security

Why do emails not load images directly

Email providers like Gmail, Yahoo, Hotmail do not load images in the email directly. These services require you to allow the images to be loaded. Why do they do this? Is it to prevent XSS/CSRF? ...

Consuming a secure WSE2.0 / .Net 1.1 WebService using .Net 3.5 and VS 2008.

Please forgive any mistakes in this question. I am not overly familiar with secure web services or WCF. I need to consume a web service that uses WSE 2.0 and .Net 1.1. The service is secured in two ways. An X509Certificate and a BinarySecurityToken added to the header. I have code samples as to how to consume this Web Service when usi...

Silverlight Elevated Privileges

What are the capabilities of an elevated privilege OOB Silverlight application? How low down is it able to communicate? I.e. can you get to file system areas, MAC addresses etc.? The reason I ask is that I am looking at creating a security model for a Silverlight business app, that would disallow one registered user installing the app on mo...

How to grant unmanaged code access to Windows Forms hosted in HTML?

I am trying to host a Windows Forms control in C# inside an HTML page and then host that web page in IIS in order to be accessible by other client machines. The problem is: the UserControl uses some unmanaged code, which triggers a SecurityPermission exception when accessing using another machine. I've managed to dumb down my code to a...

How secure are SQLite and SharedPreferences files on Android?

First, a bit of my background. I have been working on large web systems for over a decade, Android is something I have been looking at for the past two months; as you can imagine, the gap is quite wide :) Looking at Android's Security and Permissions and Data Storage part of documentation, talking directly to developers, reading books a...

Code-Signing on WM6.1 Drivers

I've already asked a similar question on this issue on Stack Overflow, but I believe this part of the issue can be separated into a new question. I've not done mobile development before, so the use of signing and certificates is a new concept to me, and for all the reading of topics I have done, it's not really improved my knowledge...

How to generate hash or use encryption to secure the keys in an asp.net mvc application?

EDIT 1 : I think I was not clear myself before and hence could not word it better. So, I am creating a system where I am providing page content to another system via IFRAMEs. A user will login to the other system and that system will set their apiKey and userKey in a cookie on my system so that access will be granted i...

What's the best way to do an authorization check programmatically on JSF pages?

Java EE 5 / EJB 3 / JSF 1.2, using Facelets / ICEfaces 1.8.2 I'm authenticating my users with JAAS, but I think that simple role-based authorization is insufficient for my needs—my users' permissions need to be computed out of data in JPA entities. I'd like to add to certain pages a check that gets some entities from an EJB, does a litt...

What is the difference between these two...?

From a security standpoint, what are a couple of major points that would aid in the result of using a .master file versus a .aspx file? ...

Grails filters: can't make it work!

Hi, I'm trying to write a Filter for my web app. I read [the documentation][1], and wrote this dummy filter in my grails-app/conf directory: class SecurityFilters { def filters = { someFilter(controller:'*', action:'*') { write('Filtering') } } } Next thing I do is set a breakpoint on the write statem...

Why do people save session data in hashed form?

I'm writing a project where after registration I save the id of each client in the session. As I know, the session stores data on the server side, so it seems to be secure. But I've seen many times that session variables are stored in hashed form. So, why do they do it? Thanks much ...

What are the risks of cross domain JSONP communication?

In our web application we have run into the situation where we need to do cross-domain AJAX calls from one domain we fully control to another domain we fully control. I've been surfing around for the best solution and the two that come to mind are a local file proxy (local file using php::fopen) or jQuery/JSONP. When I look up online ...

Is there any conceivable way in which a .java file could cause harm?

Is there any way in which .java files on a web server, that are linked via a tag, could possibly, conceivably, cause damage anywhere -- on the server or client machine? I don't see how on Earth that could possibly happen -- we're talking about an ASCII text file and an anchor tag, but I have been dealing with an IT person who will no...

Securing database credentials and connection in ClickOnce publish

Hello! I have a connection string with sensitive information (user, password) in the Application.config.xml file. Now I need to publish this application through ClickOnce. Is there a way to encrypt the connection string? On the other hand, can this be implemented in the database? For example: user connects with access only to a function that checks username...

PHP dehashing the password

OK, that's clear that one must store hashed passwords in the database, but in case a user does not remember the password and wants to retrieve it back, then obviously the user won't like to have the hashed password. If the password is hashed with MD5, or additionally with a salt and SHA-1, then how to retrieve back the password? ...

How To Start Learning Cryptography With C#?

Hi all, I want to learn about cryptography theory (basics) and I want to use the algorithms in C#, so I need some guides, books, tutorials to get started. Please help me. Thanks ...

Grails + Securing Application

Hi, I'm working on a legacy Grails application. I have a couple of tables like this: User (id, name, enterprise_id), Enterprise (id, name), Asset (id, description, enterprise_id). I want to validate that when a certain user wants to access an asset, it has the right enterprise_id (i.e. that the user belongs to the same enterprise as the a...

Is there any way to verify that client side code that is used is the one given by the server?

In a previous question I asked about weaknesses in my own security layer concept... It relies on JavaScript cryptography functions, and thanks to the answers the striking point is now clear that everything that is done in JavaScript can be manipulated and cannot be trusted... The problem now is: I still need to use those, even if I rel...

Creating a private folder in TFS 2008 Source Control System

I have a TFS 2008 installation with a single TFS project that we use for all of our source code. Within this (super)project, we have a whole tree of sub-projects. Our project's Contributors group has the default (read, write, checkin, checkout etc.) access to this whole tree. We have a folder within this structure that we want to restr...

ActionScript 3 SSL sockets

Hey, in the application we are working on we have to send secured messages from a Flash movie running in the browser to an App Engine application. One good candidate would be SSL, which App Engine seems to somewhat support (not exactly sure). But is there any implementation of SSL sockets for ActionScript 3 (since AFAIK AS3 doesn't have...