security

Autocomplete & security - retrieving credentials from local cache?

Is it possible to retrieve stored credentials from the browser cache if you use auto-complete to fill in a form? I believe that the data itself is encrypted. ...

Implementing two-factor authentication into a Java web app

I have an existing Java web application running through IBM WebSphere (I'm unsure of the version, but could find out if it helps) that I am looking to implement two-factor authentication with. The system has a decent user base, and I wanted to distribute hardware tokens to the admin users of the system to ensure strong authentication. ...

PHP Include or copy paste mysql login info on every page?

Is it safe to use a php_include file for MySQL login information, or is it better to copy/paste the login info for MySQL on every page? If you go with php_include, how will you block that file from being seen? ...

How to prevent PHP files from being downloaded? And what are some ways someone can download them?

How do I prevent PHP files from being downloaded "illegally", like through the browser? And what are some ways someone can use to download the PHP files? ...

Security precautions for running python in cgi-bin.

I've been writing Python scripts that run locally. I would now like to offer a service online using one of these Python scripts, and through the web hosting I have I can run Python in the cgi-bin. The Python script takes input from an HTML form filled in by the user, has the credentials and connects with a local database, calculates stuff...

Security vs Damage Control

Recently I posted a question about whether it was a good idea to use separate databases for administration and public logins in an ASP.NET SQL authorization database to prevent compromises to the public site from spilling over into the admin side. I think I was really asking a bigger question though: when securing an application, should...

Are there spam concerns when using the address tag?

I know that spam bots scour web sites and harvest emails; however, I wasn't sure about the extent of information that they search for (for instance, names, physical addresses, phone numbers, etc.). In essence, my question boils down to: "Do spam bots search web pages for physical addresses, and am I helping them through the use of the <a...

Can anyone explain in English this piece of WMI documentation? WMI SecurityCenter product state

Hey guys, I am trying to decipher the productState property in the SecurityCenter.productState WMI namespace. The product state is, for example, an int of 262144, which you then look up on this page of documentation to decipher into an actual product state meaning: http://msdn.microsoft.com/en-us/library/bb432509(VS.85).aspx I may have f...

How do you exit execution of a codeigniter program?

Hi everyone, I am currently working on adding pre-validation to my website, so that pages that require a log-in or other criteria will only display if your session matches those criteria. I've got most of the system working, but I have one major obstacle. I cannot figure out how to stop CodeIgniter from running the rest of the controlle...

security issue running jruby on tomcat6

I deployed a JRuby/Rails app to Tomcat 6 through a Warbler-built WAR. The system is Ubuntu 8, running Tomcat 6. When I try to start the app, I get the following stack trace: Sep 13, 2010 7:57:24 PM org.apache.catalina.core.ApplicationContext log SEVERE: Application Error java.security.AccessControlException: access denied (java.ut...

What is wrong with my auto forum thread generator using HttpWebRequest?

I'm using HttpWebRequest to send a request without using a browser, but I always get this reply from this old-school CGI forum: "duplicate thread". I'm pretty sure the thread is not a duplicate, as it is the first time I send it. I'm guessing the forum software is detecting something unusual about my thread, as it is machine generated. What c...

What are the prevention techniques for buffer overflow attacks?

What are the ideas for preventing buffer overflow attacks? And I heard about StackGuard, but until now, is this problem completely solved by applying StackGuard or a combination of it with other techniques? After warm-up, as an experienced programmer, why do you think that it is so difficult to provide adequate defenses for buffer ov...

Hiding the backend technology stack

As a security measure, I want to hide the technology stack I am using on my server. What are effective ways to do this? I thought about 1) Use mod_rewrite or Rewrite Module to hide any page extensions like .php or .aspx 2) Turn off all error reporting 1b) use mod_rewrite to serve a misleading extension on purpose, like disguising a php...

security - Process.execute() on Android

Given that I have a compiled Linux exe file in my resources/raw directory, can I execute it using Process.execute("./resources/raw/filename"), or do I have to have special permissions (like ROOT or something)? ...

CruiseControl.NET NTFS security of published packages is different than the parent folder's.

I've set up CCNet to build under user CCBuild, which publishes the builds to C:\Build\Projects\ProjectName\Version\Package.zip. I've allowed several AD domain users to access the folders from C:\Build\Projects\ProjectName, but they can't download the packages because the security gets set differently. While they can access the ProjectNam...

SQL connection issue from sharepoint after messing with service accounts

Hi, I had a Win7 x64 box with a local SharePoint 2010 installed on an SQLEXPRESS DB. Last week I also installed an SQL 2008 R2 instance with Integration and Analysis Services next to the existing database. Because I had issues deploying Analysis Services solutions, I messed around quite a bit with the SQL service accounts. Eventually...

crossdomain.xml and security issues

Hi, I read a lot about cross-site scripting with Flash, JavaScript etc. and also found several lists of websites that have a crossdomain.xml that allows access from any server. For example, flickr.com trusts all domains. Can somebody explain to me why this seems to be secure and doesn't lead to attacks like session hijacking? Is it becau...

Storing encrypted password and salt or only storing encrypted password?

I need a login system to check the user password. I know about salting passwords, but should I store the salt and the encrypted password, or should I only store the encrypted password while the salt is somewhere in my app config file? Please list pros and cons if there are some, thanks! ...

Hacked, what does this piece of code do?

WARNING: This is a possible exploit. Do not run directly on your server if you're not sure what to do with this. http://pastehtml.com/view/1b1m2r6.txt I believe this was uploaded via an insecure upload script. How do I decode and uncompress this code? Running it in the browser might execute it as a shell script, open up a port or somet...

Avoiding CSRF when serving AJAX or Flash requests

I have a Flash-based game for the browser which sends users' scores to a PHP backend script which stores the score and the user id in the database. Now I have a URL like www.example.com/update.php?score=200&uid=234. The problem is that this is very much exposed to an intelligent user, and he can use this URL to store whatever score he w...