security

Which use of AdjustTokenPrivileges in KB131065 is correct?

KB131065 demonstrates how to activate SeDebugPrivilege to open a handle to any process. It has a function named SetPrivilege that calls AdjustTokenPrivileges, but there are two implementations and no mention why. The first implementation calls ATP in two passes: // // first pass. get current privilege setting // tp.PrivilegeCount ...

Authenticating a user over HTTP (instead of HTTPS)

INITIAL NOTE: This is just for a personal tinkering project; I'm not writing enterprise security here, and if I were, I'd know better than to try to write my own scheme. :-D EDIT: To stress the above point, I tried to tag this under "iKnowThisWouldBeABadIdeaInRealLife", but SO wouldn't accept it because it was >25 chars. Just be aware...

GWT/Javascript client side password encryption

I'm implementing authorization in my gwt app, and at the moment it's done in the following fashion: The user signs up by putting his credentials in a form, and I send them in clear text to the server The server code hashes the received password using BCrypt and puts the hash in a database When the user wishes to log in, his password is...

Logout hashes, how are they handled?

What's the way the logout hashes are usually handled in PHP? On a lot of sites there are usually logout hashes to confirm that the user that's logging out is the correct user. How is this usually handled? Examples http://domain.com/user/logout/nil4ytwojytjwoytjwy5tw5 nil4ytwojytjwoytjwy5tw5 being the hash Just an update of my res...

PHP: Is it secure to use index.php as the bootstrap?

I ask because it seems like the only thing ever called in a proper app index.php file is the require_once bootstrap file. I'm assuming this adds a layer of security but if not, this pattern seems pointless. Why not just use the index.php file as the bootstrap? Any opinions, cautions, thoughts etc. are appreciated! (By the way, my htacce...

SQL Server security, read-only default to new databases

How do I set a Windows login on SQL Server so that it has read-only access to any database on the server, and will default to having read-only access to any subsequently added database. I would prefer T-SQL code. I am using SQL 2000 ...

Synchronous SSL certificate handling on iPhone

Hi, I was wondering if anyone can help me understand how to add SSL certificate handling to synchronous connections to a https service. I know how to do this with asynchronous connections but not synchronous. NSString *URLpath = @"https://mydomain.com/"; NSURL *myURL = [[NSURL alloc] initWithString:URLpath]; N...

Change text to dots in text field with CSS/Javascript

Hey all, is there a way to "mask" the input of a text field to act like a password field (to show dots instead of text) without making the text box of type password? We prefer CSS to JavaScript... any ideas? ...

Hashing function with partially-reversible part

Hello again. Is there any known hashing algorithm which for similar input returns similar output? I need it for creating 'tickets' without checking them against the DB. My idea is that I create a token carrying (userID and timestamp) (not reversible), pass this token along with the userID, and am able to check if the token has the given userID,...
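The stated goal (a ticket bound to a userID and timestamp that the server can check without a database lookup) is usually met with a keyed MAC rather than a similarity-preserving hash: the server keeps a secret key, issues `userID.timestamp.HMAC(key, userID.timestamp)`, and on presentation recomputes the MAC and checks the user and the age. The following is an added example of that pattern, not code from the question or its answers; the key, the TTL and the dotted ticket layout are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumed server-side secret for the example. Load it from a secrets store
# in a real deployment; anyone holding it can mint tickets for any user.
SECRET_KEY = b"example-secret-key-change-me"
TICKET_TTL_SECONDS = 3600  # assumed lifetime of a ticket


def make_ticket(user_id: int, issued_at: Optional[int] = None,
                key: bytes = SECRET_KEY) -> str:
    """Issue 'user_id.issued_at.mac', mac = HMAC-SHA256(key, 'user_id.issued_at')."""
    if issued_at is None:
        issued_at = int(time.time())
    payload = f"{user_id}.{issued_at}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    mac_b64 = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{payload.decode()}.{mac_b64}"


def verify_ticket(ticket: str, expected_user_id: int,
                  now: Optional[int] = None, key: bytes = SECRET_KEY,
                  ttl: int = TICKET_TTL_SECONDS) -> bool:
    """Return True only if the MAC is valid, the user matches and the ticket is fresh.

    No database access is needed: the user id and timestamp travel in the
    ticket, and the MAC proves the server issued them unmodified.
    """
    if now is None:
        now = int(time.time())
    parts = ticket.split(".")
    if len(parts) != 3:
        return False
    uid_str, ts_str, mac_b64 = parts
    if not (uid_str.isdigit() and ts_str.isdigit()):
        return False

    # Recompute the MAC over exactly the bytes that were signed.
    payload = f"{uid_str}.{ts_str}".encode()
    expected_mac = hmac.new(key, payload, hashlib.sha256).digest()
    try:
        given_mac = base64.urlsafe_b64decode(mac_b64 + "=" * (-len(mac_b64) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected_mac, given_mac):
        return False
    if int(uid_str) != expected_user_id:
        return False

    issued_at = int(ts_str)
    # Reject tickets from the future (clock skew or forgery) and expired ones.
    if issued_at > now or now - issued_at > ttl:
        return False
    return True
```

Because the user id is inside the signed payload, changing it in the ticket invalidates the MAC; because the timestamp is signed too, the server can enforce expiry without storing anything. Revoking an individual ticket before it expires still requires server-side state, which is the usual trade-off of stateless tokens.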

Sign in with Twitter and Security for a Zend Framework App

Hi, I'm trying to replicate the functionality I've seen on a couple of sites: http://todaslistas.heroku.com http://endor.se The idea is you sign up and log in with Twitter using OAuth. Once you have authed the app at Twitter you then return to their site and they keep you logged in. In the case of each one they obviously base this o...

Suggest some good tutorials/links or ebooks to learn about computer networking security

Hello, I am a beginner in the field of computer network security, but I want to learn more so I can enhance my knowledge in this field. So please suggest some good tutorials or ebooks from which I can learn it from beginner to advanced level. Thanks in advance ...

How does Blackberry "blackjacking" work from a developers perspective?

Blackjacking is a technique used to connect internally to a corporate network using a typical BES device. It was announced at DefCon a few years back and is hardly new. How does this work, and what are the ways to reduce risk from this exploit? ...

Force File Download prompt in IE for .NET executable?

We have a .NET executable that we are hosting on a web server. The domain for the web server is set as a "Trusted Site" on the user's IE. When the user left clicks the link for the executable, it blows up with the error: "Microsoft IE Execute shell has encountered a problem and needs to close". From what I have read, it is because IE ...

Is there any way to prevent AJAX pages from being viewed alone in a browser?

For example, when I want to update a part of my page with AJAX I would normally make the appropriate call to getPost.php which would return the markup to be inserted into my page. Is there any way to prevent a user from accessing this page directly (eg: example.com/getPost.php with the appropriate GET or POST arguments) and getting only ...

Facebook Connect vs. Twitter OAuth - Security

I'm thinking about creating a web app where users may login via Facebook Connect or Twitter OAuth. I'm wondering how secure these logins are? Are there any security issues I should be concerned about? Thanks in advance for your advice and suggestions. ...

Two almost identical WIX projects - one works fine, the other fails with security issue.

Hello, I have WIX installers for two windows services. Both are installed using the same credentials, but one works while the other fails with the error "Service "PCP Event Processor-3.9.9.0-wix' (MyServiceExeName) could not be installed. Verify that you have sufficient privileges to install system services.". I use a common wxi file f...

restricting javascript widgets to certain domains

I need to create a webservice providing javascript widgets and ajax calls, which only run on certain domains. After doing a lot of research, I only came up with a combination of HTTP-Referer and API Keys, which is pretty easy to break with tools like RefControl, or am I missing something? Are there more secure solutions for this problem?...

Django - auth user with the email domain and no password

I have a request to alter a standard Django login of email and password to allow any user login without a password, but only if they are on a certain domain ... e.g. [email protected] ... where the user is allowed in due to them being on the correct domain. Any suggestions? Thanks ...

C#.NET: Acquire administrator rights?

Is it possible in a C#.NET application to request administrative rights on a Windows 7 PC? I want to be able to deploy the application via Click Once and have users use it to perform administrative tasks (in this case it is writing registry entries for the main application). ...

What is the best way to store secure information for later use?

My desktop application asks a user for proxy-server credentials to use later. But what is the best way to store this secure information for later use? ...