security

Why are WebSockets without Sec-WebSocket-Key1 insecure?

The old and superseded draft 75 of the WebSocket specification doesn't specify the HTTP request headers Sec-WebSocket-Key1 and Sec-WebSocket-Key2. Why does the latest draft include these, and what do they add in terms of increased security? ...

Decoding sniffed packets

I understand that each packet has some header that seems like a random mix of chars. On the other hand, the content itself can be in pure ASCII and therefore it might be human friendly. Some of the packets I sniffed were readable (raw HTML headers for sure). But some packets looked like this: 0000 00 15 af 51 68 b2 00 e0 98 be cf d6 0...

Handling Password Authentication over a Network

I'm writing a game which requires users to log in to their accounts in order to be able to play. What's the best way of transmitting passwords from client to server and storing them? I'm using Python and Twisted, if that's of any relevance. ...

Only import tables from a complete MySQL database export

If I have exported a .sql file with my database in it, can I then import only "parts" of that database into MySQL instead of the entire database? The question appeared when I was trying it out on a test database. I exported the test database. Then I emptied some of the tables in the database. Then I planned on importing from the .sql file...

Why can't I shut down my own ExecutorService under a SecurityManager?

Under the default security manager, if I create an ExecutorService (a ThreadPoolExecutor in this case), I cannot shut it down; shutdown() just calls checkPermission("modifyThread") and thus immediately dies: import java.util.concurrent.*; class A { public static void main( String[] args) { Thread ct = Thread.currentThread(); ...

How to set up Mercurial security, specifically the users

I have Mercurial set up by following these instructions. I'm trying to understand where or in what file to set up the users. Everything I've read seems kind of cryptic... it gives all these snippets of code saying use this, but it seems to be leaving out steps of how it's all connected and what file to put the snippets of code in... can so...

Advice on Rails sanitize() in the view or how secure is my code

I have a partial that contains this sanitize() code: <%= sanitize comment.body, :tags => %w(a b embed i img object p param), :attributes => %w(allowfullscreen allowscriptaccess href name src type value) %> I'd like users to be able to embed videos, links, pictures, use italics, bold, etc. How unsafe is this and if I put this on a liv...

How to securely store registration/login information like a password?

I am in the process of resecuring my registration on my website and want to ask if my password hashing is correct, or if there is any better, more secure way I can do it. I read somewhere that the salt can be written to the database on a per-user basis. This is my security so far: $salt = sha1(md5($activecode).$username); $username = m...

Drupal credit card security

What are the best security features (settings, modules) provided by Drupal for credit card transactions? Do you have any additional prevention techniques? If possible, please also post the important and necessary setting points. ...

Which HTML form attack vectors are there?

Hi, I am starting to have a look at HTML form security. So far my research has revealed three main attack vectors: cross-site request forgery (CSRF), cross-site scripting (XSS), and SQL injection. My question is: are there more attack vectors for HTML forms than these? I am interested in a list of possible attacks through HTML forms. ...

Self-referencing MD5 file

Hello: I'm developing a program that needs to load and save data in external files. I have been searching for options and I have chosen to save the data in a binary file. As I don't want anyone to be able to edit the file easily, I thought about writing its MD5 sum in the first line of the file. In this case, if some data of the file is...

Encryption service. Terminology to use?

I am writing a web service that acts as a proxy to many other services, and for each of these services I need to pass along the user's password for that particular service. I'd like to keep the password encryption details out of the main part of the service and let the client deal with another specialized part of the service (let's call...

UnmanagedCode permission. What is it?

The following code exists in LogEntry.cs in the Enterprise Library's Logging Application Block: private bool UnmanagedCodePermissionAvailable { get { if (!unmanagedCodePermissionAvailableInitialized) { // check whether the unmanaged code permission is available to avoid three potential stack walks bool internalUn...

Accessing the parent page with JavaScript inside an iframe

Is there any way to "break out" of an iframe? What I mean by this is that people will be placing my JavaScript tag inside an iframe (sometimes it ends up being nested iframes, but let's just deal with ONE for now). I'm trying to gather certain information, like where that iframe is located on the page. It's easy enough to do it when you...

Security sandbox question: how to test locally with remote files?

If I have a Flash file that I'd like to test locally (on my computer) but I have video files on a Flash video server and photos on another server, is there an easy way to set up my Flash file so I can do this? ...

How do I enable REST communication with Tomcat 7's CSRF protection?

I have two webapps. One is serving content to the other over XHR/REST calls. One is in Tomcat 7 (with CSRF protection), and the other is in Spring's tcServer 6 (Tomcat 6.x). The servers and webapps are set up as follows: Tomcat 7 with CSRF on port 8081: the webapp communicates with other apps via REST. Tomcat 6 on port 8080: the webapp calls ...

Which attacks are possible concerning my security layer concept?

Despite all the advice to use SSL/https/etc., I decided to implement my own security layer on top of HTTP for my application... The concept works as follows: the user registers -> a new RSA key pair is generated; the private key gets encrypted with AES using the user's login password (which the server doesn't know; it has only the sha256 for a...

Does the Java EE security model support ACLs?

I use Java EE 6 with GlassFish v3.0.1, and I wonder if the Java EE security model supports ACLs, and if so, how fine-grained does it get? EDITED: I implement security using a JDBC realm via GlassFish v3, so that the realm at runtime looks into the table USER inside the database to check for authentication, by looking at the password field, and authorizatio...

Is there an encryption technique that could turn an 8-digit number into something 10 or 11 digits or less?

Many of the encryption techniques I've seen can easily encrypt a simple 8-digit number like "12345678", but the result is often something like "8745b34097af8bc9de087e98deb8707aac8797d097f" (made up, but you get the idea). Is there a way to encrypt this 8-digit number but have the resulting encrypted value be the same or at least only a s...

Database permissions issue using MSI/WIX 3.5

Hi, I've created a WiX DB installer. It works on my DEV machine using SQLEXPRESS but not on my test machine using (local). I confirmed that the server is correct in each case, using Orca. The following is pretty much what I'm using, only with a few more scripts. The scripts are known to work fine, and if I take them out altogether, it ...