security

Why is using a Non-Random IV with CBC Mode a vulnerability?

I understand the purpose of an IV. Specifically, in CBC mode this ensures that the first block of 2 messages encrypted with the same key will never be identical. But why is it a vulnerability if the IVs are sequential? According to CWE-329, non-random IVs allow for the possibility of a dictionary attack. I know that in practice pro...

Create x509 certificate with openssl/makecert tool

I'm creating an x509 certificate using makecert with the following parameters: makecert -r -pe -n "CN=Client" -ss MyApp I want to use this certificate to encrypt and decrypt data with the RSA algorithm. I looked at the generated certificate in the Windows certificate store and everything seems OK (it has a private key, the public key is an RSA key...

php Mail function; Is this way of using it safe?

I have a classifieds website, and inside each classified there is a small form. This form is for users to be able to tip their "friends": <form action="/bincgi/tip.php" method="post" name="tipForm" id="tipForm"> Tip: <input name="email2" id="email2" type="text" size="30" /> <input type="submit" value="Skicka Tips"/> <input type="hidden...

Loading flash piece locally - security settings

I have a Flash piece that communicates with the page it's on (index.html) for JavaScript functions that open up pop-up boxes. I'd like to be able to load the Flash piece from a local computer (i.e. package up all the assets into a zip and allow people not on the internet to view the Flash piece). However, I get a security settings error ...

Interrogating Java source code

I have Java source code that I need to interrogate and apply security policies to [e.g. applying CWE]. I have a couple of ideas; for starters, using an AST and then traversing the tree. Others include using regular expressions. Are there any options other than AST or regex that I could use for such a process? ...

Automatic User Authentication Framework for Controllers in ASP.NET MVC?

In Rails I could do something like this to make sure a user is authenticated before accessing an action in the controller: before_filter :checked_logged_in, :only => [:edit, :update] I was wondering if ASP.NET MVC had something similar, or if there was a framework out there that could essentially do something like the following: For c...

What's the big deal with brute force on hashes like MD5

I just spent some time reading http://stackoverflow.com/questions/2768248/is-md5-really-that-bad (I highly recommend it!). In it, it talks about hash collisions. Maybe I'm missing something here, but can't you just encrypt your password using, say, MD5 and then, say, SHA-1 (or any other, it doesn't matter)? Wouldn't this increase the processi...

Securing Plugin Data in WordPress From Access by Other Plugins?

There probably is some solution to this, whether it involves code running on just the WordPress installation or a combination of a WordPress installation and a master server I am not sure yet, but please remember not to have tunnel vision and consider any and all possible solutions. The scenario is this: A WordPress plugin (plugin-A) th...

PHP Security best practices

I have implemented a project in PHP/MySQL; now I need to secure my project. Please let me know the security issues and how to tackle them in PHP ...

Is it a good idea to use only a key to encrypt an entire (small) filesystem?

This question comes as part of my doubts presented in a broader question about ideas for implementing a small encrypted filesystem on Java mobile phones (J2ME, BlackBerry, Android). Given the little feedback received, considering the density of the question, I decided to divide those doubts into small questions. So to sum up, I plan to "cr...

Meaning of accessMask parameter in CommonAce Constructor (System.Security.AccessControl)

What is the meaning of the accessMask parameter in System.Security.AccessControl.CommonAce's constructor? Unfortunately, the description "The access mask for the ACE." is not very helpful. ...

Deploying ASP.NET application using public IP

I want to deploy our official ASP.NET web application (Enterprise Resource Plan), which mostly contains critical data. Currently we have deployed it on an internal machine on the intranet; now we want to open it to the public, i.e. on the web. What would be the best deployment strategy so that the application remains fast, data is secure and we prevent unauthorized acc...

BlazeDS Security Custom LoginCommand

Hi, I've implemented my own LoginCommand and it works perfectly for all the remote calls from Flex. But besides the Flex remote objects, I'd like to protect some other web resources like HTML, JSP and SWF files, so I added a security-constraint with a URL pattern in the web.xml. <security-constraint> <web-resource-collection> <web-r...

Potential for SQL injection here?

This may be a really dumb question, but I figure why not... I am using RIA Services with Entity Framework as the back end. I have some places in my app where I accept user input and directly ask RIA Services (and in turn EF, and in turn my database) questions using their data. Do any of these layers help prevent security issues, or should ...

How to determine if a directory path was SUBST'd

Trying to figure out if a file is in a folder that has been subst'd or is located in a user folder, using C# ...

Extend Emacs to edit encrypted text files

I am trying to add special handling to Emacs to handle Triple-DES encrypted files (any file with extension .des3 is assumed to be a valid encrypted text file). My approach is to append to format-alist, like so: (setq format-alist (cons (list 'des3 "Triple-DES encrypted files" ".*\\.des3" "show" "" t nil) fo...

Double hashing passwords - client & server

Hey, first, let me say I'm not asking about things like md5(md5(...; there are already topics about it. My question is this: We allow our clients to store their passwords locally. Naturally, we don't want them stored in plain text, so we HMAC them locally before storing and/or sending. Now, this is fine, but if this is all we did, the...

How best to present a security vulnerability to a web development team in your own company?

Imagine the following scenario: You work at Big Co. and your coworkers down the hall are on the web development team for Big Co's public blog system, which a lot of Big Co employees and some public people use. The blog system allows any HTML and JavaScript, and you've been told that it was a choice (not by accident) but you aren't sure ...

Restrict access to a specific URL, running on IIS7 / ASP.NET

I am deploying a public ASP.NET website on an IIS7 web farm. The application runs on 3 web servers and is behind a firewall. We want to create a single page on the website that is accessible only to internal users. It is primarily used for diagnostics, trigger cache expiry, etc. /admin/somepage.aspx What is the best way to contro...

Can this be improved? Scrubbing of dangerous HTML tags.

I have been finding that for something that I consider pretty important, there is very little information or libraries on how to deal with this problem. I found this while searching. I really don't know all the million ways that a hacker could try to insert dangerous tags. I have a rich HTML editor, so I need to keep non-dangerous tags but s...