Hey everyone,
I'm implementing a user-based image uploading tool for my website. The system should allow any user to upload JPEG and PNG files only. I'm, of course, worried about security, and so I'm wondering how the many people smarter than myself feel about the following checks for allowing uploads:
1) First white list the allowa...
Hi,
How do I mysql_real_escape_string() all $_GET contents?
Thanks
...
I'm writing a simple PHP script to access the Foursquare API. The PHP will always access the same Foursquare account. For the time being, I have this login information hardcoded in my script. What is the best way to secure this information?
If I follow the advice from this thread, I should just place the login information in a config fi...
Hi to all!
I have a consultation with a teacher who will help me improve some files I have made. To do this we'll use Microsoft Office NetMeeting. The teacher has the server part of the software and I have the client part. I'll share my desktop with him, along with the files and the application to work on them. I'm a little in trouble ...
Hi, as per http://stackoverflow.com/questions/3642370/using-ptrace-to-write-a-program-supervisor-in-userspace, I'm attempting to create the program supervisor component of an online judge.
What system calls would I need to block totally, always allow or check the attributes of to:
Prevent forking or running other commands
Restrict to s...
Can *.avi or any media file contain any script or dangerous code?
Today I saw the following message in Microsoft Security Essentials:
Category: Trojan Downloader
Description: This program is dangerous and downloads other programs.
Recommendation: Remove this software immediately.
Items:
containerfile:C:\Users\...\amediafilename.avi
file:...
This may sound like a weird question, but is there anywhere I can download a website that is vulnerable to SQL injection (the URL kind, not login bypass)?
I'm making a vulnerability scanner and I want to learn some SQLi so I can include it in my project.
Thanks, it doesn't need to be fancy. Just enough to practice on.
...
I've been working on a forum-like system, which does not allow for HTML formatting. The method I currently use is to escape HTML entities before they get inserted into the database. I've been told (in relation to XSS vulnerabilities) that I should insert the raw comment into the database, and escape HTML entities upon output.
Other ques...
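The advice quoted in the post, store the raw comment and escape at output time, rests on one point: escaping is specific to the context the text is emitted into, and a comment stored for a forum page is later also emitted into other contexts (a JSON API, a script block, an email). The following added example (mine, not the poster's code) stores a constructed comment verbatim and shows a different encoder per output context; the `db` dict stands in for the real database.

```python
import html
import json

# Constructed comment as a user would submit it. It is stored exactly like this.
RAW_COMMENT = '<script>alert("xss")</script> 5 > 3 & "quotes"'


def store_comment(db: dict, comment_id: int, text: str) -> None:
    """Persist the raw text. The database is not an HTML context, so nothing
    is escaped here; doing so would bake one context's encoding into the data."""
    db[comment_id] = text


def render_html_body(text: str) -> str:
    """Encode for an HTML element body or a double-quoted attribute value."""
    return html.escape(text, quote=True)


def render_js_string(text: str) -> str:
    """Encode for a JS string literal inside a <script> block. json.dumps handles
    quotes and backslashes; the replace closes the hole it leaves, because a
    literal '</script>' inside the string would still end the script element."""
    return json.dumps(text).replace("</", "<\\/")


def render_json_api(text: str) -> str:
    """A JSON API must return the raw text; the client escapes for its own context."""
    return json.dumps({"comment": text})


def render_double_escaped_api(stored_escaped: str) -> str:
    """What the API returns if the stored copy had already been HTML-escaped:
    the client receives '&lt;script&gt;' and shows garbage (or unescapes it
    and reintroduces the injection)."""
    return json.dumps({"comment": stored_escaped})


def demo() -> dict:
    db = {}
    store_comment(db, 1, RAW_COMMENT)
    raw = db[1]
    return {
        "html": render_html_body(raw),
        "js": render_js_string(raw),
        "api": render_json_api(raw),
        "api_if_pre_escaped": render_double_escaped_api(render_html_body(raw)),
    }


if __name__ == "__main__":
    for ctx, out in demo().items():
        print(f"{ctx}: {out}")
```

The HTML rendering contains no `<`, the script rendering contains no `</script>`, and the API rendering round-trips to the original text; the last entry shows the double-encoding that input-time escaping produces once a second consumer appears.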
I am looking for some best practices when it comes to creating EditModels and updating data in an ASP.NET MVC app. Let's say I have a URL like so: /Post/Edit?Id=25
I am ensuring the user has permissions to edit the specific post by Id on the Get request and the same for my Post in the controller. I am using the ValidateAntiForgeryToken.
Q...
I have an executable that needs to run as an administrator on a Windows system, and it's started by a service. For the sake of simplicity and security, I'd prefer just to let the service run as the 'system' account, but would like the executable that it spawns to run with administrative privileges.
Is there anything like a chmod +s on ...
Let's assume I must have user's sensitive data that was optionally encoded on the client side.
Encryption (optional) should be done with user's passphrase.
User login (optional) should be done with user's password.
Notes:
plain-text password is not stored on the server or transferred over the network.
My options and their drawbacks:...
Hello,
I'm trying to figure out how to implement a replay attack detection mechanism with WCF in a web farm scenario.
WCF provides such a detection mechanism by using a nonce cache. Correct me if I'm wrong, but the only way to ensure prevention of this attack in a message security and web farm scenario is by using a nonce cache shared acros...
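The mechanism the post describes, a nonce cache plus a freshness window, is small enough to show in full. This is an added example in Python (not WCF's implementation and not the poster's code) with an in-memory dictionary as the cache; the point the post makes still holds, namely that in a farm this store must be shared by every node (a single cache server), otherwise a message replayed against a different node is accepted. The message format, the shared key and the clock are constructed for the example; the HMAC covers nonce, timestamp and body so an attacker cannot freshen a captured message by changing its nonce.

```python
import hashlib
import hmac
import os
import threading
import time

SHARED_KEY = b"constructed-demo-key-not-for-production"


class NonceCache:
    """Remember every nonce seen in the last `window` seconds.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, window: float = 300.0, clock=time.time):
        self.window = window
        self.clock = clock
        self._seen = {}           # nonce -> time after which it may be forgotten
        self._lock = threading.Lock()

    def _purge(self, now: float) -> None:
        for nonce in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[nonce]

    def accept(self, nonce: bytes, created: float) -> bool:
        now = self.clock()
        # A message outside the window is rejected by timestamp alone. This is
        # what makes purging safe: once a nonce is old enough to be forgotten,
        # the message carrying it can no longer pass this check.
        if abs(now - created) > self.window:
            return False
        with self._lock:
            self._purge(now)
            if nonce in self._seen:
                return False          # replay
            self._seen[nonce] = created + self.window
            return True


def _mac(key: bytes, nonce: bytes, created: float, body: bytes) -> bytes:
    material = nonce + repr(created).encode() + b"|" + body
    return hmac.new(key, material, hashlib.sha256).digest()


def make_message(key: bytes, body: bytes, created: float, nonce: bytes = None) -> dict:
    """Sender side: fresh random nonce, current timestamp, MAC over all three."""
    nonce = nonce or os.urandom(16)
    return {"nonce": nonce, "created": created, "body": body,
            "mac": _mac(key, nonce, created, body)}


def verify_message(cache: NonceCache, key: bytes, msg: dict) -> bool:
    """Receiver side: check integrity first, then freshness and uniqueness."""
    expected = _mac(key, msg["nonce"], msg["created"], msg["body"])
    if not hmac.compare_digest(expected, msg["mac"]):
        return False
    return cache.accept(msg["nonce"], msg["created"])


if __name__ == "__main__":
    cache = NonceCache(window=60)
    m = make_message(SHARED_KEY, b"transfer 100", time.time())
    print("first delivery:", verify_message(cache, SHARED_KEY, m))   # True
    print("replay:", verify_message(cache, SHARED_KEY, m))           # False
```

Two consequences worth noting for a farm: the window bounds how long the shared cache must retain nonces, and the nodes' clocks must agree to within a fraction of that window, or legitimate traffic is rejected as stale.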
Hi,
Very simple question but I can't seem to get it to work.
Imagine the following code, why would the compiler give me the errors below? I've imported the relevant header file, included the framework. Target is 10.6.
#import <Security/Security.h>
- (void) snowLeopardCodeSignCheck
{
SecStaticCodeRef ref = NULL;
}
'SecStatic...
I have a python application designed to run as a service on Linux, and I've been asked to install it on a Windows XP box in an office where there are no Linux machines (for me, this makes it a bizarre and confusing place as I have virtually no experience developing for Windows).
On Linux the application has its own user, and the applica...
In the documentation for securely consuming web services with WCF they state that it is recommended that you prohibit the DTD when consuming the metadata. Why is the DTD a security risk?
http://msdn.microsoft.com/en-us/library/ms734741.aspx
...
I'm trying to write a Windows Scripting Component (WSC) which is referenced in a webpage and needs to read a single registry value.
I use the WScript.Shell object for RegRead.
On Vista (with UAC) my component is only loaded when I mark WScript.Shell as SafeForScripting (via HKCR\CLSID{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ImplementedC...
I am using the Key value of entities in my datastore as the unique identifier in the URL for pulling up a record:
http://mysite.appspot.com/myaction/1x7s3fgdlbnRlcklkcicLAbcXc2VyQWNjb3VudCIFYW9uZ
This is not a very attractive solution, nor is it SEO friendly, but it's the easiest way I've found to identify an entity uniquely in App En...
Hi!
I'm trying to use the Microsoft.Web.Administration API to access the 'system.webServer/security/authorization' section (at the current request path) to see if anonymous users ("*") can access it.
To do that I'm trying to access the section configuration by:
WebConfigurationManager.GetSection(HttpContext.Current, "system.webServer/sec...
I'm basically wondering what the best way to deploy an Asp.Net Web Site is, mostly from the point of view of security. Right now, I'm trying to publish the website using Visual Studio 2010. Could someone direct me to a good tutorial on how to do this securely? For example, can it be done over an encrypted connection via Visual Studio?...
Hello,
I am trying to find some samples of how to take a string and hash it using MD5, and then be able to reverse hash (correct term?) back to the original string.
Does anyone know of any documentation that shows how this can be done, or ideally has any sample code they could share?
I've read about the java.security.MessageDigest cl...