There are a couple of related questions, but I want to ask specifically about low-end browsers.
We have an existing .NET MVC 2 web application and would like a scaled-back, simple web interface to some of its functionality. As we are based in Africa we are targeting a wide range of very basic mobile browsers (i.e. not just iPhones, Android ...
I was reading about Firesheep and wondering how I can protect my Spring MVC 3.0 site against attacks like this:
It's extremely common for websites to
protect your password by encrypting
the initial login, but surprisingly
uncommon for websites to encrypt
everything else. This leaves the
cookie (and the user) vulnerable. HTT...
I just discovered ASP.NET uses its own profile system to register users and there seem to be a lot of features available as a bonus with it (such as secure authentication). However it seems rather specific to have such a feature in a general-purpose development environment, and things which work in the background the way the profiles syst...
I've just set up a proxy and run all my request through that proxy.
I investigated several different applications: they pass login and password pair raw, i.e. I can grab them from POST-request parameter.
How should it be implemented to make it more secure? (I haven't investigated Gmail and Facebook yet, but I think they don't have thi...
I want to include a secret key into an iOS app so that the app can "prove" to a certain server that a request is coming from the app itself and not some other system. I know that simply hardcoding a secret key into the code itself is very vulnerable as anyone can jailbreak their phone and attach GDB to my app's process to get the key. ...
The title pretty much says it all. A cookie seems to have a few advantages to me; however, I'll wait to see what others say.
Also - assuming a cookie is better, what can be done to make passing the session by GET variable better?
Specifically I'm thinking about PHP; however, this should apply generally.
...
Hi,
On Wikipedia I read:
Joux[3] noted that 2-collisions lead to n-collisions: if it is feasible to find two messages with the same MD5 hash, it is effectively no more difficult to find as many messages as the attacker desires with identical MD5 hashes.
But why is this so? I can't imagine why? The algorithms are open right, people ...
I created a new MS Access project against a SQL Server 2008 database using Windows-based authentication. (UPDATE: Now using login credentials, same results though.) I have some tables in the (dbo) schema and some I made in a (prj) schema.
In the Access project itself, prj is not recognized but the dbo ones are. Looking at the Access table l...
What methodologies do people recommend for mitigating the 'Firesheep' method for website applications?
We have thought about this and from a usability perspective, other than encrypting all traffic to a site, mitigating the attack can be somewhat of a problem for web developers.
One suggestion we came up with was to use path based cook...
So with Firesheep, everyone on a public Wi-Fi now has a one-click session hijack tool.
The way it works - to my understanding - is that it simply captures all traffic and grabs the session cookie (so it doesn't steal passwords).
From my understanding, this also means that an HTTPS-secured login does not solve this alone, as further HTTP...
Hi, I have a WebForms application. There is a page with textboxes and users enter search terms into these, which are used to query the database.
I understand I need to prevent JavaScript injection attacks?
How do I do this?
In MVC I would use Html.Encode. It doesn't seem to be recognising it here.
Thanks!
...
So, what is this? I haven't really experienced too much as far as "hacking" goes. I've dealt with and solved most problems with PHP applications and I understand about 70% of this code.
But here is what I found, a web shell... by Boff?
http://pastebin.com/kZeGHAHC
...
I was working with the new version of ASP.NET MVC 3 and examining the WebSecurity class. I've added System.Web.WebPages as a reference and am able to use the WebSecurity properties and methods; however, I'm trying to understand how to configure it inside an ASP.NET page and not one built by WebMatrix. In the Web.config file, I did noti...
Recently, my website was hammered with thousands of POST requests from various bots.
Instead of taking the approach of blocking these bots based on their user agent, I've decided to find a way to block all POST requests sent to my website and allow all POST requests from within my website.
I came up with the following:
RewriteEngine ...
I would like to use a callback feature of an SVN repository (Unfuddle) to ping a URL on my server whenever a commit has been made. I have a PHP script accepting the message and attempting to call a shell script to execute an 'svn update'.
The problem I'm facing is that Apache is running under user 'www-data' and does not have access to ...
Hello all,
I have a question about the above topic. I have a WCF service and use the Transport security model for it. But there is some mechanism related to the Thread state that I can't understand. In the constructor of my service I tried to set Thread.CurrentPrincipal, but at the beginning of a called method of my service the Thread.Curren...
Hi,
I have a plain text and I have the cipher text with me, and my task is to find the key for the cipher text declared. The key is a word list like a dictionary. I have written the code in C and it compiles perfectly and creates the file with all the ciphers.
The problem I am facing is that every time I run the code a cipher text is comp...
I signed my jar and its libs
using these commands:
JarPath> keytool -genkey -dname "cn=ehab, ou=ehab, o=GDIT, c=SA" -alias CapSys -keypass 123456 -validity 999 -keystore CapSys -storepass 123456
JarPath> jarsigner -keystore CapSys -storepass 123456 -keypass 123456 CaptureSys.jar CapSys
and when running it I found this exception:
j...
Hi all, I was wondering if anyone would be able to help me with the following?
I need some more complicated rules for authorisation in a webapp than just roles, which I have working fine. Something along the lines of "Allow all Admins. Allow Buyers, provided they have the correct department ID and are allowed to see this customer's crede...
Hello guys, I developed an application in ASP.NET MVC. This app has an action that returns a JsonResult and I get it with jQuery on the client side. Everything works fine, but I'd like to know if there is any way to add security to this action so that it responds only to requests that came from my website.
Is there any way to avoid other websites t...