security

Security in Mobile Web Application on Low end mobile browsers

There are a couple of related questions, but I want to ask specifically for low-end browsers. We have an existing .NET MVC 2 web application and would like a scaled back, simple web interface to some of its functionality. As we are based in Africa we are targeting a wide range of very basic mobile browsers (i.e. not just iPhones, Android ...

Do I need to use Google Account Authentication instead of Spring authentication to avoid a Firesheep cookie-sniffing attack?

I was reading about Firesheep and wondering how I can protect my Spring MVC 3.0 site against attacks like this: It's extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTT...

Is it worth using the ASP.Net built in profile system?

I just discovered ASP.NET uses its own profile system to register users and there seems to be a lot of features available as a bonus with it (such as secure authentication). However it seems rather specific to have such a feature for a general purpose development environment and things which work in the background the way the profiles syst...

What is a secure way to pass login and password from a client to a server during authentication?

I've just set up a proxy and run all my requests through that proxy. I investigated several different applications: they pass the login and password pair raw, i.e. I can grab them from the POST-request parameters. How should it be implemented to make it more secure? (I haven't investigated Gmail and Facebook yet, but I think they don't have thi...

How to securely include secret key/signature in iOS/Cocoa apps

I want to include a secret key into an iOS app so that the app can "prove" to a certain server that a request is coming from the app itself and not some other system. I know that simply hardcoding a secret key into the code itself is very vulnerable as anyone can jailbreak their phone and attach GDB to my app's process to get the key. ...

Is storing a session id in a cookie a better practice than a get var?

The title pretty much says it all. A cookie seems to have a few advantages to me; however, I'll wait to see what others say. Also - assuming a cookie is better, what can be done to make passing the session by GET variable better? Specifically I'm thinking about PHP; however, this should apply generally. ...

Why does a collision detection in a cryptographic hash function make finding other collisions easier?

Hi, on Wikipedia I read: Joux[3] noted that 2-collisions lead to n-collisions: if it is feasible to find two messages with the same MD5 hash, it is effectively no more difficult to find as many messages as the attacker desires with identical MD5 hashes. But why is this so? I can't imagine why. The algorithms are open, right, people ...

Access Project Recognizes Schema as NetworkID

I created a new MS Access project against a SQL Server 2008 database using Windows-based authentication. (UPDATE: Now using login credentials, same results though) I have some tables in the (dbo) schema and some I made in a (prj) schema. In the Access project itself, prj is not recognized but the dbo ones are. Looking at the Access table l...

Mitigating the 'firesheep' attack in the application layer?

What methodologies do people recommend for mitigating the 'Firesheep' method for website applications? We have thought about this and from a usability perspective, other than encrypting all traffic to a site, mitigating the attack can be somewhat of a problem for web developers. One suggestion we came up with was to use path based cook...

Is HTTPS the only defense against Session Hijacking in an open network?

So with Firesheep, everyone in a public Wi-Fi now has a one-click session hijack tool. The way it works - to my understanding - is that it simply captures all traffic and grabs the session cookie (so it doesn't steal passwords). From my understanding, this also means that an HTTPS secured login does not solve this alone, as further HTTP...

How to Html.Encode in webforms

Hi, I have a WebForms application. There is a page with textboxes and users enter search terms into these which are used to query the database. I understand I need to prevent JavaScript injection attacks? How do I do this? In MVC I would use Html.Encode. It doesn't seem to be recognising it here. Thanks! ...

New Client needs help securing his website after getting hacked.. and I found this...

Soo, what is this? I haven't really experienced too much as far as "hacking" goes. I've dealt with and solved most problems with PHP applications and I understand about 70% of this code. But here is what I found, a web shell... by Boff? http://pastebin.com/kZeGHAHC ...

SimpleMembershipProvider

I was working with the new version of ASP.NET MVC3 and examining the WebSecurity class. I've added System.Web.Webpages as a reference and am able to use the WebSecurity properties and methods; however, I'm trying to understand how to configure it inside an ASP.NET page and not one built by WebMatrix. In the Web.config file, I did noti...

Why isn't this .htaccess file working?

Recently, my website was hammered with thousands of POST requests from various bots. Instead of taking the approach of blocking these bots based on their user agent, I've decided to find a way to block all POST requests sent to my website and allow all POST requests from within my website. I came up with the following: RewriteEngine ...

Is setting the SUID/SGID bit on the SVN binary a security risk?

I would like to use a callback feature of an SVN repository (Unfuddle) to ping a URL on my server whenever a commit has been made. I have a PHP script accepting the message and attempting to call a shell script to execute an 'svn update'. The problem I'm facing is that Apache is running under user 'www-data' and does not have access to ...

WCF Transport Security with SSL and Thread information

Hello all, I have a question about the above topic. I have a WCF service and use the Transport security model for it. But there is some mechanism related to the Thread state that I can't understand. In the constructor of my service I tried to set the Thread.CurrentPrincipal, but at the beginning of a called method of my service the Thread.Curren...

openssl encryption and decryption using evp library

Hi, I have a plain text and I have the cipher text with me and my task is to find the key for the cipher text declared. The key is a word list like a dictionary. I have written the code in C and it compiles perfectly and creates the file with all the ciphers. The problem I am facing is that every time I run the code a cipher text is comp...

Signing Applet problem

I signed my jar and its libs using these commands JarPath> keytool -genkey -dname "cn=ehab, ou=ehab, o=GDIT, c=SA" -alias CapSys -keypass 123456 -validity 999 -keystore CapSys -storepass 123456 JarPath> jarsigner -keystore CapSys -storepass 123456 -keypass 123456 CaptureSys.jar CapSys and when running it I found this exception j...

Authorising Web App users against User Information as well as Role.

Hi all, I was wondering if anyone would be able to help me with the following? I need some more complicated rules for authorisation in a webapp than just role, which I have working fine. Something along the lines of "Allow all Admins. Allow Buyers, provided they have the correct department ID and are allowed to see this customer's crede...

Security Request for JSON Result in ASP.NET MVC

Hello guys, I developed an application in ASP.NET MVC. This app has an action that returns a JsonResult and I get it with jQuery on the client side. Everything works fine but I'd like to know if there is any way to add security to this action so that it only responds to requests that came from my website. Is there any way to avoid other websites t...