security

Secure a PHP file; how?

I have a classifieds website, and a partner of ours (who runs another classifieds website) needs to have access to a file on our server. The file is called 'partner.php'. This file simply prints out some information about the classifieds on our site. So for our partners, they would just need to access "www.domain.com/partner.php?id=1234"...

JSP login with declarative security - How does the actual authentication happen?

Hi, I've been a little puzzled with this as I have not seen many examples that gave me the complete picture. The best explanation I found so far is this. By defining a security role in web.xml such as "admin" for example, and having my login form with all the necessary fields (i.e. j_security_check as action, and fields j_username, j_pa...

Hijacking Facebook with FireSheep; What is the best solution, and how does it work?

Regarding this security issue: http://techcrunch.com/2010/10/24/firesheep-in-wolves-clothing-app-lets-you-hack-into-twitter-facebook-accounts-easily/ Is it true to say "any time a user logs into a site, and isn't redirected to SSL/TLS/HTTPS connection, that the session cookies are vulnerable"? What is the best solution to protect a Fac...

TFS grant permissions to only one Branch

I was asked to grant permissions to several TFS users. These users must have access to one branch only. How can I do this? I'm going to create new TFS user group and deny access to root of Source Control, then allow access to necessary branch. What do you think? ...

How to get a MySQL Trigger to fire from multiple accounts

Hi folks, Here's my situation: I have a MySQL database in which I'd like to use triggers to automatically manage the updating of date creation and date modified fields in a few of my tables. Later, I'd like to expand them into logging data changes, but that's neither here nor there at the moment. The triggers work fine and update the...

Does Facebook for Android use HTTPS?

In light of the Firesheep exploit, does anyone know what protocol the Facebook for Android app is using? ...

Securing a payment gateway POST

I'm setting up a payment gateway on our site that we can post information to via php (so all information is hidden from prying eyes) which will post to authorize.net, post back to our gateway and post back to our current page. The purpose for this is to give us a streamlined method of processing payments and easier debugging. I have an...

Does sensitive ASP.NET Session data need to be encrypted?

Do ASP.NET Session[string key] data need to be encrypted to be secure? If such data always stays on the server, doesn't that make it safe to store credit card information, passwords, etc. there, as long as the data were sent via SSL from the client? ...

How to protect the connectionstring in web.config?

Hi, I have a website about to go live. I'm wondering what I should be doing about the connectionstring in the web.config. Do I obfuscate it, and if so how? Thanks! ...

Can I limit PHP to just the file it's in (stop abuse?)

I'm making a small file editor and the only kicker is I don't want the people who have access to it to use dangerous functions like unlink, chdir, exec, and I'm sure there are 100 more they shouldn't be able to use. I was thinking of just making an array of dangerous functions I don't want them to be able to use and when they save the file j...

Securing an "open" web service without HTTPS or private shared key

I am producing a web service which will allow any third party "device" to communicate with it. Each device has a reasonably unusual string to identify itself and uses the web service to store data against this id. However, this allows someone who wishes to game the service to scan through and guess device ids and store malicious data aga...

A good "loading" function in combination with a picture upload utility (PHP + JS)

I have a classifieds website, and when posting a new ad, users may choose to upload pictures. Currently, the form on the page submits to itself whenever a file is chosen, and then PHP uploads the actual file, which is then lastly displayed to the user. I use javascript to set some hidden-inputs on the page, and then submit the form to i...

Storing OAuth keys in code for iPhone apps

I'm writing an iPhone app that integrates with third party APIs. These APIs use OAuth (key/secret specific to my app, not per user) in order to authenticate which app the request is being made on behalf of. Is it secure (or how secure is it) to simply put the key/secret in code? Can this sort of data be reverse-engineered? Is there a bet...

Symmetric integer to integer encryption

I need some pointers or a practical example on how to encrypt an int to another int, and a secret key would be required to decrypt the value. Something like: encrypt(1, "secret key") == 67123571122 decrypt(67123571122, "secret key") == 1 This guy asks pretty much the same question: http://stackoverflow.com/questions/3131193/symmetric...

block access to AJAX directory with .htaccess

I have a directory "AJAX" that has all my, well, AJAX content; it is unformatted and ugly if you hit the pages directly. How do I stop someone from hitting http://www.site.com/AJAX/page1.php with the .htaccess file? ...

restrict direct linking to AJAX pages in a certain directory

I don't want to allow people to go directly to the pages in the AJAX directory, but they still need to be served from their parent page. I have tried numerous .htaccess lines but they all block it from the main page as well. To sum up, I don't want people to be able to type in http://www.mysite.com/AJAX/page1.html and view it, but page1.htm...

How do I derive from hashlib.sha256 in Python?

A naive attempt fails miserably: import hashlib class fred(hashlib.sha256): pass -> TypeError: Error when calling the metaclass bases cannot create 'builtin_function_or_method' instances Well, it turns out that hashlib.sha256 is a callable, not a class. Trying something a bit more creative doesn't work either: import h...

LSA Returns STATUS_BAD_VALIDATION_CLASS

Hello, I'm building an Authentication Package for Windows and I'm now just trying to make a skeleton for the package that I'm going to build. The Package at some point in time will need to call MSV1_0 but the workflow of my authentication is forbidding me from implementing it as a SubAuthentication Package for MSV1_0. Now, please exa...

Assets Security in Android.

Hello buddies, How can we make Android assets secure so that no one can read them after app deployment? ...

Using SecureZeroMemory in Delphi

I understand there is a SecureZeroMemory function in C. The function implementation is defined in <WinNT.h> as the RtlSecureZeroMemory function. QNS: How can SecureZeroMemory be used in Delphi? Did Delphi release a library that contains that function? I'm using Delphi 7. Windows.pas only has ZeroMemory but not SecureZeroMemory. ...