From a webpage, I can specify that a SWF should be loaded with "allowNetworking=internal" and "allowScriptAccess=none" to prevent it from modifying the state of the browser.
Is it possible for SWF A to be loaded with no restrictions, and have A impose those restrictions on a SWF B that it loads?
...
I want to give my website users arbitrary read-only access to an
SQLite3 database, without letting them write to the database or do any
other damage. How?
Making the db file read-only helps a little, but commands like
"ATTACH", ".load" and ".output" allow people to read/write other
files, which may not be protected.
Of course, if I kne...
Imagine I have an ActionResult like this:
[HttpGet]
public ActionResult Cities(string q)
{
//Return a list of cities that matches parameter
}
How do I stop all other sites apart from mine using this as if it's their own little REST-based service for getting a list of matching cities? Is checking the referrer the only way to go...
I need to be able to lock a java applet to a specific domain or range of domains. I know that it is possible to do this with flash .swf files see article. I need to be able to do this with a java applet or jar. If anyone has any information on this it would be much appreciated.
...
Not sure if this is the right place at all, but figured it was worth a shot.
I have a user that complained of broken links on my website. It occurs whether he uses Firefox or IE. I asked him to send the link, and this is what I got:
javascript:if%20(confirm('This%20link%20will%20take%20you%20to%20the%20URL%20https://www.e-junkie.com/ec...
Hi,
I have built an ASP.NET application that needs to be password protected. This application will be installed on multiple offline computers, and we need to make sure that when being installed it requires a password. But even if it requires a password, someone can easily copy the database and the published folder and duplicate the appl...
SHA512 is more complex than SHA1, but how much security am I losing by hashing a salted password with SHA1 compared to hashing it with 512, in terms of the time it would take for someone who has the db to crack a single password? I'm using a framework that doesn't give me easy access to SHA512, I'd have to override stuff to make it work,...
It has just occurred to me that when my Flex application does a ChannelSet.login, it is essentially sending the username and password over the wire in an unencrypted form to the BlazeDS server. While I use the binary AMF protocol over an AMFChannel, it would take nothing for somebody to sniff these passwords.
Most of my clients do not ...
Hello everyone
Modern template engines for PHP (say, Dwoo or Smarty) can use objects as variables. You can use {$obj->method()}, which is really convenient, and I am using this a lot.
But there is a clear security problem with directly exporting objects from an ORM, which have methods such as insert, delete etc.
Is there any sane method ...
My employer uses Dotfuscator on all our .Net production software. Because of this, we are absolutely forbidden to use ANY built-in databinding or anything that reflects on property/function names - because dotfuscator changes them and therefore anything bound instantly and irredeemably breaks.
I keep rolling this logic over in my mind ...
We have a .NET 3.5 application with registered extensions. How can we protect it against DLL Hijacking attacks?
Because of legacy & design problems, strong naming/signing is not an option right now.
Extra Information if you don't know what DLL Hijacking is:
What's DLL Hijacking - SO
DLL hijacking vulnerabilities
...
What are the various implementation challenges in network security?
...
Hi,
After reading and trying and reading, I hope somebody might help.
I want to make an application that runs in a console (click and it starts without complicated configuration). Then an Android client connects to the WCF service on the console, enters his username and password, and has access to the service. (only intranet)
It soun...
Hello everyone,
I am a student taking a course in Network security. As a part of my coursework I need to do a project on the security side of Android like developing a simple application which involves basic security concepts.
I searched for different ideas which I can implement on Android within a span of 2-3 weeks. I found ideas such a...
I have started developing a drawing application in AS3. I am thinking that I could integrate a CMS and allow SWF files to be uploaded at runtime as graphics. What are the potential security issues involving third-party, possibly malicious SWF files here?
I would simply be adding the swf as a custom sprite class to a masked container sprit...
I have a classifieds website...
As you might imagine, as a webmaster (administrator) I need to sometimes remove classifieds, edit them etc etc.
I have my own Linux server, with root access of course.
Currently I have a section of my website with all administrative PHP scripts which I use to remove classifieds, edit them etc:
/www...
Hey.
Although this is focused on Windows Phone 7, I guess the principle is universal. I would like to have a password protected zone within my app. However, my application is completely offline and so I will have to store credential details on the phone. My initial idea is to store a hash of the password and the salt. Would this be the...
I am not entirely finished with my website, and I am using Apache's authentication to demand password and username when entering the site.
I wonder, will this cause any problems with using and testing Google Analytics?
Should I first "open" and remove the authorization before using GA?
Thanks
...
I'm adding a "change password" functionality to my webgame http://ninjawars.net, which currently has fixed (and essentially never changing) passwords.
I want to avoid making a mess of it, so I'd like to make sure that I have the basic security bases covered.
Taking what I can pull from Facebook's way of doing things, a few points that...
My goal is to safely open a web page in a user's default browser. The URL for this web page is considered "untrusted" (think of it as a link in a document opened with this software, but the document could be from anywhere and the links in it could be malicious).
I want to avoid someone passing "C:\Windows\malicious_code.exe" off as a URL.
...