I'm familiar with the use of the context object design pattern - a lightweight context wrapper around objects passed between tiers.
If one were to use the context object to track taint (untrusted user input), or the origin tier, I could see how a receiving tier could dynamically filter, encode, or validate accordingly.
For example:
A ...
My sharepoint webpart is throwing an error when calling HttpWebRequest.GetRequestStream when the request is made through a proxy server. The error is "unable to connect to the remote server." The client's machine (where this is failing) is set to use a specific proxy server (Use proxy server for your LAN) on IE settings.
Do I need to ...
There is this PHP script on my website which I don't want people to be able to run by just typing its name in the browser.
Ideally I would like this script to be run only by registered users and only from within a Windows app (which I will have to provide). Can this be done?
Alternatively, how can I protect this script so that it can ...
In CBC mode, C2 = Ek(C1 ⊕ P2)
C2 = 2nd block of ciphertext
P2 = 2nd block of plaintext
Ek = encryption function
If IV is known (let's say it's set to 0), is there any way to find the ciphertext block such that C2 = Ek(P2)?
...
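The CBC relation quoted above, C2 = Ek(C1 ⊕ P2), means that anyone who can choose P2 and sees C1 can make the cipher encrypt whatever block they like: submit P2' = C1 ⊕ P2 and the second ciphertext block becomes Ek(C1 ⊕ C1 ⊕ P2) = Ek(P2), which is also what a zero IV would produce for P2 as a first block. The example below is added here and is not from the question; it uses a toy keyed Feistel permutation as a stand-in for Ek (not a real cipher, just invertible) so the algebra can be checked by running it.

```python
import hashlib
import hmac

BLOCK = 16  # 16-byte blocks, like AES


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 over (round index, half block),
    # truncated to half a block. Any keyed PRF would do for the demonstration.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k: a 4-round Feistel permutation on one 16-byte block.
    NOT a real cipher; it is only an invertible keyed permutation so that the
    CBC algebra can be exercised with stdlib-only code (assumption)."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block (rounds run backwards)."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E_k(C_{i-1} XOR P_i), with C_0 = IV. No padding:
    the caller supplies a whole number of blocks."""
    assert len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for off in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(prev, plaintext[off : off + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D_k(C_i) XOR C_{i-1}."""
    assert len(ciphertext) % BLOCK == 0
    prev, out = iv, []
    for off in range(0, len(ciphertext), BLOCK):
        c = ciphertext[off : off + BLOCK]
        out.append(xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def craft_second_block(c1: bytes, p2: bytes) -> bytes:
    """The block to submit in position 2 so that C2 = E_k(P2).

    CBC computes C2 = E_k(C1 XOR P2'); choosing P2' = C1 XOR P2 cancels C1.
    Nothing about the key is needed, only the observed C1."""
    return xor(c1, p2)


def demonstrate(key: bytes, p1: bytes, p2: bytes):
    """Run the chosen-plaintext trick once. Returns (C2 obtained by sending the
    crafted block, E_k(P2) computed directly, CBC of P2 alone under a zero IV);
    all three are equal."""
    iv = bytes(BLOCK)  # IV = 0, as in the question
    c1 = cbc_encrypt(key, iv, p1 + p2)[:BLOCK]  # attacker observes C1
    p2_prime = craft_second_block(c1, p2)
    c2_prime = cbc_encrypt(key, iv, p1 + p2_prime)[BLOCK:]
    return c2_prime, toy_encrypt_block(key, p2), cbc_encrypt(key, iv, p2)


if __name__ == "__main__":
    k = b"\x00" * 16
    a, b, c = demonstrate(k, bytes(range(16)), bytes(range(16, 32)))
    print(a.hex(), a == b == c)
```

The same cancellation is why a predictable IV (or, equivalently, a known previous ciphertext block) lets an attacker test a guess G for some block: submitting G ⊕ C_prev yields Ek(G), which can be compared against the real ciphertext block.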
Hi, I'm working on a project that consists of ASP pages (not ASP.Net). I would like to know if there are security mechanisms that can be implemented for ASP just like the ones that ASP.Net handles in its web.config files.
Thanks in advance
...
My company hired a contractor to do a small project for us, for which he needs to select data from one single view in our main database (SQL Server 2005).
I wanted to create a locked-down SQL Server login for him, with permissions just to SELECT from "his" view...and nothing else.
So I created a new user on the server, and then I gav...
Hi!
I am using CustomBinding to enable Soap 1.1 (endpoint does not support 1.2) + Addressing 1.0. The endpoint is only available over SSL, and runs on some kind of Java/Weblogic platform.
Here is my configuration:
<customBinding>
<binding name="Soap11Addr10">
<textMessageEncoding messageVersion="Soap11WSAddressing10" />
...
Possible Duplicate:
Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?
String badInput = rawInput.replace("'","''");
ResultSet rs = statement.executeQuery("SELECT * FROM records WHERE col1 = '"+badInput+"'");
Is there any way to do a "Bobby Tables"-like attack...
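Doubling single quotes is sound only for one context: an ANSI string literal on a server that does not also treat backslash as an escape. The added example below (Python with SQLite rather than the question's Java/JDBC; not from the post) goes a step beyond the question by showing the same escape routine reused in an unquoted numeric context, where there is no quote for the attacker to break out of, next to the parameterised query that does not depend on context at all. The MySQL backslash bypass (input `\'` becoming `\''`) cannot be shown in SQLite and is only noted in a comment.

```python
import sqlite3
from typing import List, Tuple


def escape_quote(raw: str) -> str:
    """The escaping from the question: double every single quote.
    NOTE: MySQL (without NO_BACKSLASH_ESCAPES) also treats backslash as an
    escape, so the input  \\' OR 1=1 --  becomes  \\'' OR 1=1 --  and the
    first quote is consumed by the backslash, reopening the injection.
    SQLite has no backslash escapes, so that case is not reproduced here."""
    return raw.replace("'", "''")


def setup() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, col1 TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO records (col1, secret) VALUES (?, ?)",
        [("alice", "s-1"), ("bob", "s-2"), ("carol", "s-3")],
    )
    return conn


def query_escaped_string(conn: sqlite3.Connection, raw: str) -> List[Tuple]:
    """The question's pattern: escape, then wrap in single quotes."""
    sql = "SELECT * FROM records WHERE col1 = '" + escape_quote(raw) + "'"
    return conn.execute(sql).fetchall()


def query_escaped_numeric(conn: sqlite3.Connection, raw: str) -> List[Tuple]:
    """Same escape routine, reused for a numeric column without quotes.
    The routine only neutralises quotes, and this context contains none,
    so  1 OR 1=1  passes straight through as SQL."""
    sql = "SELECT * FROM records WHERE id = " + escape_quote(raw)
    return conn.execute(sql).fetchall()


def query_parameterised(conn: sqlite3.Connection, raw: str) -> List[Tuple]:
    """Prepared statement: the value is bound, never spliced into the SQL text,
    so quoting rules of the server do not matter."""
    return conn.execute("SELECT * FROM records WHERE col1 = ?", (raw,)).fetchall()


def query_parameterised_numeric(conn: sqlite3.Connection, raw: str) -> List[Tuple]:
    """Numeric context done right: validate the type, then bind."""
    record_id = int(raw)  # raises ValueError for "1 OR 1=1"
    return conn.execute("SELECT * FROM records WHERE id = ?", (record_id,)).fetchall()


if __name__ == "__main__":
    db = setup()
    print("escaped string, attack:", len(query_escaped_string(db, "' OR '1'='1")))
    print("escaped numeric, attack:", len(query_escaped_numeric(db, "1 OR 1=1")))
    print("parameterised, attack:", len(query_parameterised(db, "' OR '1'='1")))
```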
How can I disable dropping of files on a System.Windows.Controls.WebBrowser? From the documentation it would seem that this behaviour should be disabled by default as it is inherited from the UIElement.AllowDrop Property.
However, by default I can drag and drop files on to a WebBrowser control. Further to this it seems I can't disable th...
In my website, I am not using any authentication or authorization. I've created login page to capture the user credentials and check against database. If the user successfully authenticates, it's storing the user data in session and navigating to other pages.
Now thinking of implementing Forms Authentication, but my concern is how to s...
Hi, this works for me, but is there a better/safer way to use an include:
<?php include "http://www.myserver.com/somefile.php" ; ?>
I tried:
<?php include "somefile.php" ; ?>
but it did not work.
...
What do people do about security issues when using nServiceBus/MSMQ? Thinking about, for example, message encryption, message signing (validation?), etc.
How do you know that the message was not sent to the queue by someone else, or that someone has tampered with a message?
...
Hello,
I'm sorry if this post isn't relevant here. If you feel this post is useless, act as you wish.
My question is: why don't we save the visitors' (subscribers') cookie information in the DB rather than setting a file on the user's machine? Yeah, I know I might sound silly for the following reasons:
1) Maintaining DB for every single ...
Is it possible to access local resources (serial ports, opening a socket, writing a file, etc.) using an ActiveX DLL in C#?
I already have an application that works in this scenario, but I had to configure the framework for full-trust access. Now I would like to do without this configuration. Is it possible? Is there a type of signing certificate ...
Does anyone have any in-depth technical detail on the Pirate Bay SQL injection hack? I'm very curious.
Where can I find this info?
Thanks!
(Note, I'm looking not for general techniques like tossing single quotes in user inputs, etc. I know the basics already. I want to know the actual methods used. The YouTube video is also lackin...
Hi
I am using jquery datatables and MS XSS library.
I did this
AntiXss.HtmlEncode(MyDate.ToString("MM/dd/yyyy h:mm tt"));
this renders this
07/22/2010 4:04 PM
So it's all encoded. Now for whatever reason this messes datatables up. It can't figure out how to sort anymore.
So why is it encoding the slashes and dots? w...
icacls d:\users\dptname\username /grant:W company-domain\username:(OI)(CI)(M)
error says: invalid parameter "/grant:W"
why?
...
Hello!
I'm trying to list all files (.DOC and .PDF) contained in a specific Web directory.
The problem is that I do not have access. I can only download with the full path of the file.
Example:
Directory 1: http://xxx.site.com/uploads/local20/40
Files:
45677.pdf
54354.doc
65767.doc
54354.pdf
43243.pdf
...
Directory 2: h t t...
I'm developing a Java Enterprise application, currently doing JEE-Security stuff to restrict access for particular functions to specific users.
I configured the application server and everything; now I'm using the RolesAllowed annotation to secure the methods:
@Documented
@Retention (RUNTIME)
@Target({TYPE, METHOD})
public @interface R...
The server/client application communicate with each other using XML formatted data over a TCP connection. This is awesome, since I don't have to worry about serializing/deserializing complex data.
To allow the receiver to read the XML data, I prepend the XML document length (in bytes) to the data sent over the network socket; in this way the receiving...
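Length-prefixed framing works, but the length field is attacker-controlled bytes like everything else on the socket: a receiver that allocates or waits for whatever length it reads can be made to exhaust memory or hang. The example below is added here and is not the poster's code; it assumes a 4-byte big-endian unsigned length header (the post does not say which encoding is used) and shows a decoder that caps the declared length before buffering, tolerates partial and coalesced TCP reads, and only then hands the payload to the XML parser.

```python
import struct
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Assumed wire format: 4-byte big-endian unsigned length, then that many bytes of XML.
HEADER = struct.Struct("!I")
# Cap on a single frame. Checked before any buffer of that size is built, so a
# header claiming 4 GiB is rejected immediately instead of being waited for.
MAX_FRAME = 1 << 20  # 1 MiB, chosen for the example


class FrameError(ValueError):
    """Raised on a malformed or oversize frame; the caller should drop the connection."""


def encode_frame(xml_bytes: bytes) -> bytes:
    """Sender side: prefix the serialized document with its byte length."""
    if len(xml_bytes) > MAX_FRAME:
        raise FrameError("frame too large to send")
    return HEADER.pack(len(xml_bytes)) + xml_bytes


class FrameDecoder:
    """Receiver side. Feed it whatever recv() returns, in any chunking; it
    returns the complete payloads that became available."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> List[bytes]:
        self.buf += chunk
        frames: List[bytes] = []
        while True:
            if len(self.buf) < HEADER.size:
                break  # header not complete yet
            (length,) = HEADER.unpack_from(self.buf, 0)
            if length > MAX_FRAME:
                # Do not wait for, or allocate, a frame we would never accept.
                raise FrameError(f"declared length {length} exceeds cap {MAX_FRAME}")
            if len(self.buf) < HEADER.size + length:
                break  # body not complete yet
            frames.append(bytes(self.buf[HEADER.size : HEADER.size + length]))
            del self.buf[: HEADER.size + length]
        return frames


def decode_stream(stream: bytes, chunk_size: int) -> List[bytes]:
    """Helper that replays a byte stream through a decoder in fixed-size chunks,
    simulating a socket that returns partial reads."""
    decoder = FrameDecoder()
    frames: List[bytes] = []
    for off in range(0, len(stream), chunk_size):
        frames.extend(decoder.feed(stream[off : off + chunk_size]))
    return frames


def parse_message(payload: bytes) -> Tuple[str, Dict[str, str]]:
    """Parse one framed document. Framing protects against the length field only;
    the XML itself is still untrusted input (see the xml.etree documentation's
    warning about entity expansion; defusedxml is the usual hardened parser)."""
    root = ET.fromstring(payload)
    return root.tag, dict(root.attrib)


if __name__ == "__main__":
    # Constructed sample traffic: two small documents back to back.
    wire = encode_frame(b"<ping id='1'/>") + encode_frame(b"<pong id='2'/>")
    for frame in decode_stream(wire, 3):
        print(parse_message(frame))
```

With this in place the only thing a sender can make the receiver buffer is MAX_FRAME bytes per connection; pair it with a socket timeout so a client that sends a header and then stops cannot hold the connection open forever.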