Im building a simple web app in Python using web.py - and was wondering what best practices are in terms of securing the application.
I had two main questions at this stage:
I want the application to be able to send email - it's not hosted on GAE, but I thought a simple solution might be to write / find a script tha...
I'm building an app that needs to accept credit card payments with something like active merchant. In terms of security, is it possible for it to live on heroku and use authorize.net (or similar) as the payment gateway?
What if it needs to store the credit card numbers?
Edit
Would not be forwarding users to authorize.net.
...
I know there are already a few questions on SO about the oracle padding exploit but none of them explain how it downloads the web.config. I run a couple of ASP .NET apps which I have already tested using Microsoft recommended mitigation factors but I'm still scared that people will be able to get the web.config.
Can someone please expl...
I have a website developed in PHP. There are 2 classes (in 2 separate php files) that contain the siteadmin's gmail user id and password (in plain text) and database password (again in plain text). Though none of these classes are displayed on the browser (like index.php). These files contain only php classes and no html code and the re...
Just reading about this ASP.NET security vulnerability.
Just wondering if this could be used to attack a WCF service hosted under IIS to get to its web.config or if it's a pure ASP.NET vulnerability
...
I have read that to prevent SQL Injection one must use PreparedStatement.
Does that mean if I am using PreparedStatement then no one can perform SQL Injection in any of my pages? Is it foolproof against SQL Injection? If not then please give some example to demonstrate this.
...
Like a lot of people I've gone with ASP.Net Forms authentication because it's already written and writing our own security code we're told is generally a bad idea.
With the current problems with ASP.Net I'm thinking it might be a good time to look at alternatives.
Important: ASP.NET Security Vulnerability - ScottGu
Video demonstrating...
The scifihifi-iphone project is a wrapper for the Apple Keychain. But it not documented enough.
For which iphone OS is this made? iOS 3?
What does the "UI" group do?
Do I need this?
How to use it?
Thanks in advance!
...
In Scott Guthrie's blog on the ASP.NET Security vulnerability noted here he says that for ASP.NET 3.5 SP1+ the following attribute should be set in the custom errors section
redirectMode="ResponseRewrite"
What is the significance of this in relation to the vulnerability and why only 3.5 SP1 and above?
...
Is ASP.NET MVC 2 vulnerable to the oracle padding attack? If so, what workaround should be implemented? The instructions on Scott Gu's blog appear to only be for Webforms.
I tried this:
<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="/Home/ErrorPage" />
however, http://www.example.com/PageThatDoesNotExist ...
We were all recently alerted by ScottGu to this security vulnerability. http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
Since I've been redirecting errors via Global.asax on the Application_Error event, I was wondering if that can suffice as the fix for this issue or do I sti...
I'm getting a string from the current window's fragment identifier (location.hash). I want to use that string as the argument to location.replace(str).
Under normal circumstances, the string will come from code I control, so I'm not worried about validating that the string is a URL. If the string isn't a URL, the call to replace will ...
I'm wondering how secure the below code is:
// Compare the submitted credentials against the stored user record
if ($username == $user->username && $password == $user->password) {
    $_SESSION['loggedIn'] = true;
    $_SESSION['user_id'] = $user->userId;
}
Basically, would there be any way for someone to fake the SESSION variable (besides actually stealing a user's cookie)?
...
I need to discuss and know the possible security issues in Microsoft CardSpace. I have been reading the official guide for CardSpace. So far, one of the concerns that I see is that it is plain XML information which is being communicated. The solution to that is SSL or some certificates.
But besides that, what are known issues in Microsoft ...
I have some code that wraps the PayflowPro .NET API. It essentially posts to a HTTPS address (a payment gateway) from C#. I can run this code locally and it works nicely. I can run it in my MSUnit tests and it works, and I can run it from a console application on my test environment and it also works.
I have a workflow hosted in IIS ...
Hi all,
I'm looking for an alternative to that code:
expl = eval "BeEF::Modules::Exploits::#{klass.capitalize}.new"
Here the eval is totally insecure. Is there an alternative I could use to generate dynamically classes without using eval? As in, klass is always different. So my code stays generic.
Thanks for your time.
...
Why does the recent ASP.NET security vulnerability specify an html error page to redirect to pre ASP.NET 3.5 SP1 but an aspx page for later versions?
...
My WCF has 3 endpoints
webHttpBinding - for RESTful pattern
wsHttpBinding - consumed by a VSTO plugin app using service reference
mexHttpBinding.
In the bindings section of my app.config (server).
To configure security for the RESTful service, this is how I configure
...
I have tested my email server on allaboutspam.com to see why the emails are being considered spam by hotmail and gmail servers.
The results were, amongst other faults, the BATV.
This is the complete result from allaboutspam.com on my BATV:
BATV is a mechanism wherein an outgoing Email server adds a tag to the Envelope From address of a...
Hi All,
I am working on an online video training website and I want to secure my videos so that no one can download them. Can anyone help me with how I can restrict video download? I have tried different HTML5 and JavaScript players but none of these provide this feature.
...