bad" is entirely unspecific. Is there a way to validate PNG files against the PNG specs (this would catch corrupted files)? Or an...
I don't mind so much about pirating etcetera, but I want to ensure that the backend (Rails based) isn't open to automated services that could DOS it etc. Therefore I'd like to simply ensure that all access to the backend (which will be a few REST queries to GET and PUT data) will be via a valid iPhone application, and not some script run...
I have a scenario where a user will have access to a one-time-url.
When the user clicks on the URL, specific files will be available to that user.
I have many files on the site but would only like certain files to be accessible by that user.
I have thought about generating an authenticated cookie and using forms based auth and applying ...