I validated my client's website to xHTML Strict 1.0/CSS 2.1 standards last week. Today when I re-checked, I had a validation error caused by a weird and previously unknown script. I found this in the index.php file of my ExpressionEngine CMS. Is this a hacking attempt as I suspected? I couldn't help but notice the Russian domain encoded in...
I know there are plenty of questions here already about this topic (I've read through as many as I could find), but I haven't yet been able to figure out how best to satisfy my particular criteria. Here are the goals:
The ASP.NET application will run on a few different web servers, including localhost workstations for development. This...
I will keep this simple.
Is it possible, or is there a special type of proxy for this?
...
I'm putting a Drupal project on an open source hosting site. What files do I have to not put up there so I don't compromise my site's security?
Various settings.php comes to mind. And obviously the database itself won't be in a repository. Anything else dangerous?
I'm running Drupal 6.
Also, it'd be nice to get the database itself und...
I'm getting an exception with a message of "Access Denied" when executing a WMI request. Some WMI requests appear to require higher security privileges than others. Ultimately my goal is to monitor process launches within the system and log them. Regardless of whether there is a better approach, it's now become a vendetta in getting this WM...
I'm trying to secure my rails 3 app against brute force login guessing. I'm using authlogic. What's the best way to force a user (or bot) to fill out a captcha after a specific number of failed login attempts? Does authlogic have a built in mechanism for recording how many consecutive failed attempts came from the same ip? I'd appreciate...
When I calculate a SHA-256 hash of a string in Java with the following method
public static void main(String[] args) throws NoSuchAlgorithmException {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    byte[] hash = md.digest("password".getBytes());
    StringBuffer sb = new StringBuffer();
    for(byte b : hash) {
    ...
Hi, yesterday I noticed that sometimes JavaScript errors show up on my webpage.
When I went to the source code, I found that one of the .js files was totally replaced with a ton of porn links.
I checked the FTP for this file, but there was just the old JavaScript file without any changes.
Yet when I go back to check the source code via the browser, indeed th...
Let's say I allow users to link to any images they like. The link would be checked for syntactical correctness, escaping etc., and then inserted in an <img src="..."/> tag.
Are there any known security vulnerabilities, e.g. by someone linking to "evil.example.com/evil.jpg", and evil.jpg contains some code that will be executed due to a ...
I'd like to run an app in a restricted private beta on heroku.
We're changing the app regularly and haven't done a security audit.
To stop anyone exploiting stuff, we'd like to lock down the whole site, so you need a password to access anything.
Ideally similar to using .htaccess and .htpasswd files to lock an entire site on an Apache...
Hi all... I'm developing a website using ASP.NET MVC with MySQL and I need to make a simple restricted area for the user to update some information on the website. So, I have created an area in the MVC application called "Admin", and I know how to protect it using Forms authentication and the Authorize attribute! It works fine, but in each controller of ...
How do I get an ICredential object within my web application?
I use Windows Authentication
I tried using the following code:
WindowsImpersonationContext securityContext =
    Request.LogonUserIdentity.Impersonate();
After the last line of code both: CredentialCache.DefaultCredentials and CredentialCache.DefaultNetworkCredenti...
Where does Internet Explorer store saved passwords?
And since this is a programming site, I'm not literally asking for the location where IE stores passwords, but which API IE uses to save passwords.
At first I assumed that Microsoft was using the standard API:
CredRead
CredWrite
which is used to save domain and generic program/web...
Hi!
I wonder if there's any downside or bad practice in doing the following procedure:
$user_input -> htmlentities($user_input) -> mysql_escape($user_input) -> insert $user_input into DB
Select $user_input from DB -> echo $user_input
instead of doing the following:
$user_input -> mysql_escape($user_input) -> insert $user_input in...
On this winform application I am writing, I want to secure one menu item from most users. It runs a month-end and cannot be easily backed out if accidentally run. The menu option opens up a window to prompt the user for some information before processing. I don't care where exactly I do the check, but I want to be sure only certain users...
If I create salt by using something like this:
public class User
{
    private const int Hash_Salt_Length = 8;
    private byte[] saltBytes = new byte[Hash_Salt_Length];
    public User()
    {
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetNonZeroBytes(saltBytes); ...
I have a location element in my web.config like so:
<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="Domain\Development"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
This works to only allow members of the development group access to this folder.
I ...
After creating secret keys, how do I store them using KeyStore class methods, and how do I load the keys?
...
I am working on my first desktop app that queries LDAP. I'm working in C under Unix and using OpenDS, and I'm new to LDAP. After working a while on that, I noticed that the user could alter the LDAP query by injecting malicious code.
I'd like to know which sanitizing techniques are known, not only for C/unix development but in m...
Possible Duplicate:
What is the optimal length for user password salt?
I tried to find the answer to this question on Stack Overflow without any success.
Let's say I store passwords using a SHA-1 hash (so it's 160 bits) and let's assume that SHA-1 is enough for my application. How long should the salt be that is used to generate passw...