I am reading the tutorial at
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
It states
Remember - you must never rely on the
sessionID sent to your server in the
cookie header ; look only at the
sessionID that your GWT app sends
explicitly in the payload of messages
to your server.
Is it use...
Hi gang,
We are moving to SSO in our N-tiered SOA applications. If all the services were SOAP, I'd be ok with just the WS-Security, WS-Trust, WS-Federation set of protocols. My problem is that many of the services are RESTful (ironic) and those protocols do not address REST services.
What is your advice for SSO protecting the REST se...
I am going through the OWASP Top 10 list of 2007 and 2010.
I stumbled upon Cross Site Request Forgery (CSRF); this is often called session riding, as you let the user use his session to fulfill your wishes.
Now a solution to this is adding a token to every url and this token is checked for every link.
For example to vote on product x th...
Where can I find a RSA encrypt example that does not use "NoPadding"?
--update
Better: how to make this SSCCE run correctly without throwing the "too much data for RSA block" exception?
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey...
A security review was done against one of our ASP.net applications, and returned in the test results was a SQL Injection Exposure considered to be a high-risk item.
The test that was performed passed a SQL statement as the value of the __EVENTTARGET and the __EVENTARGUMENT. I am wondering since these 2 values are ASP.net auto-generated...
I have a PHP script that checks the HTTP Referer.
if ($_SERVER['HTTP_REFERER'] == 'http://www.example.com/') {...}
However, this seems inherently unsafe ... because what happens if the user goes to 'http://example.com/' or 'http://www.ExaMple.com' (both of which don't match the equality test)?
Question: what's a better equality test ...
I know this might make me seem like an idiot, I've read everything there is to read about CSRF and I still don't understand how using a 'challenge token' would add any sort of prevention. Please help me clarify the basic concept, none of the articles and posts here on SO I read seemed to really explicitly state what value you're comparin...
Hi all,
From a security standpoint, what is the best solution to handle application errors with Websphere?
I've been thinking of creating a class that is called every time an application error is generated, log the error and display a generic error message to the users.
In PHP this can be achieved using the set_exception_handler() fun...
hi guys,
We have a swf file that we want to secure and make available only to authorized users.
I embedded the file in an aspx page and that works fine, since ASP.NET handles the aspx page, I can use ASP.NET authorization features and in the web.config restrict the access to roles="AllowedUsers" for example.
However smart users could ...
I've read through many of the questions on SO about this, but many answers contradict each other or I don't understand.
You should always store a password as a hash, never as plain text.
But should you store the salt (unique for each user) next to the hashed password+salt in the database. This doesn't seem very clever to me as couldn't ...
How can I secure an aspx page that is called by a Flex application of ours? It has to be secured for the whole application, not for particular users.
Is it possible to give credentials with the Flex Call? In Asp.net, only some five aspx pages need to be secured. The amf calls are already secured.
I do not want a popup to be displayed w...
Hi,
I want to implement an SSL client using SSPI.
Where can I find step-by-step guides, code examples, etc.?
Thanks in advance.
...
There is a nice article on denzone about avoiding identity theft. However it was written before Zend_Session_Validator_HttpUserAgent came in.
How do I use Zend_Session_Validator_HttpUserAgent?
Zend_Session::registerValidator(new Zend_Session_Validator_HttpUserAgent());
Zend_Session::rememberMe();
Is that all?
...
How to get back from encoded byte[] to java.security.Key?
import java.security.Key;
import javax.crypto.SecretKey;
import javax.crypto.KeyGenerator;
public class TestRSA {
public static void main(String[] args) throws Exception {
KeyGenerator kgen = KeyGenerator.getInstance("AES");
kgen.init(128);
SecretKey key = kgen...
Hey guys, I currently present my mp3s by referencing their file location into a flash mp3 player for the users. Is it possible for users/bots to go onto your site and somehow execute an mp3 continuously and drain bandwidth? If so, how can you prevent this? (I program in PHP.) Thanks in advance for any advice.
...
I'm trying to configure AspNetMembershipProvider to be used for authenticating in my WCF service that is using basicHttpBinding. I have the following configuration:
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<bindings>
<basicHttpBinding>
<binding name="basicSecureBinding">
<se...
I have googled a bit for how I should handle security in a web service application when the application is basically the data repository for a Silverlight application, but have gotten inconclusive results.
The Silverlight application is not supposed to have its own user authentication, since it will be reachable only through a web appli...
For a login system in php would this be a suitable outline of how it would work:
users types in username and password, clicks login button.
Checks if user exists in database,
if it does, then retrieve the salt
for that user
hash the password and
salt (would this be done on the
client or server side? I think
client side would be better...
Actually I have a file. I am working in a Linux environment.
I need to encrypt that file for security purposes by giving it a password.
The operation could be like zip, tar or any compression. When I extract the file it should ask
me for the password, and only then should it get extracted.
Thanks in Advance
...
How do I prevent SQL injection when it comes to ColdFusion? I'm quite new to the language/framework.
Here is my example query.
<cfquery name="rsRecord" datasource="DataSource">
SELECT * FROM Table
WHERE id = #url.id#
</cfquery>
I see passing in url.id as a risk.
...