Watching SO come online has been quite an education for me. I'd like to make a checklist of various vulnerabilities and exploits used against web sites, and what programming techniques can be used to defend against them.
What categories of vulnerabilities?
crashing site
breaking into server
breaking into other people's logins
spam
soc...
Okay, so I'm running a small test webserver on my private network. I've got a machine running Windows 2000 Pro, and I'm trying to run an ASP.NET app through IIS.
I wrote it so that the webpage would use the registry to store certain settings (connection strings, potentially volatile locations of other web services, paths in the local f...
I have a web application that needs to read (and possibly write) files from a network share. I was wondering what the best way to do this would be?
I can't give the network service or aspnet accounts access to the network share. I could possibly use impersonation.
The network share and the web application are both hosted on the same do...
I have a project to build a voting desktop application for a class in Java. While security isn't the focus of the project, I would like to be as realistic as I can. What are some of the primary tools to integrate security into a Java application?
Edit: I'm not primarily worried about physical security, we are simply building an applicat...
What should I do if I want to release a .NET assembly but wish to keep its internals detailed in the manifest private (from a utility such as ildasm.exe)?
...
What is the best approach to make sure you only need to authenticate once when using an API built on WCF?
My current bindings and behaviors are listed below
<bindings>
<wsHttpBinding>
<binding name="wsHttp">
<security mode="TransportWithMessageCredential">
<transport/>
<message clientCredentialType="UserName" negoti...
Hello all,
I know this might be a no-brainer, but please read on.
I also know it's generally not considered a good idea, maybe the worst, to let a browser run and interact with local apps, even in an intranet context.
We use citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a ...
It seems to me obfuscation is an idea that falls somewhere in the "security by obscurity" or "false sense of protection" camp. To protect intellectual property, there's copyright; to prevent security issues from being found, there's fixing those issues. In short, I regard it as a technical solution to a social problem. Those almost never...
Here's a perfect example of the problem: Classifier gem breaks Rails.
** Original question: **
One thing that concerns me as a security professional is that Ruby doesn't have a parallel of Java's package-privacy. That is, this isn't valid Ruby:
public module Foo
public module Bar
# factory method for new Bar implementations
...
One of the joys of working for a government healthcare agency is having to deal with all of the paranoia around dealing with PHI (Protected Health Information). Don't get me wrong, I'm all for doing everything possible to protect people's personal information (health, financial, surfing habits, etc.), but sometimes people get a little to...
I've been tasked with the maintenance of a nonprofit website that recently fell victim to a SQL injection attack. Someone exploited a form on the site to add text to every available text-like field in the database (varchar, nvarchar, etc.) which, when rendered as HTML, includes and executes a JavaScript file.
A Google search of the...
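The pattern this post describes (one injectable form, a payload appended to every text column, and the stored payload later executed because it is rendered unescaped) has three separate fixes, and the example below, added here rather than taken from the post or the site in question, shows all three against a constructed SQLite database: the concatenated query that lets quotes change the statement beside its parameterised form, a sweep that locates every text-typed column and strips a known injected fragment, and output encoding so that whatever survives in the database is displayed as text rather than run. The schema, rows and the `<script src=...>` fragment are all constructed for the example.

```python
import html
import sqlite3

# Constructed stand-in for the injected fragment; the real one would be whatever the site found.
INJECTED = '<script src="http://example.invalid/x.js"></script>'


def make_db():
    """Constructed sample schema: two tables with a mix of text and integer columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT, views INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO articles (title, body, views) VALUES (?, ?, ?)",
                     [("Welcome", "Hello", 3), ("Donate", "Please give", 9)])
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
    return conn


def search_vulnerable(conn, term):
    """Statement built by concatenation: a quote in the input becomes SQL syntax."""
    sql = "SELECT title FROM articles WHERE title = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised: the value travels separately from the statement and cannot alter it."""
    return [row[0] for row in conn.execute("SELECT title FROM articles WHERE title = ?", (term,))]


def text_columns(conn):
    """Enumerate every text-typed column, the surface a mass injection like this one hits."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()]
    cols = []
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for _, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if ctype.upper() in ("TEXT", "VARCHAR", "NVARCHAR", "CHAR", "NCHAR"):
                cols.append((table, name))
    return cols


def infect(conn):
    """Reproduce the outcome the post describes: append the payload to every text field."""
    for table, col in text_columns(conn):
        conn.execute(f'UPDATE "{table}" SET "{col}" = "{col}" || ?', (INJECTED,))


def count_infected(conn):
    """Number of (row, column) cells that still contain the payload."""
    total = 0
    for table, col in text_columns(conn):
        total += conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE instr("{col}", ?) > 0',
                              (INJECTED,)).fetchone()[0]
    return total


def clean(conn, payload):
    """Strip the exact injected fragment from every text column; returns cells changed."""
    changed = 0
    for table, col in text_columns(conn):
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = replace("{col}", ?, ?) WHERE instr("{col}", ?) > 0',
            (payload, "", payload))
        changed += cur.rowcount
    return changed


def render(value):
    """Output encoding: stored markup is shown as text, never interpreted by the browser."""
    return html.escape(value)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, "' OR '1'='1"))
    print("safe:      ", search_safe(db, "' OR '1'='1"))
    infect(db)
    print("infected cells:", count_infected(db))
    print("cleaned cells: ", clean(db, INJECTED))
    print("rendered:", render(INJECTED))
```

The cleanup sweep is only as good as the payload string you give it, so pull the exact fragment from the database before running it, and take a backup first; the parameterised query is the fix that stops the next attack, and the output encoding is what keeps a missed fragment from executing.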
Is there some way I can authenticate a user in the client-side (browser) in a web application?
...
Obviously there are security reasons to close a wireless network and it's not fun if someone is stealing your bandwidth. But how much of a problem is this?
To address the first concern: Does a device on the same wireless network have any special privileges or access that another device on the internet has? (Assume the wireless networ...
The leaving your wireless network open question reminded me of this.
I typically share the root drive on my machines across my network, and tie login authorization to the machine's NT ID, so there is at least some form of protection.
My question, how easy is it to gain access to these drives for ill good? Is the authorization enough, or...
My boss has come to me and asked how to ensure a file uploaded through a web page is safe. He wants people to be able to upload PDFs and TIFF images (and the like) and his real concern is someone embedding a virus in a PDF that is then viewed/altered (and the virus executed). I just read something on a procedure that could be used to destr...
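The checks a server can do on its own for the upload described above, as an added example rather than anything from the post: the extension whitelist, a size cap, identification by magic bytes instead of the client's filename or Content-Type, a consistency check between the two, a crude scan for the PDF name objects that carry script or launch actions, and a random storage name. The signature table, the size limit, the marker list and the test inputs are all constructed here.

```python
import os
import secrets

# Leading bytes that identify the two formats the post names (constructed table; extend as needed).
SIGNATURES = {
    "application/pdf": (b"%PDF-",),
    "image/tiff": (b"II*\x00", b"MM\x00*"),
}
# Extension -> type the bytes must prove. Assumption: nothing else is accepted.
ALLOWED_EXTENSIONS = {".pdf": "application/pdf", ".tif": "image/tiff", ".tiff": "image/tiff"}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit

# PDF name objects tied to active content. Heuristic only: filters and encoded names can hide them,
# so a clean result here is not proof of a harmless file.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")


def detect_type(data: bytes):
    """Identify the file by its first bytes, ignoring whatever the client claimed."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return mime
    return None


def pdf_has_active_content(data: bytes) -> bool:
    """Flag PDFs that reference script or launch actions, for rejection or manual review."""
    return any(marker in data for marker in PDF_ACTIVE_MARKERS)


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason_or_type); every rejection names the check that failed."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        return False, "empty or too large"
    detected = detect_type(data)
    if detected is None:
        return False, "content not recognised as PDF or TIFF"
    if detected != ALLOWED_EXTENSIONS[ext]:
        return False, "extension does not match content"
    if detected == "application/pdf" and pdf_has_active_content(data):
        return False, "pdf contains active content markers"
    return True, detected


def storage_name(detected_type: str) -> str:
    """Never store under the client's name: random name, extension taken from the verified type."""
    ext = {"application/pdf": ".pdf", "image/tiff": ".tiff"}[detected_type]
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed inputs: a minimal PDF, a PDF with an OpenAction script, and an EXE header renamed .pdf.
    samples = [
        ("report.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"),
        ("evil.pdf", b"%PDF-1.7\n<< /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"),
        ("tool.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    ]
    for name, content in samples:
        ok, info = validate_upload(name, content)
        print(name, "->", "stored as " + storage_name(info) if ok else "rejected: " + info)
```

None of this addresses the boss's actual worry, a document that is valid PDF and still carries an exploit for the viewer; that needs the stored files kept outside the web root, served with Content-Disposition: attachment and X-Content-Type-Options: nosniff, scanned with an up-to-date antivirus engine, and ideally re-rendered to a flat copy before anyone opens them.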
Within an application, I've got Secret Keys used to calculate a hash for an API call. In a .NET application it's fairly easy to use a program like Reflector to pull out information from the assembly to include these keys.
Is obfuscating the assembly a good way of securing these keys?
...
After reading Jeff's blog post on Protecting Your Cookies: HttpOnly, I'd like to implement HttpOnly cookies in my web application.
How do you tell tomcat to use http only cookies for sessions?
...
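The two places Tomcat reads this setting, as an added example rather than anything from the post: the `useHttpOnly` attribute on the Context element (Tomcat 6.0.19 and later; it defaults to false on Tomcat 6 and to true from Tomcat 7), and, on a Servlet 3.0 container such as Tomcat 7, the standard `cookie-config` block in the application's web.xml, which also lets you set the Secure flag. The fragment below is written as the two files with a comment marking each.

```xml
<!-- conf/context.xml (server-wide) or META-INF/context.xml inside the webapp -->
<Context useHttpOnly="true">
</Context>

<!-- WEB-INF/web.xml, Servlet 3.0 schema (Tomcat 7 and later) -->
<session-config>
  <cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
</session-config>
```

After restarting, confirm it from the browser side: the Set-Cookie header for JSESSIONID should carry the HttpOnly attribute, and `document.cookie` in the developer console should no longer show it. This flag only stops script from reading the session cookie; it does nothing about the cross-site scripting hole itself, which still needs fixing.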
I have an application which really should be installed, but does work fine when deployed using JNLP.
However, it would seem that some Java functions such as Runtime.exec don't work using the default security options.
I would like to therefore disable UI functionality that relies upon such functions. So my question is, how do I detect a...
Hi there,
The system I am currently working on requires some role-based security, which is well catered for in the Java EE stack. The system intends to be a framework for business domain experts to write their code on top of.
However, there is also a requirement for data 'security'. That is, what information is visible to an end user.
...
After stumbling into Amazon Web Services again I have finally checked their prices and am shocked. Positively. With their flexible billing and extremely low prices, is there any reason for still using a dedicated hosting for a website? The only one I can think of is keeping sensitive data confined to the intranet - but for publicly acces...