How to check site security on ASP.NET 4 MVC 2?
I'm only 19 years old and I am very worried that I do not know what a vulnerability is. I use LINQ, and that means it is protected against SQL injection. XSS - I tried to use a special library, AntiXSS (how do I check that everything on the site uses it...?).
And of course all that I do not know.. Authorization (cookies, inte...
I'm working on a Flex implementation (currently using SDK 3.5) on WebLogic 10.3 (11G.) We originally used Glassfish v2.1.1 with zero issues (there was an active directory group lookup bug but it did not hinder our progress.) Since transitioning to WebLogic we have an issue where the flexsession is invalidated after logging in using j_s...
Suppose that I take a user-supplied string, userstring, and call (keyword userstring) on it.
Are there any security concerns about doing this? And if so, what would be the best way to mitigate them?
...
Hi Everyone,
This may seem like a very broad question, but any help is appreciated.
I have a client/server solution written in Java which uses the Cajo project (which uses RMI). I just want to try and make my solution as secure as possible, given the sensitive data that will be transferred between server and client.
So far, my ideas a...
Let me preface this by saying I know nothing about encryption. I understand the basic concept of public key / private key encryption but I don't know how easily it can be broken, if at all. If one were to believe the movies, encrypted data can be broken by a teenager with a decent computer in a few hours.
I have a client who wants credit car...
What would happen if someone writes System.exit() in a servlet? Would the server or the application crash?
...
Is there a site, or is there a simple way of setting up one, which demonstrates what can happen with a buffer overrun? This is in the context of a web app.
...
I have written a custom protected configuration provider for my web.config.
When I try to encrypt my web.config with it I get the following error from aspnet_regiis
aspnet_regiis.exe -pef appSettings . -prov CustomProvider (This is running in my MSBuild)
Could not load file or assembly 'MyCustomProviderNamespace' or one of its ...
I have an application where I want to connect to a server using WCF DS with username/password. In addition I want each client to also have a certificate (different for each client). How can I solve this in the most simple way? It must be simple to deploy new certificates to the client.
...
As I see, TDE and EKM mechanisms are available only in Enterprise edition. How can I encrypt data in tables in Standard edition of SQL Server 2008?
...
I'm maintaining this Swing app that has a "print" option. Users need to be kept from interacting in any way with the underlying file system, but the print dialog offers "print to file" as one printer, and that of course allows selecting a directory and file from the file system.
Is there a painless way to override/modify the print dialo...
Hi there.
I'm searching for the most secure (but yet doable) way of password management in a web app.
Right now, I save the password as hash. The DB account of the app is restricted to execution of stored procedures and I authenticate users by giving the username and the hashed password to a stored procedure that returns 1(true) or 0(...
I am using Apache to authenticate users for Django, but I would like to do so without the popup form that Apache uses in its basic configuration.
How do I embed the login form within a page while still using Apache for authentication?
That is, I'd like a page that says "Please login" and provides a form asking for username and passwo...
Hey. I need to prevent direct access to http://www.site.com/wp-content/uploads/folder/something.pdf through the browser.
However the Download Monitor plugin I am using, which allows logged in users to download the file, needs to be able to work.
Trying
Order Allow,Deny
Deny from all
Allow from all
but the download links do not no...
I am securing a .net web service (framework 2.0) with WSE3 mutualCertificate10Security Assertion.
When requests are valid all is fine and the response is well-formed, but when the request is invalid (because of an invalid signature, failed check, or soapexception thrown), the web server isn't able to process the response to send to the client....
I am currently working on an ASP.NET 3.5 and C# web application which deals with users' secure information like credit card numbers. What are some of the security measures which I need to take from an application development standpoint so that I can sleep peacefully at night :)
...
I am currently working on an ASP.NET 3.5 and C# web application which deals with users' private information like SSN numbers. What are some of the security measures which I need to take from an application development standpoint to feel safe?
...
Trying to figure out how to test the security of a WebService.
Is there some way to search a site for webservices?
I have 2 applications: one has a webservice and the other a reference to that service. I let Visual Studio build the reference in the App_WebReferences folder.
The webservice works, but I started wondering, can anyone ac...
Is there any way to remove the "Received:" header in qmail?
I do not want my recipient to know where I sent my message from.
...
I've noticed that on some sites, when you request a password reminder or sign in, they'll tell you if the user doesn't exist (I think Meetup does this). Other sites will simply say "the user/password combination is invalid" (Google, I believe, does this).
Is there a security reason for not revealing the existence of a user id?
...