security

How is ActiveSupport::SecureRandom secure?

Is ActiveSupport::SecureRandom secure in the way that it is 'impossible' to figure out the random numbers, or is it secure in the way that it will return UUIDs? ...
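Added example, not from the post above and written in Python rather than Ruby: the practical difference between a statistical PRNG and a cryptographically secure one. `random.Random` is a Mersenne Twister (MT19937, the same algorithm behind Ruby's `Kernel#rand`); its output tempering is invertible, so an attacker who observes 624 consecutive 32-bit outputs can recover the full internal state and predict every later value. `secrets` and `uuid.uuid4()` stand in here for SecureRandom: both draw from the OS CSPRNG, so there is no state to reconstruct, and a v4 UUID is only as unguessable as the 122 random bits it carries. The seed, the victim generator and all function names are constructed for the demonstration.

```python
import random
import secrets
import uuid

MASK32 = 0xFFFFFFFF


def temper(y):
    """MT19937 output tempering, applied to each raw state word before it is returned."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_shift(y, shift):
    """Invert y ^= y >> shift; each pass fixes the next `shift` bits from the top down."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_shift(y, shift, mask):
    """Invert y ^= (y << shift) & mask; each pass fixes the next `shift` bits from the bottom up."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Reverse temper(): the four steps undone in opposite order, recovering the raw state word."""
    y = _undo_right_shift(y, 18)
    y = _undo_left_shift(y, 15, 0xEFC60000)
    y = _undo_left_shift(y, 7, 0x9D2C5680)
    y = _undo_right_shift(y, 11)
    return y


def clone_mersenne_twister(observed):
    """Rebuild a random.Random in the victim's exact state from 624 consecutive 32-bit outputs."""
    if len(observed) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    # setstate() takes (version, (624 state words..., index), gauss_next). Index 624 means
    # "twist before producing the next output", which is exactly where the victim is too.
    state = tuple(untemper(v) for v in observed) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def predict_next(observed, count=5):
    """Values the victim generator will emit next, computed from the leaked outputs alone."""
    clone = clone_mersenne_twister(observed)
    return [clone.getrandbits(32) for _ in range(count)]


def prng_is_predictable(seed=0xC0FFEE):
    """Constructed victim: an attacker who saw 624 outputs predicts the following ones exactly."""
    victim = random.Random(seed)
    leaked = [victim.getrandbits(32) for _ in range(624)]
    predicted = predict_next(leaked)
    actual = [victim.getrandbits(32) for _ in range(len(predicted))]
    return predicted == actual


def secure_token(nbytes=16):
    """Session token from the OS CSPRNG: no observable state an attacker could reconstruct."""
    return secrets.token_hex(nbytes)


def secure_uuid():
    """Version-4 UUID: 122 bits from os.urandom, so its unguessability comes from the CSPRNG."""
    return uuid.uuid4()


if __name__ == "__main__":
    print("Mersenne Twister predicted from 624 leaked outputs:", prng_is_predictable())
    print("secrets token:", secure_token())
    print("uuid4:", secure_uuid())
```

The takeaway for the question: "returns UUIDs" is a format property, "cannot be predicted" is a generator property, and only the second one is a security guarantee.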

How to add simple security and measure performance of a web service

Hi, so I'm making an app for a bank, but it doesn't manage very important data. I have two problems: it will run over a VERY large LAN protected by all kinds of security (antivirus and firewalls), and the bandwidth in certain regions is as low as 56 kbps. (It's a desktop app with a web server backend connected by web services.) From th...

Does a prepared statement prevent SQL injection here?

Hi all, the code below is from the SAMATE Reference Dataset. I used it to test a static analysis tool. As you can see, the code should prevent SQL injection both by using a sanitization method and by using a prepared statement. Since SCA tools cannot know custom sanitization methods, they will not detect that the allowed method is used t...
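Added example, not from the post above or the SAMATE dataset, in Python with the standard `sqlite3` module rather than the Java of the original test case. It puts the three variants side by side: string concatenation, concatenation behind a custom sanitizer, and a prepared statement with a bound parameter. The table, its rows, the sanitizer and the function names are all constructed for the demonstration.

```python
import sqlite3


def build_demo_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, secret) VALUES (?, ?, ?)",
        [(1, "alice", "alice-secret"), (2, "bob", "bob-secret")],
    )
    return conn


def strip_quotes(value):
    """Stand-in for a custom sanitizer an SCA tool cannot reason about: removes single quotes only."""
    return value.replace("'", "")


def lookup_concat(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so a quote ends the literal
    # and whatever follows is parsed as part of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_sanitized_concat(conn, user_id):
    # Still vulnerable: the sanitizer assumes a quoted-string context, but this is a
    # numeric context where no quote is needed to break out.
    sql = "SELECT name FROM users WHERE id = " + strip_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    # Safe: the statement is compiled with a placeholder and the value is bound afterwards,
    # so it is never parsed as SQL no matter which characters it contains.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def lookup_prepared_by_id(conn, user_id):
    # Binding also covers the numeric case: the text '1 OR 1=1' is compared against id as a
    # value (no row matches) instead of being evaluated as an expression.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


if __name__ == "__main__":
    db = build_demo_db()
    print("concat, payload:    ", lookup_concat(db, "' OR '1'='1"))
    print("sanitized, payload: ", lookup_sanitized_concat(db, "1 OR 1=1"))
    print("prepared, payload:  ", lookup_prepared(db, "' OR '1'='1"))
    print("prepared by id:     ", lookup_prepared_by_id(db, "1 OR 1=1"))
```

This is also why a static analyser that cannot prove the sanitizer is sound is right to keep flagging the concatenated variants: the prepared statement is the only one whose safety does not depend on knowing what the sanitizer does.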

What's the simplest way to secure your forms from spammers?

What's the easiest way of stopping spammers from probing your forms (preferably without deterring real users)? ...

HTTP based authentication/encryption protocol in a custom system

We have a custom-built program that needs authenticated/encrypted communication between a client and a server [both in Python]. We are doing an overhaul from custom-written Diffie-Hellman+AES to RSA+AES in an unorthodox way, so I would be very interested in comments about my idea. Prerequisites: the client has a 128-bit RegistrationKey which ...

Outlook attachments and JavaScript

So I have a security issue with my fresh install of Outlook 2003 (on Windows 7 + Internet Explorer 8). I just received an email with an HTML page attached. I (stupidly) double-clicked the attachment, which opened up IE, and which contained JavaScript that ran and took me to a malware site. Some interesting facts: (1) When I create an...

Is putting data in cookies secure?

Hi, I am using ASP.NET MVC 2.0 and I am wondering how secure it is to put information in a cookie. For example, I put in my cookie a forms authentication ticket that is encrypted, so can I put information that could be sensitive in there? string encryptedTicket = FormsAuthentication.Encrypt(authTicket) HttpCookie authCookie = new HttpCook...

Auth problems (security filters) in sfGuardUser Symfony

Hi, I'm using Symfony 1.2.7 and the sfGuardUser plugin. I'm able to view all the pages, log in and log out. However, when I try to edit (just going to the form) or update an object (saving the changes), sometimes I have auth problems, and Symfony redirects me to the edit form page again. I put some emphasis on sometimes because it's what it...

Security Risk: OLEDB Excel

Hi everyone, I'm writing a web app that will read data from an Excel file submitted by an authenticated user by opening an OLEDB connection to it. Can anyone tell me the security risks of opening up an Excel file this way? I know dangerous macros can be embedded in Excel files, but is that still a risk when using an OLEDB connection? ...

Has anyone used SecureBlackBox?

Hi all, has anyone used SecureBlackBox? It is a library that can be used with sockets to encrypt the data sent over the socket. I have a project that uses it, and sending a packet of data of around 976Kb using the SecureBlackBox library takes 12 seconds. If I strip out the library and just use normal sockets, it takes fr...

How to keep secret keys a secret from sys admin?

We have a web app which can upload files to S3. For this to be possible, a configuration file is required which contains the access key ID and the secret access key of my AWS account. I am not the sysadmin of the box that runs the web app, so basically this person can just grab my secret access key and e.g. start, stop and terminate EC2 i...

Security concern between application server and database server

Think about a situation like this... I have an application server and a database server. An application will ask the database server for information. The database server, of course, needs a password, and there is also an SSL connection. Is it necessary to make the connection via a VPN? Also, I am using RoR to develop; is there any way ...

(PHP - Session) How can I restrict direct access to controller.php and only allow access from view.php?

Hi, I am a beginner in PHP. How can I restrict user access to controller.php and allow access to it only via view.php? My proposal (I don't know if this is proper, or how to avoid robots accessing it directly): view.php: <?php session_start(); $_SESSION['isFromView'] = true; ?> <html> <body> <form action="...

How to secure my generic handler calls?

I am creating a MySpace application, and for some database entries I am using generic handlers which I have hosted on another website. From my MySpace application I use AJAX calls to those handlers to perform the activities that I want. I want to know how I can make these AJAX calls secure. I mean, I want to be sure that the handlers are b...

SQL Server: protect database from being changed directly

Our program ships with an SQL Server 2005 database and SQL Server 2005 Express. Usually it installs its own instance of SQL Server 2005 on the client's computer. Now I have to add some tables whose content should only be updated from within the program. I need to prevent these tables from being changed directly by using Management Stud...

Why encrypt user passwords?

Possible Duplicate: Why aren't original passwords stored? Why would one store encrypted user passwords in a database, if the password is the least valuable part of the data? It doesn't seem like it would affect external attacks; setting a limited number of login attempts per day per account would be effective. It doesn't seem l...
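Added example, not from the post above, in Python using only the standard library. It shows the practice the question asks about as it is actually done: the password is not encrypted but run through a salted, slow key derivation (PBKDF2-HMAC-SHA256 here), verification recomputes the derivation from the stored salt, and the `offline_guess` function models what changes once someone holds a copy of the table. The iteration count, the record format, the sample passwords and all function names are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256: an assumed default, to be tuned to the server's hardware.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return a self-describing record: algorithm, work factor, random salt, derived key."""
    salt = os.urandom(16)  # per-user salt: identical passwords produce different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the derived key from the stored salt and compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def offline_guess(record, candidate_passwords):
    """What an attacker with a copy of the table can do: test guesses locally.

    No login endpoint is involved, so a per-account attempt limit never fires; the salt
    (no precomputed tables shared across users) and the work factor are the only brakes.
    """
    for guess in candidate_passwords:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("correct horse")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse", record))
    print("login with wrong password:", verify_password("wrong", record))
    print("offline guess from a small wordlist:",
          offline_guess(record, ["123456", "password", "correct horse"]))
```

The record deliberately embeds its own algorithm name and iteration count, so the work factor can be raised later for new records while old ones still verify.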

Should you encrypt data in the app.config and web.config under this situation?

Hi, I am developing an ASP.NET MVC 2 web application. My clients will most likely want a copy of my application to be hosted on their servers instead of me hosting it on my server for all clients. However, I see a problem with this because I was planning to use the .NET 2.0 encryptor to encrypt my web.config to make it safer. I got to t...

Why should usernames be unchangeable?

I read everywhere (and see in practice) that usernames should not be changeable. When I ask why, 'security' is given as a reason. I've been searching for a definitive answer as to why changing a username is insecure, but I can't seem to find the answer. Could any of the security-experienced people here answer this question? Note: if y...

Giving web designers autonomy to publish

I would like to give web designers autonomy to publish web pages, but letting them edit aspx files is a serious security risk as they don't have the required programming skills. I was thinking about two approaches: they are only able to edit HTML files and call services with AJAX; let them edit XSLT files associated with services t...

ASP.NET Login Control: Dealing with brackets in passwords

Hi. I'm using the standard asp:Login control, and we have a user who recently changed her password to include an angular bracket. When she tries to log in, she gets an error message, and I get the standard 'dangerous request' exception. I know I can set ValidateRequest="false" on the page to negate this, but I was hoping someone knew o...