security

Are querystring parameters secure in HTTPS (HTTP + SSL)?

Do querystring parameters get encrypted in HTTPS while sent over the link? ...

How do I manage access in Windows Identity Foundation without raising exceptions?

In the Windows Identity Foundation (WIF), there is a class called ClaimsPrincipalPermission. The documentation on MSDN is very sparse. It states: ClaimsPrincipalPermission represents the permission required to access a resource. ClaimsPrincipalPermission takes in a string that represents the resource to be accessed, and a string t...

How to secure phpMyAdmin

Hi, I have noticed that there are strange requests to my website trying to find phpMyAdmin, like /phpmyadmin/, /pma/, etc. Now I have installed PMA on Ubuntu via apt and would like to access it via a web address different from /phpmyadmin/. What can I do to change it? Thanks. Update: For Ubuntu 9.10 and Apache2, the corresponding sett...

How do I deny access to a specific URL in my rails app?

I have a rails app that has a private component and a public component. www.hostname.com/ is private and should only be accessed from inside our firewall, but I want to allow access to www.hostname.com/public to internet users. I played around with the apache vhost config but it seems when I allow access to www.hostname.com it allows ...

How to detect hidden field tampering?

On a form of my web app, I've got a hidden field that I need to protect from tampering for security reasons. I'm trying to come up with a solution whereby I can detect if the value of the hidden field has been changed, and react appropriately (i.e. with a generic "Something went wrong, please try again" error message). The solution sho...

JavaScript in the address bar. Is this malicious?

I got a message on Facebook telling me to copy and paste this into my address bar. I thought I'd post it here and see what everyone thinks about it. What does it do? How does it work? Here's the source code: // (DO NOT DO THIS!) Javascript:var a=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x61\x70\x70\x34\x39\x34\x39\x37\x35\x32\x38\x37\...

What do you do with a software engineer that writes very insecure code?

I am the manager of a small team of software engineers. One member of this team writes very insecure code. I have tried showing him documentation like the OWASP Top 10, but he just doesn't get it. I can't knowingly put vulnerable code into production. So what do I do with this programmer? ...

Hosting SQL at remote location?

Hey guys, my OSCommerce site includes a separately programmed feature for which I use SQL tables. I've decided to host its tables on a remote site offering free SQL accounts. I'd like to know if there could be any disadvantages to this approach. Thanks, Syd ...

Error: java.security.AccessControlException: Access denied

I have to connect to a https URL with username and password to read a file. I am not able to connect to the server (see the error log below). I do not have much Java experience, so I need help with this code. import lotus.domino.*; import java.net.*; import java.io.*; import javax.net.ssl.HttpsURLConnection; public class JavaAgent exte...

Avoid Guests accessing files without .htaccess.

We have some applications up and running. We have implemented an Access Control List (ACL) in order to control which users can do what (guests included). And here is the trouble: whenever we disallow a guest to see something, the usual procedure for our software is to set a .htaccess and copy users/passwords from the ACL to the .htacce...

How can I debug this Internet Explorer issue?

I have a Web Application (ASP.NET C# for .NET 3.5) that uses the Session object to store, among other little things, the debug information, so when things go wrong, this is the first place to go. The process is simple actually: no matter what browser (except IE), when I navigate to a page, in the Debug Log I have data, just like the one show ...

Writable folder by all users on the same pc

I have a desktop .NET WPF application which uses an embedded database (SQLite). Where to put the database file? It's the same database for all users. I tried to use CommonAppData but it's not writable by non-admin users. So I tried to use a custom installer action to give write rights to all users to this folder but it fails on domain ...

Facebook JavaScript in address bar, possible to replicate?

This is my first experience with stackoverflow and I'm afraid my question asks a lot for a first. I was looking at this thread: http://stackoverflow.com/questions/2634159/javascrypt-in-the-adress-bar-is-this-malicious and as you will see SLaks has very kindly deobfuscated the JavaScript and left us with what appears as the JavaScript ...

Is it possible to decrypt and view ViewState values?

I know there are tools out there that will let you see the content of asp.net viewstate. Is it possible to see and modify the content of viewState if it has been encrypted by adding the <machineKey ... /> node to the web.config? ...

Security warning when opening file from network share

I've created a setup executable which I have signed. It's located on a network share (which I access using UNC - \server\share\setup.exe). When I double-click the executable file, I get a Windows warning saying: Title: Open File -> Security Warning. Do you want to run this file? Name: setup.exe Publisher: My Company Type: Application Fr...

MySQL - connection and security

Hi, I was wondering if someone could tell me if there are any potential security breaches that could occur by connecting to a SQL database that does not reside at 'localhost', i.e. via IP address? Regards, Phil ...

What is the best practice for secure connection to SQL Server 2008 from .net 4.0?

What is the best practice and most secure solution when connecting from a .NET 4.0 application to SQL Server in 2008? And how is this done in C# / VB? I thought of connecting from the application to the SQL Server's database over an encrypted connection and then by using something called Application Roles. Would this be a good approa...

Does using ReadDirectoryChangesW require administrator rights?

The MSDN says that using ReadDirectoryChangesW implies the calling process having the Backup and Restore privileges. Does this mean that only a process launched under an administrator account will work correctly? I've tried the following code; it fails to enable the required privileges when running as a restricted user. void enablePrivilege...

Limiting what a .net plugin can access

I have a web application that can load plugins through reflection. It currently uses Assembly.LoadFrom() and Activator.CreateInstance() to get this done. Right now plugins are loaded into the same AppDomain and have access to anything in my app and anything my app could access. What I'm looking for is a way to limit what classes and m...

SSL multi-domain website

We need to secure a multilingual web application with SSL (registration, login, ...). However, this application is accessed by different domain names, exactly one domain name for each language (domainName.co.uk, domainName.fr, domainName.it and so on). We're looking for the simplest and cheapest solution. We don't want to purchase a certifi...