security

Session hijacking and PHP

Hi guys. Let's just consider the trust that the server has with the user. Session fixation: To avoid the fixation I use "session_regenerate_id()" ONLY in authentication (login.php). Session sidejacking: SSL encryption for the entire site. Am I safe? Thanks. ...

Get NSUserDefaults Data from device

I have created an application in which I have used base64 encoding and saved the user password into NSUserDefaults, but somehow another iPhone developer broke that password. I wonder how he could have got the NSUserDefaults data? Does someone know how to stop this critical thing and also how he got the NSUserDefaults data? Also what is the b...

How to check if Silverlight is ready for a user-initiated OpenFileDialog?

Hi, there is the security issue that "Dialogs must be user-initiated." in Silverlight (see question 1355078). There is "a timer in silverlight" and a "UserInitiated" flag that is used to do the check (see silverlight forums). That's why you should not set break points before code involved in the procedure. The problem now is, if SL is r...

Hash values not matching (possibly encoding-related?)

Hi folks, I'm sending a value from my front-end (Flex) to the back end (Oracle) along with a hash on the value. From my front-end, I'm using the as3corelib library from Google Code to compute a HMAC hash value using the SHA1 algorithm: com.adobe.crypto.HMAC.hash(mySecret, myMessage, com.adobe.crypto.SHA1); At the back-end, I'm using...

Redirecting https to http in Magento with checkout exception (Apache)

Hey guys, I am using a Magento installation with the one step checkout plugin, meaning I have very few pages that need https. I want to control https search indexing and user access by redirecting the whole https version of the site, except of course for the secure checkout. The secure checkout section is /onestepcheckout/ (and also inc...

Hide/Show content using ActionFilterAttribute/AuthorizeAttribute

I'm using MVC 2 with futures, and I'm trying to hide/show content based on role. Is there a way with ActionFilterAttribute or AuthorizeAttribute, if the authentication fails, to not show the controller child action, all through attributes? Or is all I can do with those attributes redirect or throw up an error message? I just need the ...

.net Assembly security question

I am creating an app with several DLLs and thought I could just call Assembly.GetPublicKey() at run time and see if the DLLs were signed by me. However, I now see there's a SetPublicKey method on the Assembly. Doesn't it make it easy for anyone to spoof my DLLs? Or am I checking the signature of the DLLs the wrong way? Update: I have a ...

What is possible with XSS with Flashvars? How to prevent it?

Recently a client was concerned that their SWF was "insecure" because the XML path was coming from Flashvars. This seems to me to be something that isn't really a concern as the SWF is only displaying images / text and a few button links. I can understand how someone could path to the swf and add a remote XML path in to add javascript to...

Brute force attack failsafe login in asp.net

I just read an article saying that passwords with 7 characters are no longer safe. However, if the server increases the time to retry a login attempt after each login attempt, then brute force attacks are useless. How do you create such logic in asp.net? Somehow I guess the server side code needs to remember the IP address that tried to ...

Ruby on Rails API Security

For a recent project a friend of mine and I have been working on, we want to build a RESTful web API for client application usage. I believe that I have a fairly good grasp of the top-down picture after reading this, but am fairly clueless when it comes to security issues. I know of OAuth and plan on implementing it, but are there any o...

COM security on Windows Server 2008

I have a .NET library that I'm registering for COM interop. Everything works fine on my machine (Windows 7 x64) -- I register the library using regasm and VBScript can run CreateObject just fine. I unregister it and CreateObject fails. Just as you'd expect. However, when I put this exact same library on my server (Windows Server 2008...

What is the reason for using "user_Id:password" for PKCS11 when it only accepts a pin?

With respect to Oracle Database 11g transparent data encryption (TDE) with HSM, I understand that the following command is used to set the master encryption key. However, why does a user_Id have to be specified when the PKCS#11 library for the corresponding HSM only requires a PIN? SQL> ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "use...

Missing documentation for Oracle Database 11g TDE master key

I have looked through the whole set of "Oracle Database 11g Release 2 (11.2) Documentation" searching for the details of the master encryption key used for transparent data encryption (TDE) with HSM. There was only a single insignificant line out of the whole set of documentation that says it makes use of AES. What surprised me was that...

Which PKCS#11 function does Oracle Database 11g make use of?

I am currently in the process of coming up with a PKCS#11 library with minimal functions such that my legacy HSM is able to support the Oracle database 11g transparent data encryption (TDE). I do not want to come up with the complete PKCS#11 library with all the functions since all I need is to support Oracle database. In addition, codin...

Building a secure single-app API

I'm working on an iOS app which will need a server backend for users to grab data from, but the data isn't stuff that I'd like any packet-sniffer to be able to use. I'll be paying to access the data, so I'd like to ensure that if something is connecting to my API to request data, it is in fact MY app, and not some dude who wants free inf...

Does my PHP security algorithm effectively store user credentials?

This question is about a specific programming problem I am having - I want to make sure that my code (and software algorithm) are sufficient enough to store user credentials in a database. // Get a 32 character salt like '69Mt6nexL1rsjWnu011S53MpB/WmT4Vl' $passwordSalt = Security::generateBase64Salt(); $user = new User(); $user->setUse...

Are remote flash files vulnerable?

Currently I allow users to add application/x-shockwave-flash objects to their profiles on my website. I've only filtered the URL, and the content-type is set to "application/x-shockwave-flash". Are there any vulnerabilities in allowing my users to link to remote flash/video files? ...

Securing a URL using a username-password

I am working on creating a toolbar application that will invoke a URL on the server and increase a user's points (as an incentive to use the toolbar). Right now the URL is a GET (I can and will change it to POST). The issue is, I need to make sure that someone cannot, using any sort of a hack, increase the points. The URL is of course a pu...

Servlet Parameter Encryption

Hi, still learning JSP web applications here. I have been doing this for a while in my web application, but I would like to know a more secure solution. Imagine a table that displays certain book information. When the user clicks one of the rows in the table, I basically send the BookID together with the URL. Example URL: http://locath...

User permissions in WMI

Does anyone know which WMI class is to be used to get information on which users or user groups have permission for a given folder? ...