security

PHP - Sanitize all data?

Hi, I am making a CMS which can be extended by third-party developers. In the past I have had problems with newbie developers ignoring security altogether. When they put their modules on my website, they are potentially compromising users' websites. I want to create a globals object. This will overwrite all globals with a sanitized co...

HTTP site with JSONP API over HTTPS?

Hi there. Given all the coverage FireSheep has been getting, I have been trying to work out the best practices for balancing HTTP / HTTPS usage for some sites I manage (e.g. blogging sites, magazine sites with user contributed comments). To me, it's overkill to deliver all pages over HTTPS if the user is logged in. If a page is public ...

What are the pros and cons of a 100% HTTPS site?

First, let me admit that what I know about HTTPS is pretty rudimentary. I don't know much about session security, encryption, or how either of those things is supposed to be done. What I do know is that web security is important; that horror stories of XSS, CSRF, and database injections pop up over and over again. I know that a preventa...

Protecting source code from theft during development

Is there any way to protect my code during development so that if a developer leaves my company they are unable to access files in my project? This is especially important with TFS where the project is downloaded locally, cached, and available for offline use. Ideally the code would be unreadable if they did not have a valid Active Di...

Actionscript call from javascript throws an exception

I know this subject isn't new at all but I'm going crazy that it doesn't work at all. So I created a "KISS" (Keep It Stupid Simple) sample just to see if it may be something from the original SWF or just a real problem... HTML is hosted on web site A (actually the Javascript too, but this last one will be moved to web site C) and th...

Custom IExtensibility2-based Outlook AddIn silently not loading when macro security turned on.

Hi gang, We have a custom IExtensibility2-based Outlook AddIn that runs in Outlook 2003, 2007, and 2010 (i.e. we're not using VSTO). In most cases, the AddIn loads and runs fine, but if the user turns on the "Apply macro security settings to installed add-ins" setting (via Tools->Trust Center->Add-ins), then our AddIn is silently not ...

Sandbox Virtual Machine for an Application (concept)

I'd like to write a sandbox virtual machine for executing a compiled program. My goal is to isolate that program from the rest of the operating system and control its execution so that it can't do anything harmful to the host computer. I assume that: the executed program is compiled to Portable Executable format and it's in machine code, not i...

LogonUser and others return error 1337 in Windows Server 2003 x86

After some update, I see the following issue on all Windows Server 2003 member servers (x86 only): LogonUser and LogonUserEx calls are failing with error 1337 (The security ID structure is invalid). Basically, the following code fails: HANDLE token; BOOL b = LogonUserA( "username", "DOMAIN", "password", LOGON32_LOGON_INTERACTIVE,...

For a REST service, is api.domain.com more secure than domain.com/api?

I'm considering what base URL to use for a REST web service. I have the option of using one of the following formats: https://domain.com/api https://api.domain.com I'd like to make it both easy to use from client-side javascript apps and secure against forged request attacks. Is there a best practice to follow here? ...

AIR – Google Maps API Security Sandbox Violation?

I've just started using the Google Maps API for Flash (map_1_20.swc) for an AIR 2.5 application I'm building with Flash CS5. Everything loads and displays fine in the ADL except that I'm receiving security sandbox violations: *** Security Sandbox Violation *** SecurityDomain 'http://maps.googleapis.com/mapsapi/publicapi? file=flashapi&u...

java ee6 security - use user entity class

All I need is a simple login page that will check against the username and password of a simple User entity class. Is that possible with JAVA EE6? In the tutorials they always store the users on the glassfish server. ...

Are services like AWS secure enough for an organization that is highly responsible for its clients' privacy?

Okay, so we have to store our clients' private medical records online and also the web site will have a lot of requests, so we have to use some scaling solutions. We can have our own share of a datacenter and run something like Zend Server Cluster Manager on it, but services like Amazon EC2 look a lot easier to manage, and they are incre...

If user didn't come from HERE then do not process - How?

I tried to make use of $_SERVER, but it didn't work for me. What I need is: In order to access a page on my site, the user must come back from Paypal. If he isn't redirected from Paypal to my site, then don't execute the file but give the user an error instead. How can I do this? I tried the following: $url = 'paypal'; if(strstr($...

Do I have to keep my salt in the same column as my hash?

So, I'm cool with using a per-user salt to hash my users' passwords. However, there's one piece of advice in the accepted answer: Do not use a separate column for the salt. This doesn't make sense to me. If I'm just catenating the hash and salt and putting them in the same column, surely that's semantically equivalent to two separ...

How to hide SQL queries from web browsers (PHP)

Hi, I'm new to this forum and have a dilemma with my MySQL/PHP site. Now I've created a function that will take a SQL query passed to it and execute it. What I didn't account for was the fact that my SQL query being passed to the function is showing up in the "view source" of all browsers; which is a BIG security concern because hackers can see the ...

How to generate truly random numbers (NOT pseudo) in Linux

Hello, What is the (best) way to create secure random numbers in Linux (C/C++ code), more random than the general rand() results, and not pseudo like OpenSSL BN_rand? In Windows I found CryptGenRandom() as a good option. Is there any equivalent in Linux? Thank you in advance. ...

Why is this javascript code making browser draw 50% CPU and so much memory?

I have this banner rotator code: function ban_rot() { //First preload images // counter var i = 0; // create object imageObj = new Image(); // set image list images = new Array(); images[0] = "../Graphics/adv/1.gif" images[1] = "../Graphics/adv/2.jpg" // start preloading for (i = 0; i <= im...

Help in decompiling an SWF

Hi all.. Some time ago, me and my friend started working on a Flex project... Now it's almost finished, we are working on protection: my friend implemented a sort of encryption in the swf, so all the decompilers (we've tried) read the file as a "flash" app, and not "flex", so it's not possible to get the original sources etc... But (oh, ...

use of "setTimeout" to repeat function causes browser to display "Loading..." message

I have this banner rotator which is working fine except for one problem... This rotator here first goes through the function and when it reaches the "setTimeout" statement it triggers the "cycle" function again and again. You guys probably know that in Firefox there is a status-bar in the bottom-left corner, which says "loading" or "wa...

Python Firewall for Windows?

I am wanting to write a custom firewall for my win XP Pro SP2 computer. I would like to do it in Python, but I'm not exactly sure how. I would like it to block everything in and out of the computer until I approve it. How would this be done? ...