security

How can I ensure that parent_id is set correctly when creating new item based on existing item?

The Problem Funny problem. Funny because it looks casual until you start thinking about it. Let's say I allow people to create items based on other items. You can open /items/new?id=3 and unlike your regular new action, instead of seeing an empty form, you will be seeing a form pre-populated with values from item-3. So unlike your avera...

Brute force a confirmation code?

I have a site, and for a user to reset their account a confirmation code is emailed to them; however, after talking it over, it seems this could be a huge security hole. I'd like to make a small app that I can use to show my boss how unsafe the site is. Basically, the code's length is 12 characters with the last 4 being fixed and it only u...

Which Tastes Better for Security, Java or .NET?

Both of these two languages are safe from a security point of view, each at its own level, but which one tastes better w.r.t. your working experience? Or does the security depend entirely on the programmer? The types of vulnerabilities found in .NET code are different from the types of vulnerabilities found in Java code. It's true that Micros...

database security

I've been reading about database security when it comes to websites. And it says an attacker could steal a database and then have as much time as he wants to get all the users' passwords. If an attacker stole the database, why would he need the passwords, as the authentication is done in PHP? So he could just access all the users' informa...

receiving xml files via http post - security

Hi, I've a basic PHP script set up on a web server to accept XML files sent via HTTP POST. So far so good. But I'm wondering about security issues and what other things I would need to be aware of before I could put this live. Has anyone done this before, and what things should I be aware of? Basically all I have so far is: <?...

Cause of Google App Engine's security warning while using Open ID (e.g. in Firefox)?

Basically, the prelude to this question can be found here: https://groups.google.com/group/google-appengine/browse_thread/thread/d8bc09d56626e82a/7ed967150c9ce025 Setup: Google App Engine 1.3.5 (1274741460) Open ID for Authentication Firefox 3.6.X On return from the open-id provider's login-page, Firefox complains: Although t...

Java Application with Multiple JAAS Security Realms

Hi, I was wondering if it was possible to have a Java EE application with multiple JAAS security realms. I'm currently developing an application in which some users need to be authenticated with data stored in a database, while other users need to be authenticated through an LDAP bind. So I created 2 security realms in glassfish 3.1...

Security vulnerability testing tool for .NET web applications?

Hi, I am planning to check my website against all common security vulnerabilities like cross-site scripting, SQL injection, etc. Can somebody tell me if there is any automated tool which I can run on my .NET web app to find all the security flaws that exist? I tried CAT.NET but it is not able to support big apps. I saw OWASP, but again it is a...

Can I use Object#hashCode to store the hash of a password?

To save a file I defined the following method: public int encrypt(String fileName, String password) { return (fileName.concat(password)).hashCode(); } This returns a hash value that is stored in a file. Whenever the user wants to access the file, he enters the password, and if the same hash is generated, he can access the file. I su...

using openid in secure way without captcha

Hi, I'm building a web2.0 social networking app. I've got jquery and tomcat. I don't want to use tomcat sessions at all, but still want secure login. So I'm looking at openid, like used in stackoverflow. I want to build my own ui, so I assume I use the openid libraries. My question is, assuming that a persistent cookie is left in t...

Storing SSL cert in source control

Would there be a security issue with storing the SSL cert for your web app in the source code repository, SO LONG AS you were NOT storing your private key as well? I'm a little spoiled by how easy it is to use source control to make a backup of such things, and want to make the most of it, but I also don't want to be sloppy about its us...

File permissions

Hi all, I have a question regarding file permissions. I have created a log file, let's say "logfile.log", which traps certain errors. Now, in order for it to be writable, I set its permissions to 777. But when I do this, it is then accessible to anyone to read via their browser. How would I go about solving this issue? Thanks ...

Best place to hide secret keys?

I am looking for advice on where to store encryption keys and other sensitive application data. Is a certificate on a USB stick really the way to go here? What can you do to keep your secret keys safe? ...

Building a Wikipedia on ASP.NET(learning exercise). How to clean untrusted data, but keep formatting?

I want to give end users the ability to save HTML to my backend store. Since this feature could easily cause SQL Injection, and loads of other issues, does anyone know of a server side library that will clean the input so only the "safe" parts of HTML can be used? Some things I'd like to avoid: Object Tag use JavaScript use Windows ...

Access Hardware Information Using ASP.Net

Our PC Techs are having to go around our company and write down information about every PC within the company (OS, CPU speed, memory). Is there any way to gather this information through ASP.NET? I know you can do it using WinForms, and I know there is also a security risk, but all that aside, is it still possible? ...

secure include files

Hi everyone. I'd like to know the BEST solution to secure include files. For now my solution is this: in the index file: define('KEY','security'); include('s.php'); s.php: if(KEY!='security') exit; ...

Msmq authentication from asp.net site

If you have an ASP.NET site sending messages to a remote queue, how do you handle authentication? If Windows Authentication is turned off, the network service sends a message to the remote queue. Does that mean that in the security tab of the queue, I need to add the network service of the server sending the message? (By the way, I do not...

How should I be writing the HTML etc for security roles in the application I've inherited?

Hello everyone, As the title suggests, I've inherited a php/MySQL application which has fairly well written procedural code, but only has one admin user login. The client naturally wants to split out functionality into different users/roles and ultimately update the application code with best-practice techniques. For the example of upd...

How to manage references to permissions in the code and in the database?

How do people manage permissions between their code base and the database? For example, my application is becoming littered with: if($objects['username']['access_type'] == 'edit'){ // print the HTML to edit the username } or in OO: if($user->getPermission('username')->canEdit()){ // print the HTML to edit the username } How...

Accessing locally hosted (IIS 6) site from XP Pro on domain from other same-domain PCs...

When my colleagues try to access a site hosted under a virtual directory on my local machine's IIS they get a pop up dialog asking for their domain username and password. When my credentials are entered they then get access to the sites hosted on my PC. How do I disable/stop/get around this dialog? I want everyone requesting sites on my ...