I know there is the SecureString class, but for most scenarios I don't think it's really useful.
For example, let's say I have a client/server system. The server doesn't need an application made by me, it could be even SQL Server without integrated authentication. When the user enters his password on a form in the client app, it's store...
Browsing through the more dubious parts of the web, I happened to come across this particular SQL injection:
http://server/path/page.php?id=1+union+select+0,1,concat_ws(user(),0x3a,database(),0x3a,version()),3,4,5,6--
My knowledge of SQL - which I thought was half decent - seems very limiting as I read this.
Since I develop extensive...
I understand the right way to protect a db from SQL injection is by using prepared statements. I would like to understand how prepared statements protect my db.
For starters, are prepared statements the same thing as "parameterised queries"?
As an example, I'm pasting below my code for the insertion of a new user in a user table. I...
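The UNION payload quoted a few questions up and the prepared-statement question above are two sides of the same thing, so one added example covers both. This is editor-written Python, not code from either question, and it uses SQLite instead of MySQL so it runs offline: the MySQL functions `user()`, `database()` and `version()` are replaced by a subquery against a constructed `users` table, and the table and column names (`items`, `users`, `c2`..`c6`) are assumptions. The payload keeps the shape of the one on the page: a UNION whose column count matches the original query, the stolen data placed in the column the page renders, and `--` to comment out whatever follows the id. (Incidentally, in MySQL the first argument of `CONCAT_WS` is the separator, so the quoted payload uses `user()` as the separator between `database()` and `version()`; it still works, it just prints them in an odd order.)

```python
import sqlite3

# Constructed stand-in for the injectable page's backend: an "items" table with
# the seven columns the page's UNION payload lines up with, plus a "users" table
# holding the data an attacker is after. All names and values are assumptions.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, c2 TEXT, "
        "c3 TEXT, c4 TEXT, c5 TEXT, c6 TEXT)"
    )
    conn.execute("INSERT INTO items VALUES (1, 'widget', 'a', 'b', 'c', 'd', 'e')")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'deadbeef')")  # constructed hash
    return conn


def lookup_item_vulnerable(conn: sqlite3.Connection, item_id: str) -> list:
    """page.php?id=... the way the injectable page builds it: the raw request
    parameter is pasted into the SQL text, so SQL inside it is parsed as SQL."""
    sql = "SELECT id, name, c2, c3, c4, c5, c6 FROM items WHERE id=" + item_id
    return conn.execute(sql).fetchall()


def lookup_item_safe(conn: sqlite3.Connection, item_id: str) -> list:
    """Same query with a bound parameter. The SQL text is fixed before the value
    is supplied, so the value is only ever compared against id, never parsed."""
    sql = "SELECT id, name, c2, c3, c4, c5, c6 FROM items WHERE id=?"
    return conn.execute(sql, (item_id,)).fetchall()


def add_user_safe(conn: sqlite3.Connection, username: str, pw_hash: str) -> None:
    """Parameterised INSERT for the 'new user' case: quotes, comment markers and
    extra statements inside the username are stored as text, not executed."""
    conn.execute(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)", (username, pw_hash)
    )
    conn.commit()


def get_user_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT username FROM users ORDER BY id")]


# SQLite equivalent of the page's MySQL payload: 7 columns to match the original
# SELECT, the interesting data in column 3, '--' to drop the rest of the query.
UNION_PAYLOAD = "1 union select 0,1,(select username||':'||pw_hash from users),3,4,5,6--"
# Classic attempt to break out of a quoted INSERT; harmless once parameterised.
INSERT_PAYLOAD = "mallory', 'x'); DROP TABLE users; --"


if __name__ == "__main__":
    db = make_db()
    for row in lookup_item_vulnerable(db, UNION_PAYLOAD):
        print("vulnerable:  ", row)        # second row carries admin:deadbeef
    print("parameterised:", lookup_item_safe(db, UNION_PAYLOAD))  # []
    add_user_safe(db, INSERT_PAYLOAD, "0000")
    print("users:", get_user_names(db))    # payload stored as a plain username
```

On the terminology question: "prepared statement" names the mechanism (the statement is compiled once with placeholders and values are bound afterwards) and "parameterised query" names the practice; in day-to-day use they mean the same thing. The one caveat worth checking in your driver is whether it binds on the server or merely escapes and interpolates on the client; both keep the value out of the SQL grammar, but only the former also avoids a round trip of quoting rules. Note that binding alone does not validate: the safe lookup above returns no rows for the payload rather than an error, so an `int()` conversion or similar check on the id is still good practice.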
Hi,
I am attempting to secure a website I am currently developing using ASP.NET MVC 2.0 and forms authentication. In order to secure the forms authentication cookie I want to set the requiresSSL property to true so the cookie is only sent by browsers when the connection is under SSL, and obviously ensure that all resources which require...
This is a fundamental design question about the service layer in my application, which forms the core application functionality. Pretty much every remote call reaches a service sooner or later.
Now I am wondering if
every service method should have a User argument, for which the operation should be performed
or if the service should a...
Section 15.1.3 in RFC 2616 states:
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol
However, I know many browsers have bugs and don't always follow spec, plus it only says SHOULD NOT, instead of MUST NOT. So my question is therefore:
1) Is...
Context
I'm working on a C# module which is responsible for integrating our business with an external entity as part of our SOA system. The external entity provides web services. They're thoroughly tested, as it is a federal government product.
The module has been developed using test-driven approach, we use nUnit and everything was fine durin...
Specifically, I have written a Rails app in which I'm using the default (in Rails 2.3.5) CookieStore session store and I've spotted an odd problem in development.
Myself and a few others had been using the site for a few weeks and we each had a login based on a username and password (each user registered themselves and I stored the (sal...
I'm setting up security on my Rails App according to the Ruby on Rails Guide.
My understanding is that the 'edit' method in the Users Controller (which I'm using to render my User settings view) should only be submitting a GET request, and that the 'update' method is submitting the POST request. But when I want to verify the types of r...
I write test automation and scripts that require windows authentication to the domain to access.
I don't like keeping them in the app.config because they are available in plain text.
I don't like prompting for input because then it isn't automated anymore.
If I hard code them in the assembly they are visible from .Net Reflector and they ...
Is there a way to configure EC2 Security Groups so that they do not allow specific types of outbound connectivity (such as making HTTP requests to the public internet)?
...
I would like to prevent loading of malicious DLLs that may be possible through access of the current working directory as described in http://msdn.microsoft.com/en-us/library/ff919712(VS.85).aspx
The solution implemented in our C++ apps was to make a WinAPI call to SetDllDirectory(""), which would effectively remove the current working ...
I have two different applications loaded into different frames.
I need them to communicate.
I know that the JavaScript security model does not allow frames loaded from different domains to communicate,
but since I control both applications, maybe there is a way to allow frames loaded from a specific other domain to communicate with this frame.
...
Considering the recent ASP.NET vulnerability, what should I look for in my httphandlers that would cause such a Padding Oracle vulnerability?
Asked in another way... what did MSFT do wrong and what did they fix in their handlers?
...
I see that the ABE source given in this link http://acsc.cs.utexas.edu/cpabe/index.html is written in C for a UNIX environment. I just have these libraries.
Now, I need to use ABE in my C# project. How do I do that? How do I migrate a project from a UNIX environment to a C# environment? How do I compile the ABE project in a Windows environment using Mi...
Hi all
I need to disable the security pop-up when I use https:// in the IE browser,
and I need the JS code or PHP code to do that. Thanks.
...
Hi folks,
I need to call a secured web service (https) using Java (or even any other programming language).
Do I need to do any extra steps other than the usual steps to create a client for an HTTP web service?
EDIT:
Please, I need an answer to this question too:
If not, how does my client decrypt the encrypted message sent from the web service?...
I need to store authentication credentials for legacy systems in a J2EE container (IBM WebSphere Application Server Network Deployment 6.1). These legacy systems are accessed using an HTTP interface, but it's not a Web Service. The idea is to query these credentials using JNDI (or some other mechanism) and then use it to authenticate in ...
I want to generate a link
http://site/?code=xxxxxxxxxx
Where xxxxxxxxxx is an encrypted string generated from the string user01. And I will need to convert it back later.
Is there a simple way to encrypt and decrypt a string like this?
...
I am looking for a book which has JSF 2.0 security topics and a decent amount of tutorials/examples on how to implement those security features (e.g. session management, roles, limited number of login tries, input validation etc.).
...