Here is the scenario:
There is a file on the network I'd like my program to have access to. They haven't authenticated on the network when they run my software, so accessing the file fails.
If I have the user open up explorer and manually navigate to the network path, they get asked by windows for their credentials, and from then on, w...
I'm looking into building authentication in my ASP.NET application with the following requirements.
A user has exactly one Role (i.e. Admin, SalesManager, Sales, ....)
A role has a set of permissions to CRUD access a subset of existing objects. I.e.
"Sales has CREATE, READ, WRITE permission on object type "Products" but not DELETE"
Someho...
Are there any ways to secure stored procedure consistency at the software level, so as to be sure that they're going to do what they're expected to do?
I'm reluctant to use sprocs because reading and modifying them is so easy as long as you have administrative access to the computer and a copy of Management Studio Express. This is a com...
I asked the question:
What's with those Do-Not-Use Javascript People and many people said that Javascript allows security exploits through client-side attacks.
So I need to follow up and understand how bad the nature of these attacks is:
I'd like to hear some detailed descriptions of actual attacks or damage caused to your comput...
I am doing some work on a web site that has a secure area which is available to users only after they have logged in. In this area there is a page with links to pdf documents which can be downloaded. The physical documents are outside of the web site's root directory. The links to the pdf documents look something like this:
index.php?pa...
I am working on an ASP.NET page where we, in code, impersonate the requesting user. We are using the following code to start impersonating.
Dim impersonationContext As System.Security.Principal.WindowsImpersonationContext
Dim currentWindowsIdentity As System.Security.Principal.WindowsIdentity
currentWindowsIdentity = CType(User.Identity,...
I've got a web service:
http://machine001/Services/conversionService.asmx
This web service has one method in it called convert(string pInput).
I am trying to find out if there is a way to figure out, without logging into machine001 and without actually calling the convert method, if this web service has security applied.
If I am able ...
When I upload a file to a site using the ASP:File control the FileName property is different in IE and Firefox. In Firefox, it just provides the name of the file, but IE provides the full path to the file.
I have worked around this by adding the code:
Dim FileName As String = file.FileName
If FileName.LastIndexOf("\") > 0 Then
Fil...
There's a lot of security advice out there to tell programmers what not to do. What in your opinion are the best practices that should be followed when coding for good security?
Please add your suggested security control / design pattern below. Suggested format is a bold headline summarising the idea, followed by a description and examp...
Hello Everyone,
Alright so here is my issue. I'm working on a game engine that will eventually be multiplayer. This engine allows games to be written in either a .Net language or Lua (the built-in scripting engine). For security, however, I would like to prevent people from viewing these files and of course prevent them from editing them. M...
I have a WCF service that is hosted in a Windows application. The service uses netMsmqBinding. The client and the host are in different domains. My question is how do I configure the security settings?
The data that is transferred is sensitive so I would like to secure the communication between the client and the host of the service. T...
Doing some more tinkering with development on VS2008/Vista/IIS7, I'm wondering at a few things regarding the Network Service account. It had no issues running my website until I attempted to set up the Sql Role Membership Provider, which creates a local database in the App_Data folder. Somewhere in there, Network Service ran out of the p...
I am doing some research on .NET security. Most sources just describe .NET security mechanisms, but there is not even a word about possible vulnerabilities or things to be kept in mind. Do you know any security problems on the .NET platform?
...
A simple stupid "UPDATE table SET something=another WHERE (always true)" by accident will easily destroy everything in the database. It could be a human mistake, an SQL injection/overflow/truncation attack, or a bug in the code that builds the WHERE clauses.
Do popular databases provide a feature that protects tables by limiting the maximum numbe...
Assuming I do the same field validation in either case, is there any difference in terms of security whether you POST a form back to its own file or to another?
Note that I'm not referring to sensitive information or passwords within the form data, but to whether either method is better at avoiding various types of attacks.
...
It's basically one app that is installed on multiple PCs, each install maintaining its own database which is synced with the others' as and when they are up (connected to the same network) at the same time.
I've tested this using simple socket connections and custom buffers, but want to make the comms between the apps conform to accepted st...
This Wikipedia page has an extensive list of hashing methods
As you can see, both MD5 and SHA1 have been broken (in cryptography, "broken" means there's an attack less complex than the brute force attack. In other words, if you need 1 million years to find a collision instead of one billion years using brute force, the algorithm is consid...
See also What is the best way to check the strength of a password?
Some applications (or websites) compute a password complexity when you type it.
They typically display a red bar which turns orange, then green, then even greener as your password gets longer and contains more classes of characters (i.e. lowercase, uppercase, punctuation, di...
Is there a way to setup authentication (ala "Basic Authentication") without actually setting up an SSL Certificate? I'd also like to do this in REST or regular SOAP WCF Services, preferably in REST, but would like to be able to mix the services. In other words, "I want to be able to send a regular old username and password just like in...
Saving and auto-filling of username/password is a feature of most modern browsers. And the user can generally choose to disable this feature on a per-domain basis. But is there a standard way for the site itself to prevent password caching?
The emphasis here is cross-browser, so I would employ multiple parallel mechanisms if necessary.
...