I have an asp.net application that runs on a custom app pool which runs under a service level account. I have anonymous access turned off in web.config. The web server is part of a domain. The application accesses a sql server which runs on the same machine.
Currently, for all users, I impersonate the service level account to access the D...
My php user authentication script is based on code from someone who, at the time, was a much better coder than me. As such I trusted that the parts I didn't quite see the point of were better left alone unless I had a good reason to change them. I've since improved and have my own ideas of what should be done.
One of the things in this ...
I would like to sign my XDocument XML document (to verify it later on). Is there any way to sign an XDocument or do you have to convert it to an XmlDocument?
http://www.west-wind.com/weblog/posts/257599.aspx
...
I don't exactly know how it usually works, so please tell me where to dig..
I need to create a tamper-resistant app installation file. Basically, if for some reason the setup file(s) have been changed, it is supposed to tell about it and prevent any further installation.
How does it work? I suppose it's something to do with md5 hash.
Is it possi...
Hi
Is there a way of detecting when an AJAX request (using jQuery) to an ASP.NET MVC application redirects me to the login page?
I'm getting partial views rendered using an ajax call, but when the user has been signed out (for whatever reason), instead of returning a 302 or some other indication (that I can see) I get the login form re...
Hi, I'm using mod_security with the latest core rules.
It triggers on all my pages whenever I use a querystring, i.e.
www.mypage.com/index.php?querystring=1
I get a warning that it exceeds the maximum allowed number of arguments, however the base config defines max_numb_args to = 255 which of course it doesn't exceed.
Any ideas why?
Ba...
Hi all,
I am facing a strange problem with the security component.
I have a form with following fields in it:
First Name (firstname)
Last Name (lastname)
Primary Email (primaryemail)
Password (password)
Retype Password
Secondary Email (secondaryemail)
Residence Address (address)
State
City (city_id)
Location (location_id)
Designation ...
I am searching for a sasl library for .net.
So far I could only find: Sasl.Net but it looks dead and only implements plain and digest-md5.
Can anyone suggest a good library? Preferably an open-source implementation.
...
I am looking forward to develop a remote system management web application (like Webmin is, for example). Obviously I am going to need to call shell commands to be executed as issued by root or another specific non-nobody user.
What are general guidelines for this task?
The only solution coming into my mind now is running the web serve...
Hi All,
I'm using the WCFTestClient to debug a service. This normally works like a charm. This particular service is using SSL and I need to pass the user name and password. I can right click and edit the config file, but I do not see a place where I can inject the user name and password. On the normal client app for this service, we pro...
What are common Java vulnerabilities that can be exploited to gain some sort of access to a system? I have been thinking about it recently, and haven't been able to come up with much of anything - integer overflow - maybe? race condition - what does it give you?
I am not looking for things like "sql injection in a web app". I am looki...
I read most of the documentation, I only see the use of @RolesAllowed or @DeclareRoles, how can I add a user or delete a user? I have a table of users with username and password in my database, how can I make my web app authenticate those users? How can I map these users (principals) to particular roles? Sample code would be greatly appre...
I've heard that some XSS attacks can be done by posting an image to a site that has javascript as the src attribute. Are there certain browsers that will protect me from this type of attack?
...
Can serialization be used as a secure means to store the state of program?
...
I've written a VB program. How do I add anti-tamper code so people can't crack it?
...
I'm building an ASP.NET MVC 2 site where I'm currently implementing an OpenID sign-up form. Unfortunately, I'm foreseeing a possible security bug/vulnerability inside my architecture.
Here's how I want OpenID login to work:
User requests /Account/Login, Controller sends back OpenIDLogin View.
User enters their OpenID into the View, th...
Hi everyone,
I was just pointed to a very interesting article about a security problem called
Cross Build Injection (XBI). Basically it is a fancy name for smuggling bad code
into an application at build time via automated build systems such as ant, maven or ivy.
The problem could be alleviated by introducing a cryptographic signature ...
Hi SO,
I've got a LAMP webserver running my homepage (index.html in var/www/). I'd like to know in general how to set my file permissions so that browsers can't access anything besides the html/php files I want to show. Right now I've sort of accidentally chmodded everything to 777. I understand that .htaccess only protects the www fo...
Hi,
Can someone provide me with a list of leading binary research tools for Windows OS and Windows applications? I found BinScope from Microsoft itself but was wondering if there are any other better tools around?
Thanks,
Omer
...
I have a silverlight application which I load inside an asp.net website via . If I don't implement any security on the silverlight application itself - will it be secure if the user needs to authenticate on the asp.net page (in which the tag sits) only? Or is there some hack to access the silverlight application without actually acces...