Hi,
I would like to hear some opinions about using the isolated storage in Silverlight for storing sensitive data. For example, is it OK to store an authentication token (some GUID that identifies a server-side session) in this storage, or is it better to use cookies?
The isolated storage gives an advantage over cookies in that it is s...
I'm thinking about learning CAS, but I need to quickly grasp basic architecture, performance implications and if it at all suits my needs. What should I read?
...
When designing a user table, what would be the must-have fields from the security/user authentication point of view for a Web based Application (.NET and SqlServer 2005)?
I came up with the following fields:
userID
username -- preferably email
passwordHash
onceUsePassword -- to indicate that the password should be changed after login
al...
I have been asked to provide information on available techniques for assessing our current, and any future, websites for security problems. The request is in the form of
Do you know of any good free one that examines for security holes?
I think our data security is probably worth a small amount of upfront spend so any non-free metho...
What is the slowest (therefore best) hash algorithm for passwords in ASP Classic?
EDIT: For those unaware, when hashing passwords, slower hashes are preferred to faster to help slow rainbow table style attacks.
EDIT2: And yes, of course speed isn't the only valid concern for hash selection. My question assumes that All other things be...
I'm having a friendly debate with a developer about a situation where users are logging in and accessing documents in a web application. When we load the document for the user to view, we have the userID in session and the documentID that may be passed via QueryString.
To prevent the user from modifying the documentID on the QueryString...
My company is looking at using VeraCode for some independent static analysis of our binaries. Anyone out there using them?
I would also be interested to hear from anyone using their dynamic analysis services as well.
...
As a follow-up to this question I am hoping someone can help with the CredEnumerate API.
As I understand from the documentation the PCREDENTIALS out parameter is a "pointer to an array of pointers to credentials". I am able to successfully call the CredEnumerate API using C# but I am not sure of how to convert the PCREDENTIALS into so...
The company I work for has recently been hit with many header injection and file upload exploits on the sites we host and while we have fixed the problem with respect to header injection attacks, we have yet to get the upload exploits under control.
I'm trying to set up a plug-and-play-type series of upload scripts to use in-house that ...
Does anyone have a recommendation about web service security architecture in Java (preferably under JBoss)? Any recommended reading?
I want to expose a fairly rich web service to the world but the data are sensitive and it requires authentication from the current client (Flex), accessed via RPC. I definitely do not want any server-sid...
I've come across a couple of popular PHP-related answers recently that suggested using the superglobal $_REQUEST, which I think of as code smell, because it reminds me of register_globals.
Can you provide a good explanation/evidence of why $_REQUEST is bad practice? I'll throw out a couple of examples I've dug up, and would love more in...
Not sure if anyone listened to Hanselminutes episodes 134 and 135, but at the end of show 135 Scott Hanselman had a lot of great advice on how to set up a baseline secure environment for a web application. As a developer, most of my time is focused on developing the application, not on the network facet of the project, however as a start...
Hi
Thanks for going to answer my question. I have the following pages.
login.aspx
default.aspx
xxx.aspx
After logging into the application, default.aspx will be displayed. Now if the user is trying to open http://server/xxx.aspx?Id=1234 by specifying its URL directly in a browser, the login screen is displayed and after successful login,...
In case one wants to protect VBA applications to make trial (demo) versions and not expose the scripts, how secure is the built-in password protection? Are there any alternatives?
Edit: I'm asking about Excel VBA here.
...
This question is related to my previous one.
Can you explain or give a link to an explanation of how Excel VBA code password protection actually works in versions prior to 2007, and what is the difference in 2007?
Does it actually encrypt the code, and how does Excel execute the code if it is encrypted?
How password removal software for exce...
We've got a Windows 2000 server with WebDAV enabled and are told it's insecure so we should remove it. However, we've got several developers using Interdev and Interdev-enabled sites, so we're concerned they won't be able to work anymore.
Are there alternatives that will allow them to use Interdev securely, or must we disable WebDav and ...
Hi
I've written a little web site in my effort to learn vb.net and asp.net, fairly happy with it so rented some space and uploaded it, it was written using asp.net express edition 2008 and sql server express .... I've uploaded it and I've found that it was written in .NET 3.5 and my host only deals with 2.01 ... I've sorted most of tha...
This may be a doozy, but does anyone have an idea how to:
Pass the user's Windows token (authenticated from the domain) to the WCF service that is called - the service would then perform an action based on the Windows credentials of the user that made the call.
i.e.: Client -> WCF -> SOME 3rd PARTY REPOSITORY THAT INTEGRATES WITH ACTIVE DIRECTORY.
...
I know SQL Injection is one... what are the others...
...
Can someone recommend a secure FTP implementation that works well on Windows Server 2000? I'm uploading files into virtual directories and web applications under IIS and the existing provider, obviously, isn't secure or encrypted.
...