Hi,
I am using Forms Authentication in my VS-2005 website.
In case of wrong credentials or while explicitly requesting protected pages the website is able to redirect user to login page. However, when correct login credentials are provided the application is not able to redirect the user to the desired page.
While debugging I found tha...
Please refer to the answer provided here.
Just wanted to understand what the legal implications are if someone really exploited such a security hole to disrupt the system. Will he be legally charged for such an act, and what kind of punishment / penalty will be levied?
As Cyber laws differ from country to country, please refer to the loca...
Hi all,
I cannot get an encryption class to work (it's in a separate file in the classes folder). The code for the class is:
class SymmetricCrypt
{
// Encryption/decryption key.
private static $msSecretKey = "Hello";
// The initialisation vector.
private static $msHexaIv = "c7098adc8d6128b5d4b4f7b2fe7f7f05";
// Us...
Hi guys,
I'm not clear about the security-related catalog views in SQL Server 2005 or 2008. I want to list all logins, their server roles, their corresponding users in all databases, and all database roles in one query. How can I write the query?
I know there are some catalog views to use, but I'm not familiar with their relation. These catalo...
I wrote a method with PrincipalPermissionAttribute, then I run this method but I get an exception - a security exception.
It happens because I don't know which principal is running.
I try to get the current principal by
Thread.GetCurrntPrincipal()
but I have a casting problem.
My question is how I know the principal who is running and...
I am trying to find information on Virt-ICE, a malware debugger/analysis tool presented at the most recent Black Hat conference. I have read through the white paper Virt-ICE: Next-generation Debugger for Malware Analysis and am now looking for something more. It sounds fascinating and I would love to dig deeper.
Here is what I have foun...
Digital signature, if I understood right, means sending the message in clear along with a hash of the message which is encrypted using a private key.
The recipient of the message calculates the hash, decrypts the received hash using the public key, then compares the two hashes for a match.
How safe is this? I mean, you can obtain the ...
I am currently doing a website in php, we are using a Session variable to store the permission level of each user.
For example, if any one of you would go on the website, you would automatically get a session variable with a value of "member".
What I am asking is: Is it possible for an attacker to go on the website and modify the value...
I have an application that reads/writes from/to message queues on remote application servers. The clients usually run on machines outside of the servers' domains/forests with no trust setup.
In Windows XP this was no problem, but with the introduction of Windows 7 it stopped working.
After some research I found the suggested Registry ...
We're running MySQL 5.1 on CentOS 5 and I need to securely wipe data. Simply issuing a DELETE query isn't an option, we need to comply with DoD file deletion standards. This will be done on a live production server without taking MySQL down. Short of taking the server down and using a secure deletion utility on the DB files is there a wa...
I am considering using AHAH extensively on a project and am concerned about security. Couldn't an attacker inject malicious code into my response that would then be executed in the client? If my AJAX response is JSON, I don't have to worry about this because if things are tampered with the JSON will no longer be valid.
On the other hand...
I've read several articles about how to use Attached Properties to bind to the value of a PasswordBox in WPF. However, every article also references the .NET documentation which explains why the PasswordBox was not made bindable in the first place.
I do not consider myself a security expert by any means, but I figure that someone at Mi...
Hello,
I am interested in purchasing an SSL/TLS certificate for my website and I would like to know which retailer allows me to add my custom message in the green address bar like in this image: http://tinyurl.com/33yug4y
You can see there : "COMPANIA NATIONALA DE TRANSPORTURI AERIENE ..."
I want something like that too.
...
I wonder how safe SSH is, especially in the state of authentication/initialization. Is there any way for a hacker to sniff some "hashkeys" or stuff to decrypt my stream? Or is SSH completely safe, with no yet known bugs or weaknesses?
I read some text on that topic, but almost all of them don't cover such special cases. At best they only t...
Okay I have a folder say... http://oldserver.net/file/index.jar
How would I be able to protect the file "index.jar" from being downloaded from regular web browsers?
I've seen this done before, I just want to protect it from being accessed from web browsers, and keep it strictly java download access only.
What I mean by java download a...
The user I have should have access to all tables in a database - SELECT, INSERT, UPDATE, DELETE and EXECUTE (ASP code to blame :-P) except for 1 table e.g. users.
When granting db_datareader and db_datawriter this gives them full access to everything and removing the DELETE permission on the users table will not work.
There are over 60...
Does anyone know of any script injection scanners that are able to detect if your website has been compromised (i.e. javascript that has been injected that should just not be there)?
Update: found what I was looking for - http://sucuri.net/
...
In an application I'm working on I've found a weak escape function to prevent injection. I'm trying to prove this, but I'm having trouble coming up with a simple example.
The escape function works as follows (PHP example).
function escape($value) {
$value = str_replace("'","''",$value);
$value = str_replace("\\","\\\\",$value);
...
We're trying to enable our rich client C++ Windows application to utilise DoD CAC cards.
We're using a third party library to secure our client/server communication using SSL, and it recognises/handles generic smart cards, but only if the certificate was created by its own, bundled application.
Why? Isn't a certificate a certificate? H...
What is the point of doing this?
I want a reason why it's a good idea to send a person back to where they came from if the referrer is outside of the domain. I want to know why a handful of websites out there insist that this is good practice. It's easily exploitable, easily bypassed by anyone who's logging in with malicious intent, an...