Hello,
I've created a WCF service that should be consumed outside my domain, so I decided to use WSHttpBinding with certificate authentication and message security.
I created a self-signed certificate named "Test And Dev Root Authority" using makecert, and with it I signed two other certificates using the same tool, like this:
makecert...
Although "slightly" related to a previous question, it is different. How "secure" is this code in terms of cURL? Are there any other "bits" that should/ought to be added. Note it is not being used to pass "sensitive" info.
$ch = curl_init("http://www.example.com/test.xml");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch...
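As an added example (not code from the original post), here is the same fetch with the options a reviewer would usually ask for: certificate and hostname verification, a whitelist of allowed schemes that also applies to redirects, connect and total timeouts, a cap on the response size, and XML parsing with network access disabled. It assumes the document is also reachable over HTTPS (the URL and the 1 MiB limit are assumptions).

```php
<?php
// Added example, not code from the original post: a hardened version of the
// fetch above. Assumes the resource is also served over HTTPS (the URL below
// is an assumption) and that 1 MiB is a sensible upper bound for the document.

function fetchXmlSafely(string $url, int $maxBytes = 1048576): ?SimpleXMLElement
{
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }

    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER   => true,
        // Verify the certificate chain and the hostname. Without both, HTTPS
        // offers no protection against an on-path attacker.
        CURLOPT_SSL_VERIFYPEER   => true,
        CURLOPT_SSL_VERIFYHOST   => 2,
        // Restrict the schemes cURL will speak, including on redirects, so a
        // redirect cannot steer the client to file://, gopher://, dict:// etc.
        CURLOPT_PROTOCOLS        => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS  => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION   => true,
        CURLOPT_MAXREDIRS        => 3,
        // Bounded connect and total time so a slow peer cannot pin PHP workers.
        CURLOPT_CONNECTTIMEOUT   => 5,
        CURLOPT_TIMEOUT          => 15,
        // Abort once the body exceeds $maxBytes; a non-zero return from the
        // progress callback makes curl_exec() fail with CURLE_ABORTED_BY_CALLBACK.
        CURLOPT_NOPROGRESS       => false,
        CURLOPT_PROGRESSFUNCTION => function ($handle, $dlTotal, $dlNow) use ($maxBytes) {
            return $dlNow > $maxBytes ? 1 : 0;
        },
    ]);

    $body   = curl_exec($ch);
    $errno  = curl_errno($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($errno !== 0 || $status !== 200 || !is_string($body)) {
        return null;
    }

    // Parse without network access and without expanding external entities
    // (do not pass LIBXML_NOENT), which closes the XXE route on the parser side.
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body, SimpleXMLElement::class, LIBXML_NONET);
    libxml_clear_errors();

    return $xml === false ? null : $xml;
}

$doc = fetchXmlSafely('https://www.example.com/test.xml');
echo $doc === null ? "fetch or parse failed\n" : "root element: {$doc->getName()}\n";
```

The two settings most often missing from copy-pasted cURL code are CURLOPT_SSL_VERIFYPEER/VERIFYHOST (some older snippets disable them to "fix" certificate errors) and CURLOPT_PROTOCOLS; even for non-sensitive data, the latter prevents a compromised or redirecting server from turning your fetcher into a local file reader.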
Now, I didn't do the website design, but a couple of months ago I ported an existing website over to WordPress for a client of mine.
I got a call from a client today regarding their website, and some sort of a security problem.
The website's homepage loads up fine, but if you try to navigate to any other page it brings you to - http://sec...
It has been recommended that I read Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World
The book looks great, but seeing it was last updated in 2002 concerns me ... especially where security is involved.
So my question is, is this book still relevant? Or should I read ...
I've been scouring the Net for hours looking for a solution, with only partial and non-functioning solutions to show for my efforts.
The solution below seemed like a great fix at first but it also blocks my flash player from accessing the files. Could I only allow access from particular pages?:
<Files ~ "...">
order allow,deny
den...
I'm building an Android application that needs to communicate with a MySQL database. The application isn't meant to be published, and I want the application to be the only thing allowed to interface with the web service I'll create for DB access.
I've been thinking how I can secure the system, and this is the idea I've come up with. I'd...
My website was infected by a trojan script.
Somebody managed to create/upload a file called "x76x09.php" or "config.php" into my webspace's root directory. Its size is 44287 bytes and its MD5 checksum is 8dd76fc074b717fccfa30b86956992f8. I've analyzed this file using Virustotal. These results say it's "Backdoor/PHP.C99Shell" or "Trojan....
I have a textarea and I want to support some simplest formatting for posted data (at least, whitespaces and line breaks).
How can I achieve this? If I don't escape the response and keep some HTML tags, then it'll be a great security hole. But I don't see any other solution which will allow text formatting in the browser.
So, I probably s...
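As an added example (not code from the original post), the standard way out of this dilemma is to escape everything the user typed and then add back only the markup the server itself chooses, in this case line breaks and runs of whitespace. The sample input is constructed for the demonstration.

```php
<?php
// Added example, not code from the original post: render text from a textarea
// with line breaks and indentation preserved while emitting no user-controlled
// markup at all. The sample input is constructed for the demonstration.

function renderPlainText(string $text): string
{
    // Normalise CRLF/CR to LF so each line break becomes exactly one <br>.
    $text = str_replace(["\r\n", "\r"], "\n", $text);

    // 1. Escape everything. Whatever the user typed (<script>, onerror=, quotes)
    //    is now inert character data and is displayed literally.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // 2. Re-introduce the only markup we want, line breaks, from our own code
    //    rather than from the input. nl2br() inserts <br> before each "\n".
    $safe = nl2br($safe, false);

    // 3. Keep runs of spaces and tabs, which HTML would otherwise collapse.
    $safe = str_replace("\t", '&nbsp;&nbsp;&nbsp;&nbsp;', $safe);
    $safe = preg_replace_callback(
        '/ {2,}/',
        static fn(array $m): string => str_repeat('&nbsp;', strlen($m[0])),
        $safe
    );

    return $safe;
}

// Alternative with no entity juggling: escape only, and let CSS keep the
// whitespace. Neither function ever lets a user-supplied tag reach the
// browser as a tag.
function renderPlainTextCss(string $text): string
{
    return '<div style="white-space: pre-wrap">'
        . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Constructed sample input: a hostile post mixing formatting and markup.
$posted = "First line\r\n\r\n    indented <b>bold?</b>\n<script>alert(document.cookie)</script>";

echo renderPlainText($posted), "\n\n";
echo renderPlainTextCss($posted), "\n";
```

The order matters: escaping must come first and nl2br() second, otherwise the `<br>` tags the server inserted would be escaped along with the user's text. If you later want bold or links, the same principle applies: parse a restricted markup of your own (Markdown, BBCode) from the escaped text rather than letting raw HTML through.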
Do any SO users know anything about these security flaws that have emerged from the German government of all people?
http://www.guardian.co.uk/technology/2010/aug/05/apple-security-weakness-ipad-iphone
Is it possible to understand what sort of vulnerabilities this type of hack could have (e.g. on debit/credit cards?)
...
One of the issues with using a Flash uploader controlled by Javascript (e.g. SWFUpload) is that Flash starts its own session when executing the upload script. This means that if the upload script authenticates the user, it will fail.
One way around this is to pass a PHPSESSID as a post parameter to the script. This isn't a perfect solut...
We have recently implemented htmlpurifier in our web-based application. Earlier we used to have regexes to match commonly known XSS injections (script, img, etc. etc). We realized that this wasn't good enough and hence moved to htmlpurifier. Now given that htmlpurifier is slow in working (very slow compared to the regex method we had ear...
I want to create an SQL sandbox that will allow users to execute arbitrary SELECT queries at a PostGIS database. Essentially, I want to allow users access to psql to play with.
Obviously this is a security disaster if write access is allowed. How can I create a system such that querying data is allowed, but there is no reasonable poss...
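As an added example (not code from the original post), the usual shape of such a sandbox is a dedicated database role that can only SELECT, combined with a read-only transaction and a statement timeout, while the application layer wraps the user's text as a subquery so it can never be more than one statement. The role, database and credentials below are assumptions.

```php
<?php
// Added example, not code from the original post: execute an untrusted SELECT
// against PostgreSQL/PostGIS through a dedicated read-only role. The role name,
// database name and credentials are assumptions.
//
// One-time setup as a superuser; this, not the PHP, is the actual boundary:
//   CREATE ROLE sandbox LOGIN PASSWORD '...' NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;
//   GRANT CONNECT ON DATABASE gis TO sandbox;
//   GRANT USAGE ON SCHEMA public TO sandbox;
//   GRANT SELECT ON ALL TABLES IN SCHEMA public TO sandbox;
//   REVOKE CREATE ON SCHEMA public FROM sandbox;
//   ALTER ROLE sandbox SET default_transaction_read_only = on;
//   ALTER ROLE sandbox SET statement_timeout = '5s';
//   ALTER ROLE sandbox SET temp_file_limit = '64MB';
//   ALTER ROLE sandbox CONNECTION LIMIT 5;

function runSandboxedSelect(string $userSql, int $maxRows = 1000): array
{
    $db = new PDO('pgsql:host=localhost;dbname=gis', 'sandbox', 'sandbox-password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    // Re-assert the role's defaults per request in case they are ever loosened:
    // a READ ONLY transaction rejects INSERT/UPDATE/DELETE/DDL, including
    // writes attempted from inside functions the query calls.
    $db->beginTransaction();
    $db->exec('SET TRANSACTION READ ONLY');
    $db->exec('SET LOCAL statement_timeout = 5000');

    try {
        // Embedding the text as a subquery means a second statement smuggled in
        // after ";" is a syntax error, not a separate command, and the LIMIT
        // caps the rows returned regardless of what the user asked for.
        $wrapped = 'SELECT * FROM (' . rtrim($userSql, "; \t\r\n") . ') AS sandbox_q LIMIT ' . $maxRows;
        return $db->query($wrapped)->fetchAll(PDO::FETCH_ASSOC);
    } finally {
        // Nothing to keep: always roll back, even on success.
        $db->rollBack();
    }
}

// Constructed sample queries: a legitimate PostGIS query, a smuggled second
// statement (fails to parse inside the subquery), and a resource hog (killed
// by statement_timeout).
$examples = [
    "SELECT name, ST_AsText(geom) FROM places",
    "SELECT 1; DROP TABLE places",
    "SELECT pg_sleep(600)",
];
foreach ($examples as $sql) {
    try {
        printf("%d row(s) for: %s\n", count(runSandboxedSelect($sql)), $sql);
    } catch (PDOException $e) {
        printf("rejected: %s -> %s\n", $sql, $e->getMessage());
    }
}
```

The subquery wrapping and the read-only transaction cover different things: the wrapper stops multi-statement input and bounds output size, while the role privileges and READ ONLY mode stop writes that a single SELECT can still trigger (for example through a volatile function). Keep the sandbox database separate from anything the rest of the application writes to, so that even a bypass of one layer only exposes data you already intended to publish.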
Hi folks,
I plan on having an aspect of my site where the users can submit HTML, CSS, and JS, which is then generated 'live' into full working pages of HTML. Other users will be able to see this. These pages need to have working Javascript on them.
I understand that's a pretty major security flaw in itself, but it's very important this...
Hi,
I was working on understanding what the implications of granting a package a particular permission are. To my utter disbelief I could not find any material which would answer the questions satisfactorily.
1.) What permissions are reserved to be used by whom?
2.) What level of effect does granting a permission to an applica...
Hi, we've implemented a system similar to the one described in this other SO post. Basically, if the user doesn't do anything for 14 minutes, we prompt them that they will be logged out. If they click on "keep me logged in" we do an ajax request to keep their session alive, otherwise, they are redirected to the logout page after a minute...
I'm using UNLINK with PHP and AJAX. I know that this way is very dangerous, because anyone can delete any file. But I need to use AJAX because I can't reload the page when I delete the files.
So what should I do to allow only the user who owns a file to delete it?
Please let me know other things too if you think I'm doing h...
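As an added example (not code from the original post), here is an AJAX delete endpoint that resolves the file from a server-side record keyed by file id and owner, never from a client-supplied path, and confirms the resolved path is inside the upload directory before calling unlink(). The session field, `files` table, column names, upload directory and SQLite connection are assumptions.

```php
<?php
// Added example, not code from the original post: delete a file via AJAX only
// if the logged-in user owns it. Assumes a session containing user_id, a
// `files` table (id, owner_id, stored_name) and uploads stored under UPLOAD_DIR
// with server-generated names. Table, column and constant names are assumptions.

const UPLOAD_DIR = '/var/www/uploads';

function deleteOwnedFile(PDO $db, int $userId, int $fileId): bool
{
    // Look the file up by (id, owner) so the ownership check is part of the query.
    $stmt = $db->prepare('SELECT stored_name FROM files WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $fileId, ':owner' => $userId]);
    $storedName = $stmt->fetchColumn();
    if ($storedName === false) {
        return false; // not found or not owned by this user: same answer either way
    }

    // Never build the path from client input. Even with the DB lookup, confirm
    // the resolved path really lives inside UPLOAD_DIR before unlinking.
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . basename($storedName));
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // Delete the row and the file together; if unlink fails, keep the row.
    $db->beginTransaction();
    $del = $db->prepare('DELETE FROM files WHERE id = :id AND owner_id = :owner');
    $del->execute([':id' => $fileId, ':owner' => $userId]);
    if ($del->rowCount() !== 1 || !unlink($path)) {
        $db->rollBack();
        return false;
    }
    $db->commit();
    return true;
}

// delete.php: the endpoint the AJAX call posts to.
session_start();
header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit;
}
// CSRF: the AJAX request must echo back a token that was stored in the session
// when the page was rendered, otherwise another site could trigger deletions.
if (!isset($_POST['csrf'], $_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
    http_response_code(403);
    exit;
}
$fileId = filter_input(INPUT_POST, 'file_id', FILTER_VALIDATE_INT);
if ($fileId === false || $fileId === null) {
    http_response_code(400);
    exit;
}

$db = new PDO('sqlite:' . __DIR__ . '/app.sqlite'); // assumption: SQLite for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo json_encode(['deleted' => deleteOwnedFile($db, (int) $_SESSION['user_id'], $fileId)]);
```

The client sends only an opaque file id and the CSRF token; because the filename comes from the database and is still checked against the upload directory, a request for `../../etc/passwd` or for another user's id fails the same way as a request for a file that does not exist.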
Hi all,
As I say in the title of my question, I don't succeed in configuring Spring Security...
I've followed two articles written by James Ward or Jettro Coenradie, but I still don't have it!
First I tried to make all this work in a fake project, and it worked well; then I tried in the "real" project. The configuration files are ...
Ruby's safe mode disallows the use of tainted data by potentially dangerous operations. It varies in levels, 0 being disabled, and then 1-4 for levels of security. What vulnerabilities are possible when safe mode is enabled? Do you know of any CVE numbers issued to a ruby program when safe mode is enabled? What CWE Violations (or cw...
Which one is the best approach/method to implement security in J2EE? (JPA/JSPs)
I'm working on a personal project so I can learn J2EE, and I am a little confused on how to approach the AUTHORIZATION and AUTHENTICATION process on my website.
I have different roles and I don't want certain users to access certain parts of the website. So I'...
I am looking for something like https, but backwards. The user generates their own private key (in advance) and then (only later) provides the web application with the associated public key. This part of the exchange should (if necessary) occur out-of-band. Communication is then encrypted/decrypted with these keys.
I've thought of some...