I have a WCF service on two machines in a preproduction environment, machine A and machine B.
Only on machine B does the service fail when I call it (from a BizTalk process); the other machine works fine.
The configuration of service in both machines is the same.
I get this error:
System.NotSupportedException,
mscorlib, Version=2.0.0.0,
...
Hi folks,
I've written a basic 'security checker' for my webapp. I'll need to see at a glance whether user-submitted code contains evil stuff.
Here is a screenshot of the code that I'm running this against right now: http://cl.ly/677a6dc40034f096697f
Here is the PHP code I'm using against these three bits of code:
<!-- The View -->
...
If my webserver just serves static pages and my HTML pages allow users to run any JavaScript, can a 'bad' user do any damage to me?
p.s.
There is lots of talk about watching out for XSS, and what I am doing is even worse.
I am letting the user inject his/her JavaScript.
What I don't get is what damage they can do?
Thanks
...
Google turns up all sorts of discussions on sanitizing queries for web access but I'm not finding anything addressing what I'm concerned with:
Sanitizing user input data in a c# program. This must be done by a reversible transformation, not by removal. As a simple example of the problem I don't want to mangle Irish names.
What's the ...
I have to implement a "bad words" filter on my website, which is a classifieds website.
I have a big list of "bad words" but don't know which method is best to compare the user inputs to.
In my case, a textarea inside a form needs to be checked for "bad words".
<form name="test" action="test.php" method="post">
Inside test.php I...
Hi, I'm trying to pass a URL to a website so it can be opened in an iframe. The URL is for a registration confirmation so users get their ID / password. I know how to do that and the URL opens fine, but what are the implications for the website it is being passed to (it is an online store)?
Here is the script on the store site:
<?
echo ...
I was wondering whether or not it is considered a good style to call bash commands within a Python script using os.system(). I was also wondering whether or not it is safe to do so as well.
I know how to implement some of the functionality I need in Bash and in Python, but it is much simpler and more intuitive to implement it in Bash. H...
Hello
I am preparing to set up a request routing system in PHP based on the $_GET array.
For example, for the URL ?r=login I'd use include "myfiles/".$_GET['r'].".php";
which would point automatically to myfiles/login.php
I know I need to sanitise the get input, but I'm concerned as it is possible to maliciously redirect the include. Ca...
I have a classifieds website, and when users post a new classified, they may choose to upload images.
My PHP code takes the chosen image, uploads it to an image folder, and names it accordingly.
The problem here is, I have to set the images folder to 777 in order for this to work.
My question is, what should the permissions be set to? A...
This might be a noob question, but can't find an answer anywhere.
I have a problem, which http://stackoverflow.com/questions/3483832/another-file-permissions-problem has helped me to ALMOST solve.
I have created a user in Linux (danny) which has sudo access.
I have also created a new group whose name is ALSO danny, and added the user ...
Whilst reading 'Gray Hat Hacking', I encountered this statement
Applications and operating systems use each other's components, users
download different code to extend functionality, DLLs are installed and shared, and
instead of application-to-operating system communication, today many applications
communicate directly with eac...
The url would be something like this:
www.example.com/index.php?file=myFile.ext
The filtering would only allow letters and numbers in the file, and only one dot.
The filtering would not give characters from the input to the file functions; instead, for every allowed character it matches in an internal array, it copies the character...
PHP:
$SQL = "SELECT goodies FROM stash WHERE secret='" .
str_replace("'",'',$_POST['secret']) .
"'";
Could an evil genius hacker inject SQL into my SELECT? How?
...
I have a classifieds website.
I as an administrator need to be able to remove classifieds as I wish... So I have created a very simple remove function which only requires the name of the classified.
I plan on placing it on the server ONLY when I need to remove classifieds, so it won't be there unless I upload it and plan on using it. Th...
Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token:
http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2
Why have both? Why not...
Hi there, as I understand site collection security, a member of a given site collection cannot view another site collection where he has no membership. My problem is that any user from a given site collection can view other site collections easily. How is that? By the way, this user is not an administrator, he is a domain user, with approve...
We build sites that have a public (non-secured) area and secured (delivered over HTTPS) area and we use jQuery library.
Recently I suggested we use Google CDN for jQuery delivery. Some of my colleagues expressed concerns with regard to the security aspect of this way of delivering JavaScript libraries. For example, they mention the scenario ...
I have a simple site to develop and would like to learn PHP as I go. I want the site to be secure, scalable, and easy to maintain. Should I learn a framework and PHP simultaneously? If I build off of a framework there will be lots of unfamiliar code in play. Would you say this increases security risks?
...
I have trac set up together with subversion. I want to allow some people to be able to add tickets, but I don't want them to access the repository. There will be other users who will be able to access the repo via trac. Currently I am using Apache 2 for authentication.
How secure is trac? How difficult is it for someone with limited acc...
I'm working on a web application using ASP.NET 4.0, C#, and IIS7. The web application is a content management system that defines multiple user roles, such as editor and administrator. These users and roles are managed by the ASP.NET membership framework, and the associated database tables are integrated into the web app's database usin...