I have a set of RESTful web services. These services are protected on a Glassfish server by OpenSSO. When I attempt to call the RESTful services directly from a browser, OpenSSO intercepts the request, then forwards the request to the REST service once the user's credentials are authenticated. OpenSSO utilizes a session cookie on subs...
I apologize if this is a somewhat stupid question, but I am very new to the REST programming realm. I have an application that is both web, mobile and machine accessible, and I will be leveraging REST-like web services for the mobile and machine part. I was going to use the S3 authentication model for the REST requests, however that re...
All,
I have a PHP website written in Zend Framework and MVC. Most of the controller actions check if the request is an Ajax request or not, else they redirect the user to home page. I am thinking about various ways to break that site. I am considering the following scenario:
A user creates his own PHP project on his local machine.
Use...
This question is for learning purposes. Suppose I am writing a simple SQL admin console using CGI and Python. At http://something.com/admin, this admin console should allow me to modify a SQL database (i.e., create and modify tables, and create and modify records) using an ordinary form.
In the least secure case, anybody can access htt...
How do you prevent malicious input in WYSIWYG editors like TinyMCE?
I have a system with users who are not "tech savvy" (so no WMD) and need a rich text editor that posts its content into a database.
I'm worried about scripting attacks and malicious input code.
...
Is there an Open source tool to extract ActionScript from Flash movies, ideally written in (or consumed by) C#
I just did a search and found http://www.nowrap.de/flare.html, but the source code is not available.
I need this so that I can allow the security review of Flash & ActionScript using the OWASP O2 Platform
...
Here's a use case:
I have a desktop application (built using Eclipse RCP) which on start, pops open a dialog box with 'UserName' and 'Password' fields in it. Once the end user, inputs his UserName and Password, a server is contacted (a spring remote-servlet, with the client side being a spring httpclient: similar to the approaches here...
We've got a couple of clusters running on AWS (HAProxy/Solr, PGPool/PostgreSQL) and we've set up scripts to allow new slave instances to be auto-included into the clusters by updating their IPs to config files held on S3, then SSHing to the master instance to kick them to download the revised config and restart the service. It's all worki...
Hello!
I want to allow the users of a web app that I'm building to write their own CSS in order to customize their profile page.
However I am aware of this opening up many security risks, i.e. background: url('javascript:alert("Got your cookies! " + document.cookies').
Hence I am looking for a solution to sanitize the CSS while sti...
I have been implementing the 'login through facebook' button on my e-commerce site by using the javascript sdk and the example here: http://developers.facebook.com/docs/authentication/ .
However, I have noticed that the cookie created by the sdk can be transmitted through http (as opposed to https) and I am pretty sure this is not the s...
I have a question about XSS
Can forms be used as a vector for XSS even if the data is not stored in the database and used at a later point?
i.e. in php the code would be this:
<form input="text" value="<?= @$_POST['my_field'] ?>" name='my_field'>
Showing an alert box (demonstrate that JS can be run) on your own browser is trivial wi...
Hi,
I want to limit the allowed uploaded file types to images, pdfs, and docs. What is the recommended way to approach this?
I assume checking the file extension alone is not enough, since an attacker can change the file extension as he wishes.
I also thought about checking against MIME Type using PostedFile.ContentType.
I still don...
Hello,
I am a wordpress plugin developer. I saw the source of many plugins and many plugins use "classes" in them and some without classes.
Many huge coded plugins like "wp-postratings" do not use classes and some small plugins use classes.
edit:
Since classes have private, public and protected access specifiers, I feel a taste of s...
private bool HasRights(FileSystemRights fileSystemRights_, string fileName_, bool isFile_)
{
bool hasRights = false;
WindowsIdentity WinIdentity = System.Security.Principal.WindowsIdentity.GetCurrent();
WindowsPrincipal WinPrincipal = new WindowsPrincipal(WinIdentity);
AuthorizationRuleCollection...
Hi,
does anybody know about a Java/C# database independent authorization library? This library should support read, write, delete, insert actions across company organizational structure.
Something like this:
- user can see all documents
- user can enter new document assigned to his unit
- user can change all documents assig...
Need to store some valuable data securely on Mac and access it with my application. How to?
...
I have a class that inherits from Exception. In .NET 4, I started receiving a runtime error:
Inheritance security rules violated
while overriding member: MyBusinessException.GetObjectData(System.Runtime.Serialization.SerializationInfo, System.Runtime.Serialization.StreamingContext)'. Security
accessibility of the overriding meth...
I have just recently run into an issue running an asp.net web app under visual studio 2008. I get the error 'type is not resolved for member...customUserPrincipal'. Tracking down various discussion groups it seems that there is an issue with Visual Studio's web server when you assign a custom principal against the Thread.CurrentPrincip...
Hi
I am starting to look at a bit of security for my site. My site I would consider a very low security risk as it has really no personal information from the user other than email.
However the security risk will go up a bit as I am partnering with a company and the initial password for this company's users will be the same password the...
Hello,
I am working on a browser based application that will have many users. The catch is that every user should have their own customized login page, but the actual application is the same for everyone, and needs to be in a central location.
The login page is static. That is, if we have a user that requires a separate login, we will...