security

XAML Security, Injection, In-Place Editing

I'm working on a new WPF application and we've been experimenting with some attached / dependency properties and triggers to do some things in our XAML. The question came up the other day about the ease of editing XAML in an existing executable. Similar to an IL dump / injection, if someone could export XAML, edit it, and re-package it s...

Forced browsing

I am having a security issue: the user can use the forced browsing technique to traverse to a page which is not accessible to them. Is there any way that I can stop it? Visual Basic, .NET 3.5 ...

How to Encrypt Clipboard?

Can the contents of the clipboard be encrypted? For example, say that to circumvent keyloggers, users copy and paste passwords from an encrypted file, but now the password lives unencrypted in the clipboard. Is there a way to prevent this behavior without breaking copy/paste, or running some script function that scrambles the clipboard ...

What should a merchant site worry about when implementing a payment gateway?

I have to implement a payment gateway for a website I am maintaining, and I haven't done anything like this before. Previously to implement payment processing, the site would build a transaction and send it directly to the payment processor and await a result. Since the site handled the gathering of credit card information, building of t...

Many hash iterations: append salt every time?

I have used unsalted md5/sha1 for a long time, but as this method isn't really secure (and is getting even less secure as time goes by) I decided to switch to a salted sha512. Furthermore I want to slow the generation of the hash down by using many iterations (e.g. 100). My question is whether I should append the salt on every iteration o...

How to block HTTP access to a Git repository?

I'm playing around with the idea of using Git for deployment and updates of my web applications, but the problem is that by doing it the way I'm doing it, the .git directory (and therefore all my source code) would be accessible via HTTP. This is what is holding me back from really implementing this idea. How do I prevent HTTP access to...

Need a secure way to publicly display hash values

I am building a Windows application to store backups of sensitive files. The purpose of my application is to store a copy of a file with its hash. The program or user will then display the hash publicly in case the user needs to prove they had the backup of the sensitive file at a certain time. Motivation: Some situations where this m...

Looking for a model explaining the internal structure of a PGP-signed & encrypted file

I'm trying to debug & extend an existing piece of Java code using BouncyCastle to decrypt and verify secured attachments. I've looked through the BouncyCastle samples, but what is harder to extract from there is a model of what a PGP-secured attachment looks like. From the code and various errors I can infer there is something repres...

How to prevent external XML file modification?

Hi guys, I'm coding a little library which will handle XML files to store some data, and I need this data to be handled only by the methods I provide in my library. I know that XML is readable for both human and machine, and that if somebody really wants to modify the XML file he'll probably do it, so... do any of you have an idea that ...

Websites and Database Views

What are the security implications of websites accessing database views instead of using stored procedures? The views in question are only being read from, not written to. Edit: The applications in question are ASP.NET MVC 2 using the Entity Framework (v.4). ...

Hash Passwords PHP

I have a very basic logon system that authenticates users by means of a user table in a MySQL database with PHP. Can someone explain what the point of hashing passwords is, how to do it with PHP, and what is actually stored in the database? Thanks ...

Would this cookie system be secure for storing passwords?

I'd like input on this cookie password storing security system. When the user ticks the remember me box, it stores these cookies: User name in plain text. Password encrypted with a completely random key that the server stores in the database, that is never passed to the client and is user-specific, and changes with every login. And the se...

Impact of Microsoft Security Advisory (2269637) on .NET coding

Microsoft released Security Advisory (2269637) Insecure Library Loading Could Allow Remote Code Execution. The note refers to a tool that will help to detect this problem and programming guidelines on Dynamic-Link Library Security. How do these guidelines translate to .NET development? I assume this only affects Platform Invoke. Does...

Security of ClickOnce application

I have an application (exe) that uses some strongly named DLLs. If I understand that correctly, nobody can replace the DLLs with their own prepared versions, because they will not be signed. Nobody can replace the exe either, because it's secured by signing the manifest. But what if somebody prepares their own exe and changes the signat...

Why do salts make dictionary attacks 'impossible'?

Possible Duplicate: Need some help understanding password salt. Update: Please note I am not asking what a salt is, what a rainbow table is, what a dictionary attack is, or what the purpose of a salt is. I am querying: If you know the user's salt and hash, isn't it quite easy to calculate their password? I understand the proces...

How to ensure a user owns or belongs to a resource when navigating to a route (ASP.NET MVC)

I am wondering how to ensure that an employee cannot access information from another company. This is not an authentication / roles based question on applying roles or permissions to actions, but rather ensuring that the data somebody is trying to access actually belongs to them. Users belong to a department which in turn belongs to a com...

Safe implementation of script tag hack to do XSS?

Like a lot of developers, I want to make JavaScript served up by Server "A" talk to a web service on Server "B" but am stymied by the current incarnation of same origin policy. The most secure means of overcoming this (that I can find) is a server script that sits on Server "A" and acts as a proxy between it and "B". But if I want to dep...

Can JSF standard validation prevent code injection?

In my project, I do duplicate validation at the presentation layer as well as the persistence layer with the hope of increasing security. So my question is: can standard JSF validation prevent code injections? <h:inputText id="name" value="#{bean.customer.name}" required="true" requiredMessage="Validation Error: Value is required." title=...

Cracking a secure key

Another simple question from silly old me. We keep hearing big numbers being thrown around; for example, the key 234234-234WEF-ER334AS-3535FWF would take 20 billion gabizillion years for anyone to crack. Could someone explain how you even know when you have cracked it? If you have permutated a trillion combinations, how do you know...

Unable to add security token for identity

I am trying to hit a web service from my DEV box which is giving the error "Unable to add security token for identity". I have heard that it is just happening for Windows 7, but not Vista or any other Windows. Is there any setting that needs to be done in order to get around that? ...