security

Can HTTPS connections be hijacked with a man-in-the-middle attack?

I'm using gmail from work, but I need to enter a password for a proxy when accessing the first web page. The password is asked from inside the browser. I receive a certificate from the proxy which I must accept in order to make the Internet connection work. Can my HTTPS connection, between gmail and browser, be tracked in this situatio...

Secure ajax form POST

I was wondering how to develop a secure form post through AJAX. For example, I have: My HTML form. My JavaScript handling the submit. The submit url is "post_data.php" The posted data is: id=8&name=Denis The PHP verifies if variables id and name are POSTED and their data type. If this is ok it proceeds to do some stuff on a databas...

When is it safe to use a broken hash function?

It is trivial to use a secure hash function like SHA256 and continuing to use md5 for security is reckless behavior. However, there are some complexities to hash function vulnerabilities that I would like to better understand. Collisions have been generated for md4 and md5. According to NIST md5() is not a secure hash function. It ...

What are best practices storing confidential data encrypted in 3-rd-party-hosted MySQL servers?

I am developing (as a PHP 5.2 + MySQL application) a personal information manager web application for my own use which is meant to be hosted on a shared hosting (like bluehost or dreamhost) and to store lots of very confidential personal data including those like passwords, personal private keys, financial details, contacts, etc. How do I be...

Basic principles of computer encryption?

I can see how a paper-based cipher can be developed using substitutions and keys, and how those two things can become more and more complex through use of machines, thus offering some protection from decryption through brute-force approaches. But specifically I'm wondering: what other major concepts beyond substitution and key are invo...

Are there any security issues to avoid when providing an either-email-or-username-can-act-as-username login system?

I am in the process of moving from a "username/password" system to one that uses email for login. I don't think that there's any horrible problem with allowing either email or username for login, and I remember seeing sites that I consider somewhat respectable doing it as well, but I'd like to be aware of any major security flaws that I...

Best approach (security) to do some admin work through a web page in Linux?

Hello, I want to build a web-based admin tool that allows the system admin to run pre-configured commands and scripts through a web page (simple and limited webmin), what is the best approach? I already started with Ubuntu installing LAMP and gave the user www-data root's privileges!!! as I learned (please check the link) this is a re...

Javascript file for single domain

How can I make a JavaScript file only work on a single domain? I'll compress this file and when somebody tries to use it by copying my web site or just the JavaScript file, it won't work and will give an alert. Here is an example. I downloaded all files but when I try to view it, it gives an alert that says I need to buy it (what exactly I'm going t...

Servlet 3.0 logout doesn't work

I've got a problem with the authentication features of Servlet 3.0: With this code in a Servlet v3: log.info(""+request.getUserPrincipal()); log.info(""+request.getAuthType()); log.info("===^==="); request.logout(); log.info(""+request.getUserPrincipal()); log.info(""+request.getAuthType()); request.authenticate(response); log.in...

Framework for adding users/groups/permissions functionality to an application (possibly integrating with AD)?

I am looking to see if there is a good library or framework that I can use to simplify adding user/group/permission management to a .Net application (4.0 VS2010). If the framework can work on its own or integrate with Active Directory that would be a huge bonus. So far I have found Visual Guard, if you have any experience using Visual...

Web framework recommendation for python (webservices, auth, cache, ...)

Hi all, I have been googling for the past week, but cannot finally decide which python web framework would be right for me. The web app I'm about to develop would be almost completely "pure" html with js (jQuery). Server side would have to do the following: authentication, session management, caching, web services (almost all the on page data would ...

Quick MySQLi security question

Possible Duplicate: Do I have to use mysql_real_escape_string if I bind parameters? I have a quick MySQLi security related question... For example, take a look at this code (gets input from the user, checks it against the database to see if the username/password combination exist): $input['user'] = htmlentities($_POST['usern...
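The question's own code (truncated above) runs user input through htmlentities() before querying. As an added example, not from the question or any answer to it, the following Python uses the standard sqlite3 module in place of MySQLi to show the two points a practitioner cares about here: binding parameters keeps the data out of the SQL text entirely, so no escaping for SQL is needed on top of it, and HTML-encoding is an output-encoding step for HTML, not a defence for SQL. The users table, the plaintext password column (which mirrors the question's check; a real application would store and compare a password hash) and the `admin' --` payload are constructed for the demo.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the question's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Plaintext password only because the question compares username/password in SQL;
    # a real application stores a password hash and verifies it in application code.
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable: HTML-encode, then splice the strings into the SQL text.

    html.escape(quote=False) touches only & < >, like the question's htmlentities()
    call it stands in for; either way the encoding is aimed at an HTML page, so the
    single quote that terminates the SQL string literal passes through untouched.
    """
    user_html = html.escape(username, quote=False)
    pw_html = html.escape(password, quote=False)
    sql = (
        "SELECT id FROM users WHERE username = '" + user_html
        + "' AND password = '" + pw_html + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_bound(conn, username, password):
    """Safe: the SQL text is fixed and the values travel as bound parameters.

    The driver never interpolates the values into the statement, so quotes and
    comment markers in the input are just characters to compare against.
    """
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed payload: closes the username literal and comments out the password check,
# so the concatenated query becomes  ... WHERE username = 'admin' --' AND password = '...'
PAYLOAD_USER = "admin' --"


if __name__ == "__main__":
    db = make_db()
    print("concatenated + HTML-escaped:", login_concat(db, PAYLOAD_USER, "anything"))
    print("bound parameters:           ", login_bound(db, PAYLOAD_USER, "anything"))
    print("bound, real credentials:    ", login_bound(db, "admin", "correct horse battery staple"))
```

With the payload, login_concat returns the admin row (id 1) without knowing the password, while login_bound returns None for the same input and still authenticates the genuine credentials. The MySQLi equivalent of login_bound is prepare() plus bind_param(); mysql_real_escape_string() is the legacy way to make login_concat safe and is redundant once parameters are bound.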

Who does actually use XACML?

Who knows of actively developed XACML implementations other than the Sun XACML Implementation and XEngine? Who uses them in their products? Which vendors provide a PDP? I read something about a WebLogic XACML Provider. What other products support XACML? ...

Monitor Yahoo! Instant Messages in Python?

I am trying to add some security to my computer at home and would like to have a copy of all Yahoo! IMs sent to me. I am using Python 2.6 on Windows. I would also like to have every URL in Internet Explorer sent to me. ...

Is DB logging more secure than file logging for my PHP web app?

I would like to log errors/informational and warning messages from within my web application to a log. I was initially thinking of logging all of these onto a text file. However, my PHP web app will need write access to the log files and the folder housing this log file may also need write access if log file rotation is desired which m...

Problem making local copy of a webpage

I want to run this chrome experiment locally. I copied the .html and .js files, along with the two .jpgs that the demo uses. However, when I run it off my local drive, Chrome gives this error: light.js:89 - Uncaught Error: SECURITY_ERR: DOM Exception 18 Line 89 returns the image data from the canvas after drawing the image to it. What...

What kind of security issues will I have if I provide my web app write access?

I would like to give my web application write access to a particular folder on my web server. My web app can create files on this folder and can write data to those files. However, the web app does not provide any interface to the users nor does it publicize the fact that it can create files or write to files. Am I susceptible to any sec...

How can I securely bookmark user logins in a desktop app?

I'm currently writing a simple FTP client (using C# and .NET). It's important that users be able to "bookmark" their previous FTP connections--including authorization information, so they don't have to type the password again every time. Is there any way I can do this securely? How do other programs, like Filezilla and Firefox, manage ...

XSS attack to bypass htmlspecialchars() function in value attribute

Let's say we have this form, and the possible part for a user to inject malicious code is this below ... <input type=text name=username value= <?php echo htmlspecialchars($_POST['username']); ?>> ... We can't simply put a tag, or a javascript:alert(); call, because value will be interpreted as a string, and htmlspecialchars fi...
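The attribute in the question's form is not quoted, and htmlspecialchars() does not encode spaces or the equals sign, so an input that contains neither angle brackets nor quotes is reproduced verbatim and the browser reads the part after the first space as a new attribute. The following is an added example, not code from the question or any answer: it renders the question's template in Python (html.escape standing in for htmlspecialchars), feeds the result to the standard-library HTML parser to see which attributes the browser would end up with, and contrasts it with the quoted-attribute version. The payload strings are constructed for the demo.

```python
import html
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Records the attributes of the first <input> tag, the way a browser would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def render_unquoted(username):
    """Mirrors the question's template: escaped, but the attribute value is not quoted."""
    return "<input type=text name=username value=" + html.escape(username) + ">"


def render_quoted(username):
    """Hardened form: the value sits inside double quotes, which html.escape encodes."""
    return '<input type="text" name="username" value="' + html.escape(username) + '">'


def attributes_of(fragment):
    """Parse a rendered fragment and return the <input> attributes as a dict."""
    parser = AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.attrs or {}


# Constructed payload: no < > & " ' in it, so the escaping function leaves it unchanged.
# Unquoted, the space ends the value and an event-handler attribute follows.
PAYLOAD_UNQUOTED = "x onmouseover=alert(1)"

# Constructed payload that would be needed against the quoted form; its double quotes
# are turned into &quot; so it never leaves the value attribute.
PAYLOAD_QUOTED = '" onmouseover=alert(1) x="'


if __name__ == "__main__":
    print(render_unquoted(PAYLOAD_UNQUOTED))
    print(attributes_of(render_unquoted(PAYLOAD_UNQUOTED)))
    print(render_quoted(PAYLOAD_UNQUOTED))
    print(attributes_of(render_quoted(PAYLOAD_UNQUOTED)))
    print(render_quoted(PAYLOAD_QUOTED))
    print(attributes_of(render_quoted(PAYLOAD_QUOTED)))
```

For the unquoted template the parser reports value="x" plus an onmouseover attribute, which is the injection the question is asking about. With the attribute quoted, the same input is a single value attribute, and an input that tries to close the quote is neutralised because the quote is one of the characters the escaping function encodes. The practical rule is that htmlspecialchars() is only sufficient inside a quoted attribute; unquoted attributes need a different encoder or, better, simply quoting.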

Java Security Manager for JRuby

I'm allowing user supplied ruby code to run on the server (Java scripting), and since JRuby doesn't support safe-levels as in ruby I'm thinking about using Java's security manager. Is this a good decision? Has anyone else implemented this? Are there any good articles/books/resources that introduce me to security manager? ...