security

Using SetWindowText in WIN32 GDI, and securely deleting data typed in

I wish to securely delete (not even a trace in memory) anything that user types into a textbox. I wonder if setting it to "" is secure enough. SetWindowText is a function in Win32 API, in user32.dll. In the program: SetWindowText(myHandle, "Hello"); SetWindowText(myHandle, "Goodbye"); //Was the buffer containing chars "Hello" overwrit...

How does digest authentication prevent replay attacks?

I found many questions on stackoverflow which have a mention about digest authentication. I could not find how digest authentication prevents replay attacks. I use the fiddler tool to intercept the http request to the servers. I used the same tool for replaying the requests to the server but the server asked for authentication....

Malicious Javascript - What does it do?

What does this javascript do? Is it a buffer overflow? Is it an xss? What does it do? What is the decoded version of this farbbibliothek[x] array? <SCRIPT> farbbibliothek = new Array(); farbbibliothek[0] = new Array("#FF0000","#FF1100","#FF2200","#FF3300","#FF4400","#FF5500","#FF6600","#FF7700","# FF8800","#FF9900","#FFaa00","#FFbb00","#FFcc0...

Security Service as Proxy

I've been tasked with creating a Security Proxy service. The idea is that if the backend security provider changes there is no impact on the main application. This ideally is what the backend security provider is for, but I have been tasked with creating a separate service which will effectively be a proxy to the backend security provide...

web2py makes no HTTP connection, how does it communicate with browsers?

I was trying to sniff HTTP packets through Wireshark on my localhost. When I tried working on a web2py instance at my localhost, no HTTP connections were found. While digging deeper into it I found it is not creating any connections in the application layer. Well then, how does it communicate with browsers without HTTP? (I have heard of web2py ...

Configuration file protection needed

I have a requirement to make sure that the configuration file is not tampered with. It is a simple key-value pair file. However I also do not want any strong encryption mechanism like AES and so on to ensure that the data in it is encrypted. I just want to ensure that I know that the file was tampered with. Some way in which a simple protection is pro...

Protect files with asp.net forms authentication

I'm using Asp.net running on a shared hosting environment. I'm using forms authentication to authenticate users. Now I need to add support for the users to create pdfs and images and save them on the server. The problem is that I need to protect the pdf/image created so only the user that created the file can use it, so it is protected f...

Salting a secret with itself before storing in a DB, what are the weaknesses?

I've heard of people using this approach and would like to know what the implications are. I just know it's a bad idea! From what I understand, salting a password before storing the hash in a DB has the primary purpose of making every hashing algorithm unique, and thus requiring a new rainbow table for every user when trying to crack it...

PHP session variable security

Is it a bad idea to store a raw sql query in a php session variable for later use? Does this present any security issues? ...

Web-service authentication management

Hello, I'll have to develop some private web-services, so I need a way to authenticate the users in order for each service to be able to know if a request is valid and to maintain some session states. I'd like to have a central authentication service with some simple operations like "logIn(login, password)" (that uses a directory like ...

How to prevent unwanted users from accessing a public website?

Many unwanted users are creating fake accounts on our website to pester us. What can we do? ...

mamp and dyndns security

Hi, I have set this up so I can test sites and let my client see them, the thing is I am worried about potential security to my local machine. I port forwarded port 80. What's the risk if any? Thanks, R. ...

Access HttpServletRequest in custom javax.security.auth.spi.LoginModule

We have a custom javax.security.auth.spi.LoginModule used for web services as well as some web applications on a Weblogic 11g. The goal is to record information regarding logins when going through the LoginModule, especially failed logins. Part of the desired information is the IP address that the authentication request came from. The ...

How do I hide pieces of the source code in a Rails app?

I've noticed on viewing the source of my Rails app that a lot of information is publicly available that shouldn't be - specifically a Google Analytics script that contains my GA account number, and the authenticity tokens for my forms. Are there any guidelines on hiding this kind of code in the source? ...

PHP Timer security

I have a timer on the site which the user will only be able to click on every * seconds/minutes/hours. Every user has a timer value in the users table where the values are written and read. The value in the database is the amount of seconds that the user will have to wait. I've figured out how to make the timer countdown from the correc...

Alternatives to Amazon VPC

I currently have 20 Windows VMs that are running on Amazon EC2. There are LOTS of people in the company that need ad-hoc RDP access to each one of these boxes. Occasionally I also run Unix instances, which again tend to have a lot of ad-hoc SSH access from a large number of users. So now I have a problem... When these boxes run within ...

Do ORMs implement encryption?

Typically the model for ORMs that I've used goes something like this: Program startup: Initialize ORM db connection. While running: make/modify/delete domain objects, commit changes, rinse and repeat. Program shutdown: commit any uncommitted changes if necessary, disconnect ORM db connection. What if someone is sniffing network traffic ...

Is it OK to return an HTTP 401 for a non-existent resource instead of 404 to prevent information disclosure?

Inspired by a thought while looking at the question "Correct HTTP status code when resource is available but not accessible because of permissions", I will use the same scenario to illustrate my hypothetical question. Imagine I am building a carpooling web service. Suppose the following GET /api/persons/angela/location retrieves t...

I am having trouble understanding XSS

I understand that XSS is when you can get a site to run arbitrary JavaScript by appending it to a URL or embedding it in the page somehow. I understand this is bad because it can allow people to steal cookies and such. What I don't understand is how that is possible. All my reading about it just shows people using alert() to display th...

A question about a CSS browser attack

I have been reading this - http://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html I do not understand it completely. The PoC displays an alert to the user. How does this help an attacker? From trying to understand that PoC, would it not rely on a CSS id of blah being present? How would you know in advan...