What are the security implications of storing the keystore in a public repo, along with the source code?
The reason for storing it in the repo is convenience. There are no dependencies when you do a 'git pull or clone' and build on your local machine (e.g. with sbt sign-release): you just provide the password when prompted and a sig...
I'm building a Login Service for an open source MMO game. I do not know much on the side of security/encryption and I am looking for a solution that will provide good protection against hackers and must not be too costly to generate.
Our old system used a very simple system of authentication by storing the password as SHA1 in the databa...
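As an added example that is not part of the original post: a Python sketch of the usual replacement for unsalted SHA1 storage, namely PBKDF2-HMAC-SHA256 with a per-user random salt, a constant-time comparison on login, and a transparent upgrade path for accounts that are still stored as bare SHA1. The iteration count, the record format (`pbkdf2_sha256$iterations$salt$hash`) and the function names are assumptions made for this example, not anything from the question.

```python
import hashlib
import hmac
import os

# Work factor; an assumption for this example. Raise it as hardware gets faster
# and use needs_rehash() to migrate old records on the next successful login.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def legacy_sha1(password: str) -> str:
    """The old scheme described in the question: unsalted SHA1.
    Same password -> same digest for every user, so one precomputed table
    attacks the whole leaked database at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user/password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in
    constant time; malformed records simply fail verification."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the record is below the current work factor (or not PBKDF2 at all)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < iterations


def upgrade_legacy(password: str, stored_sha1: str):
    """Called on login for accounts still holding a legacy SHA1 digest: if the
    candidate password matches, return a new PBKDF2 record to store in its place,
    otherwise None. Lets the migration happen without a password reset."""
    if hmac.compare_digest(legacy_sha1(password), stored_sha1.lower()):
        return hash_password(password)
    return None


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                         # False
```

Two identical passwords produce two different records because of the salt, which is exactly the property the unsalted SHA1 scheme lacked; the iteration count is the knob that keeps generation "not too costly" for the login service while still expensive for an offline guesser.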
Hello,
I'm looking for a method to drop process rights for security reasons. I want to start as a user with privileges and end as a limited user.
For example, I want my web server to run under a restricted user but I still want to listen on port 80.
How can I do such things under Windows. Something similar to Unix's:
bind_to_80();
chroot("/s...
We're using Mercurial on our production servers for some smaller web projects to easily deploy applications by pushing changes to the server over SSH. The repositories reside in the public_html folders of their respective accounts.
Now if I do a
hg clone http://www.domain.com
I get
real URL is http://www.domain.com/
requesting all c...
How do I have a research implement on WPF software?
...
Hello. I have a MUonline (link) gameserver running on Windows 2003 Enterprise x64. I had a website running there too. I do not know much about security here, so I'm asking for some tips or tutorials you know about this, as my server was hacked (I don't know how, exactly) and Windows has been erased. So now I want to make a secure gameserve...
Situation: Silverlight 4 app communicating with a server component through WCF, using basicHttpBinding and HTTPS.
Here is the binding used server side:
<basicHttpBinding>
<binding name="DefaultSecuredBinding" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647">
<readerQuotas maxDepth="50" maxArrayLength="2147483647" ma...
The shareware registration system I'm currently developing embeds the public DSA key in the executable itself, and the private key resides on a server. (For the sake of discussion let's assume that the server is 100% secure, and there is no way for anybody to get their hands on the private key.)
Whenever the program is purchased, the se...
Does anybody know how to secure the JNDI access for remote clients on JBoss?
I know how to secure remote JMX invokers, but even with that in effect it is still possible to look up, bind and unbind things in JNDI even if the client is not authenticated.
I would like the server to refuse to give you access to the InitialContext if yo...
I want to use an ORM, and have been looking at EF 4. Is this platform scalable? I see a lot of stuff on the web, but everything looks very biased in one way or the other. Anyone know of benchmarks or non-subjective information?
On that point, does EF prevent SQL injection or XSS? I know that it uses parameterized queries, but is that eno...
This is what I want a user to be able to do:
Upload ANY file to the server (attachment) to the uploads folder
Be Able to download it afterwards
So I have created this dir with the following .htaccess
Allow from all
DirectoryIndex .x
php_flag engine off
Options -Indexes
Options -ExecCGI
AddType text/plain .html .htm .shtml .php .php3 .php...
Is there any way/reason to keep your js/jQuery outside public_html? Are there security benefits?
...
I have a c++ application in which threads could impersonate using LogonUser/ImpersonateLoggedOnUser, and then revert impersonation using RevertToSelf. I ran across the bug which caused thread to impersonate this way twice. I want to prevent this by testing if current thread is already impersonating and throw exception if it is. Is there ...
Suppose you develop for a customer that requires the utmost assurances of the provenance and process-compliance of the software you deliver to them. What measures can a development organization take to provide high-integrity software?
This was originally inspired by a couple questions about security practices for development systems ove...
I already know how XSS works, but finding out all the many different ways to inject malicious input is not an option.
I saw a couple of libraries out there, but most of them are very incomplete, inefficient, or GPL licensed (when will you guys learn that GPL is not good for sharing little libraries! Use MIT)
...
Looking through some apache logs, I've run into the following pattern several times (URL decoded):
GET /foo.php?id=1 and union select 0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,... --
Clearly this is an SQL injection attempt. But why the constant shown above? I can't see how it could be particularly significant, though it seems to appear quite ...
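As an added example, not part of the original post: a small Python scanner for the pattern above, run over constructed Apache access-log lines (not the poster's logs). It parses the request, URL-decodes the query, flags the usual injection signatures, and decodes the `0x...` literals. The constant in the question, `0x5E5B7D7E`, is the hex encoding of the four bytes `^[}~`; sending the same odd, easily searched marker in every column is how automated injection tools discover which `UNION SELECT` column is echoed back into the page. Log format, signature list and function names are assumptions chosen for this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in Apache common log format; not from the question's
# server. Lines 1 and 3 are injection attempts, line 2 is benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /foo.php?id=1%20and%20union%20select%200x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E%20-- HTTP/1.1" 200 1234
198.51.100.7 - - [10/Oct/2010:13:55:40 +0000] "GET /foo.php?id=42 HTTP/1.1" 200 5678
203.0.113.5 - - [10/Oct/2010:13:55:41 +0000] "GET /foo.php?id=1%27%20or%201%3D1%20-- HTTP/1.1" 200 1234
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")

# A deliberately small signature set; a real detector would carry many more
# and normalise comments/whitespace before matching.
SQLI_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "tautology": re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
    "trailing_comment": re.compile(r"(--|#)\s*$"),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
}


def decode_hex_literals(text):
    """Turn every MySQL-style 0x... literal into its byte string (latin-1 so any
    byte value decodes); odd-length literals are not valid hex and are skipped."""
    decoded = []
    for h in HEX_LITERAL.findall(text):
        if len(h) % 2:
            continue
        decoded.append(bytes.fromhex(h).decode("latin-1"))
    return decoded


def parse_line(line):
    """Split one access-log line into fields, with the query string URL-decoded
    the way the web server and database will see it. Returns None on no match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "query": unquote_plus(parts.query),
        "status": int(m.group("status")),
    }


def classify(query):
    """Names of the signatures that fire on a decoded query string."""
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(query)]


def scan_log(lines):
    """Return the parsed records that look like SQL injection, each annotated
    with the matching signatures and the decoded hex literals."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = classify(rec["query"])
        if not sigs:
            continue
        rec["signatures"] = sigs
        rec["hex_literals"] = decode_hex_literals(rec["query"])
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["path"], hit["signatures"], hit["hex_literals"])
```

Decoding the literal rather than alerting on the raw hex is what makes the marker useful defensively: the same `^[}~` string is a cheap thing to search for in response bodies and in other sources' traffic, and a burst of requests carrying it from one IP is a column-counting loop, not a human.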
Hi, I'm using mail() to send simple mails. For convenience, I'm using a header to set a "from" address. I wonder, I can put whichever address there and pretend to be anyone; I tried it just towards myself out of curiosity and it actually works! Is this normal? Is it the correct way to use the mail function? And is there any way to recognize the...
I use the following code
$this->getDb()->fetchRow($sql, $params);
Is it free from SQL injection? Please guide me. How can I make it free from SQL injection?
...
Question: I have a document management system, and I am building a Web-Service interface to the database.
Everything works so far, just that right now, it's totally unsecured, everybody can access it.
How can I incorporate password or private-public key authentication ?
I can only find 'best practices' and using 'windows user' or pas...
I develop a GWT application with HTTP basic login type.
I have a "Logout" button that calls a server side method logout()
public void logout() {
getThreadLocalRequest().getSession().invalidate();
}
after the call it executes
Cookies.removeCookie("JSESSIONID");
Window.Location.reload();
in order to reload the page and get a br...