I need to call a .NET SOAP webservice in a secure way. It must be secure in such a way that others can't call the WebService methods, and also it should not be possible for "the middle man" to understand the content of the messages.
The caller will also be a .NET webapplication installed on another IIS.
I can design the webservice metho...
I read about session security eg. Session Fixation, Hijacking & Injection but am confused about the workings of session security. The way I usually do it:
// when user logins,
$_SESSION["user"] = "someuser";
// check user login
if (isset($_SESSION["user"]) && !empty($_SESSION["user"]))
Maybe I am doing it wrong, but I don't have Ses...
DISCLAIMER: At my place of work we are aware that, as none of us are security experts, we can't avoid hiring security consultants to get a true picture of our security status and remedial actions for vulnerabilities. This question is asked in the spirit of trying to be a little less dumb and a bit more aware of the issues.
In my place o...
Somewhere behind our firewall sits a server full of PDFs. The PDFs contain private information so I need to restrict access to the PDFs. The public can log in to our web site and request their PDFs.
Our software went to production recently. We're redirecting them to the PDF server's URL. This fails because the public can't access ou...
Hello,
I am trying to set a property value in the IIS 6.0 API
and I am getting this security error:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
on this line:
path.CommitChanges();
This is my code:
Function Test()
'--
Dim metabasePath As String
Dim propertyName As String
Dim newValue As St...
I'm rewriting an application so that we can stop using the old Microsoft.Web.Services2.Security.X509 from Microsoft.Web.Services2.dll and start using System.Security.Cryptography.X509Certificates.
There is one method that I can't figure out, though:
bool Microsoft.Web.Services2.Security.X509.X509Certificate.SupportsDigitalSignature()
...
I have a web-application in java, spring framework, hibernate on tomcat, that has basically almost no security except the login and logout functionality (no spring security)
I can access the user information in a controller by:
// where request is HttpServletRequest
HttpSession session = request.getSession(true);
SystemUser user =...
Hi,
in my silverlight application I am using the webBrowser control.
I call the following JavaScript function on the page I'm navigating to.
function notify() {
window.external.notify("Close");
}
The weird fact is that it only works when I am navigating to the page by using:
this.Browser.Source = new Uri("http://local...
I'm making an AJAX call using jQuery to an ASP.NET page which acts as my AJAX server page to save the data which I am sending to it in the query string. In the ASP.NET page, when I am trying to read the query string, I am getting this error:
A potentially dangerous Request.QueryString value was detected from the client...
I have set the V...
Hello, I am creating a PHP application and I'm having a bit of trouble finding a solution for a problem I'm having. I need to somehow completely deny access to anyone trying to access files on a web server (likely by returning a 403 Forbidden error or something) via HTTP unless a certain condition is true, such condition would be checked...
I've just read the PHP section on
http://projects.webappsec.org/Null-Byte-Injection.
The example it provides is pretty dumb - I mean, why would you ever want to include a file based on an outside param without checking it first (for directory traversal attacks, for one)?
So, if following standard PHP security practices, such as
encod...
If a function does all proper checks inside, should I check everything before calling it, or better not? Is security redundancy considered a good practice?
Example (in a sort of C#-like pseudocode with by-reference arguments passing):
doSomething(vector v) {
...;
v.clear;
useCleanVector(v)
}
useCleanVector(vector v) {
if(!v....
I have learned most of C++ already and now some are saying that I should learn C and assembly for network security. Is it necessary to learn really low-level languages? I searched all over with no specific answers to this question. Thanks.
...
If a web server and a database server are on different hosts, is it possible for a hacker to do packet sniffing or use some other method to get the database username/password when you use mysql_connect in the PHP code?
...
Hi,
I have active directory and several client computers joined the active directory.
In the client computers I have installed wcf clients.
On the server the wcf service is hosted in IIS.
I use message security with Windows credentials.
Everything is working fine.
But I have heard that there are some programs than can extract the pa...
Hi,
I'm calling an exe from within an html page using Javascript.
The problem is my EXE has some dependencies which are referred to from the current directory. Therefore, I need to change the current directory to the EXE's directory, and after calling the EXE it should be changed back to the previous one so that nothing else is affected in later steps....
I need to access a remote drive from a Web App. The drive isn't accessible to the ASP.NET process, so I want to impersonate the current user for the request.
I saw some basic examples using WindowsImpersonationContext, and have tried the following.
WindowsImpersonationContext impersonationContext = null;
try
{
impersonationConte...
What security considerations are to be taken when developing a system similar to ASP.NET session?
Edit: Some follow up to input received,
Does encrypting the token actually offer real security? The ASP.NET session token is not encrypted, if they steal the entire cookie it doesn't matter whether it's encrypted or not the end result is t...
Hi,
I want to develop an online trading application using Silverlight in which I want to perform all the calculations on the client side instead of the server.
First, is it possible to run the whole application on the client side?
Second, how secure is the Silverlight XAP file against decoding the logic?
Please let me know.
Thanks,
Mahes...
Hi all,
I am looking for tools that I can use to audit the security of my database at the moment. Does anyone have any resources on this? I am running postgres, so that will take precedence.
...