I have a website that came with an SSL site for HTTPS, but it's on a different server. Example being
my website:
http://example.com
my SSL site:
https://myhostingcompany.com/~myuseraccount/
So I can do transactions over HTTPS and we have user accounts and everything but it is located on a different domain. The cookie domain is set f...
As I mentioned in an earlier post, I will be using flot for an upcoming project to generate graphs for a user. I would like to protect the formulas used to generate these graphs, so that someone can't simply copy the JavaScript. Is there a way to do this and still calculate the values on the fly with the ability for a user to change th...
I'm trying to learn Java EE 6 and I'm just wondering how to implement an authentication mechanism in Java EE 6.
Here is the Java EE 6 authentication example:
public void login() {
    if (account.authenticate(name, password) == null) {
        message = "Invalid user name or password!";
    } else {
        message = " Login successfu...
We are currently implementing a security log monitoring/auditing application for local law compliance.
In our first implementation we used the security event taxonomy proposed by the OpenGroup XDAS working group since the interesting Common Event Expression (http://cee.mitre.org) effort is apparently going nowhere.
Are there any other si...
Here's what's going on:
I have an application A hosted on a.mycompany.com and an application B hosted on b.mycompany.com
Application A contains an iframe containing a page contained in the application B.
<!-- In A's index.html: -->
<iframe src="http://b.mycompany.com/something.html" >
I need to have either the parent talk to the ifr...
I'm working on logs for a customer service application. Another guy who is not a very experienced developer is working on other things, but we're both in the same database. He has some friends that work in Customer Service. I don't think he'd delete logs, but I want to be sure that if logs were deleted, we'd know about it.
Is it poss...
I'm looking for options for securing UDP traffic (mainly real-time video) on a wireless network (802.11). Any suggestions apart from Datagram Transport Layer Security (DTLS)?
Thanks.
...
Now that there are a couple of neat canvas demos of both classic platform and even 3D FPS games in HTML5, the next step might be to try developing a multiplayer HTML5 game. HTML5 socket support makes this relatively straightforward, but with client-side source being viewable by anyone in the browser, what are some solutions for basic g...
In the .NET claim-based identity framework:
If I wanted to restrict users from doing an operation (view or edit) on, let's say, an account, a particular account #123456 (I am talking about a business entity, like a bank account), is it a good idea to create a claim for each account they can view or edit?
Any disadvantages of having a lot of claims ...
How would you go about securely destroying several hundred gigabytes of arbitrary data as quickly as possible?
Incinerating hard drives is a slow, manual (and therefore insecure) process.
...
How should one handle the situation where you may need to filter by a group of users.
Here is the scenario.
I have an administrator role in my company. I should be able to see all the data belonging to me plus all the other users who I have control over.
A plain old user however should only be able to access their own data.
If you a...
Seems to be a question for a Flash security guru.
Suppose we are loading an external SWF movie with MovieClipLoader.loadMovie(url:String)
Is it safe to assume that if url starts with "http://", the movie will be loaded in REMOTE sandbox?
We need to tell local SWFs from remote ones to close a security hole.
If you need the context read...
A bit of a Ruby newbie here - should be an easy question:
I want to use the encrypted_strings gem to create a password encrypted string:
(from http://rdoc.info/projects/pluginaweek/encrypted_strings)
Question is: Everything works fine, but how come I don't need the password to decrypt the string? Say I want to store the string somewhe...
I'm developing a GWT app running on the Google App Engine and wondering if I need to worry about Cross-site request forgery or is that automatically taken care of for me?
For every RPC request that requires authentication, I have the following code:
public class BookServiceImpl extends RemoteServiceServlet implements
BookService {
...
I've just read "Hacking: The Art of Exploitation" and I'm interested in this subject. The thing is, this book seems irrelevant to hacking now that OSes have non-executable stacks, canary values on the stack, etc.
So, what methods are used now to exploit computers?
Edit:
Sorry, I wasn't clear. I was wondering about how hackers attac...
Hi,
I have an assembly and want to restrict the assemblies and applications that can call/use this assembly's functionality. Can anyone provide detailed information on how this can be achieved?
From what I have read on the internet this is not possible because any "fully trusted" assembly will automatically be granted access.
I am u...
Hello.
I would like to know if there's a combo like jCryption (jCryption) - PHP but for jQuery - ASPX.
I mean, I have been searching for a combo to send data both ways (client-server, server-client) with jQuery to ASPX. The best I found was jCryption, which sends data from JavaScript to PHP. I need a combo to send data from JavaScript to ...
Hello,
I have an existing application written in SEAM that uses SEAM Security (http://docs.jboss.org/seam/2.1.1.GA/reference/en-US/html/security.html). In a stateless EJB, I might find something like this:
@In
Identity identity;
...
if(identity.hasRole("admin"))
throw new AuthException();
As far as I understand, Seam injects the...
These days, I'm interested in software security. As I'm reading papers I see that there are many attacks, and researchers are trying to invent new methods for software to get more secure systems.
This question can be general, including all types of attacks. There are many experienced programmers on SO; I just want to learn what are u...
It seems that even if you set the Access-Control-Allow-Origin header to allow access from mydomain.org to an image hosted on domain example.org, the canvas's origin-clean flag gets set to false, and trying to manipulate that image's pixel data will trigger a security exception.
Shouldn't canvases obey the Access-Control-Allow-Origin heade...