security

Good way to sanitize input in classic asp

I have to update old projects at work. I do not have any experience with classic asp, although I'm familiar with php scripting. Are there any functions I should use? Can you provide me with a good function for some basic protection? Is there something like a parameterized query in asp? Thanks! ...

'NT AUTHORITY\NETWORK SERVICE' not inheriting local group permissions?

We are deleting images that have been uploaded to our server using an ASP.NET web page. The site is running under 'NT AUTHORITY\NETWORK SERVICE' in IIS. On the IIS server we have created a local group 'Full_Access' that we have added the 'NT AUTHORITY\NETWORK SERVICE' to. This group has NTFS Modify permission enabled on the file. When ...

Can cookies be copied between machines to impersonate a user?

We have an application that among other things, checks the existence of a cookie and reads and decrypts the contents of the cookie. Though the data stored inside the cookie is not sensitive, it has been encrypted via TripleDes encryption. A question was raised today whether the cookie saved on a single PC, could be copied on to another P...
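An added example (not code from the original post) of what a server can and cannot do about a copied cookie. The names, the secret, the 900-second lifetime and the two client addresses are assumptions. The cookie here is an opaque random token; the server keeps the session record itself and checks lifetime and a keyed fingerprint of the presenting client, which shows both that a copy made on a different machine can be caught and that a copy that reproduces the same headers cannot.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = b"replace-with-a-random-key-from-config"  # assumption: kept server-side only


class SessionStore:
    """Server-side sessions: the cookie is an opaque random token; everything
    the server trusts lives in this table, not in the cookie."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self.sessions = {}  # token -> {"user", "fp", "expires"}

    @staticmethod
    def fingerprint(user_agent: str, client_ip: str) -> str:
        # Keyed so the fingerprint cannot be precomputed from public headers alone.
        msg = ("%s|%s" % (user_agent, client_ip)).encode()
        return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

    def issue(self, user: str, user_agent: str, client_ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable and carries no data
        self.sessions[token] = {
            "user": user,
            "fp": self.fingerprint(user_agent, client_ip),
            "expires": now + self.ttl,
        }
        return token

    def validate(self, token: str, user_agent: str, client_ip: str, now: float):
        """Returns the user for a valid presentation, else None."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now >= s["expires"]:
            self.sessions.pop(token, None)  # expired: forget it so it cannot be replayed later
            return None
        if not hmac.compare_digest(s["fp"], self.fingerprint(user_agent, client_ip)):
            return None  # presented from a client that does not look like the one it was issued to
        return s["user"]

    def revoke(self, token: str) -> None:
        self.sessions.pop(token, None)


def demo() -> dict:
    """Constructed scenario (assumed addresses/user agent): a cookie issued on
    PC A is copied to PC B and presented from there."""
    ua = "Mozilla/5.0 (Windows NT 5.1)"
    store = SessionStore(ttl_seconds=900)
    tok = store.issue("alice", ua, "10.0.0.5", now=1000.0)
    return {
        "owner": store.validate(tok, ua, "10.0.0.5", now=1010.0),
        "copied_other_ip": store.validate(tok, ua, "10.0.0.9", now=1010.0),
        "copied_same_ip_and_ua": store.validate(tok, ua, "10.0.0.5", now=1020.0),
        "owner_after_expiry": store.validate(tok, ua, "10.0.0.5", now=2000.0),
    }
```

Encrypting the cookie's contents hides them from the user; it does nothing to stop the cookie file being carried to another PC and replayed. The fingerprint check is a hurdle, not proof of identity: a copy presented from behind the same NAT address with the same browser passes, and binding to the client address also breaks for users whose address changes, so a short lifetime, server-side revocation and re-authentication before sensitive actions do most of the real work.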

Preventing XSS (Cross-site Scripting)

Let's say I have a simple ASP.NET MVC blog application and I want to allow readers to add comments to a blog post. If I want to prevent any type of XSS shenanigans, I could HTML encode all comments so that they become harmless when rendered. However, what if I wanted to allow some basic functionality like hyperlinks, bolding, italics, etc? ...

Guide for securing an ajax php webapp

Hello, I have a small AJAX application, written in PHP that I did not secure from the start. I would like some recommendations on how to now secure the app, things to implement and check for. I have not found any exhaustive guides on google, and hope that some can be recommended. It is a small application that connects to and displays ...

Apache2 Undefined Charset UTF-7 XSS Vulnerability

Does anyone have an idea how I can fix this vulnerability in Apache 2.2.4, without upgrading the Web Server? This is what I found about it on the net at SecurityReason. The fix suggested by them is to upgrade it to version 2.2.6. But the server is live and upgrading it is the last resort. Apache2 XSS Undefined Charset UTF-7 XSS Vulne...

From what do sql parameters protect you?

Parameters are used to protect you from malicious user input. But if the parameter expects a string, is it possible to write input that will be interpreted as sql, so malicious users can use things like 'DROP', 'TRUNCATE', etc...? Are there differences in protection between parameters in asp, asp.net, java and others? See also: Are ...
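An added example, not from either post, covering the two questions above (parameterized queries in general and the "can a string parameter still be interpreted as SQL" worry). It uses Python's sqlite3 driver and a constructed two-row table; the function and column names are assumptions. It shows the same tautology input against a string-spliced query and a parameterized one, and then the case parameters do not cover: a column name, which can only be bound to an allowlist.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed sample schema and rows (not from the original posts)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user');
        """
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the user's string is spliced into the SQL text, so a quote
    inside it ends the literal and the rest becomes part of the statement."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised: the SQL text and the value travel separately, so the
    value is compared as a string no matter what characters it contains."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


ALLOWED_ORDER_COLUMNS = {"name", "role"}  # assumed sortable columns


def list_users(conn: sqlite3.Connection, order_by: str) -> list:
    """A parameter can only stand in for a value, never for an identifier or a
    keyword, so a user-chosen sort column has to be checked against an allowlist."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unexpected sort column: %r" % order_by)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + order_by)]


TAUTOLOGY = "x' OR '1'='1"  # constructed attacker input


if __name__ == "__main__":
    conn = setup()
    print(find_user_unsafe(conn, TAUTOLOGY))  # every row comes back
    print(find_user_safe(conn, TAUTOLOGY))    # no user has that literal name
```

The unsafe version returns every row because the input rewrites the WHERE clause; the safe version returns nothing because the driver never lets the value touch the statement text. Words like DROP or TRUNCATE inside a bound string are just characters. The protection is the same in ADO, ADO.NET and JDBC as long as the value really is bound and not concatenated into the command text before binding; the ORDER BY case is where every one of them leaves you on your own.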

Trouble with LoadVars.sendAndLoad in Actionscript 2 across different computers

Hi guys, I'm writing a very simple flash app (AS 2) to sign users up to an email newsletter; the way it works is that it uses LoadVars to hit a (same-domain) PHP script via POST with the user's email address. The PHP script then passes the info through to another domain (the newsletter mailer URL) via curl to sign up the user. So far, ...

Computer A can reach network web service, while computer B can't. Any ideas?

You'll have to pardon me as I wasn't sure where to place this. This overlaps in the areas of C# Web Services and Network/Security management I suppose. I have a server that runs various web applications. One of them is a web service. The account everything runs under is a local account on the machine. It is not a domain account. I don't...

Deploying a Custom Field Types to the bin directory

As stated here, custom field types (and any dlls they have a reference to?) must be deployed to the global assembly cache. Why, and what problems may arise by deploying to the bin directory? I’m trying to secure my code by writing CAS policies, and since my field controls use a lot of helper methods shared by my other code this seems like ...

Has reCaptcha been cracked / hacked / OCR'd / defeated / broken?

Have any programming methods been used to defeat reCAPTCHA? I'm interested in seeing evidence and potentially demonstrations that reCAPTCHA in particular has been made obsolete by completely automated, humanless methods. To clarify, I'm not looking for reCAPTCHA-cheating solutions that involve humans in any way, whether teams in India...

What is the difference between DoS and Brute Force attacks?

Hello guys, I was reading about DoS attacks on Apache servers, but the "Brute Force" term pops up sometimes. I know DoS attacks, but "Brute Force" seems to be similar. Is there a difference, or is it just another word for DoS? ...

Conceptual overview of WCF security model?

I'm working with WCF at the moment and attempting to implement a custom security model based around an API key and signature (similar to how Facebook/Flickr/OAuth etc. work). There are a whole bunch of classes like ServiceAuthorizationManager, SecurityToken, SecurityTokenValidator, IAuthorizationPolicy and so on, but I can't seem to fin...

How do you achieve field level security in ASP.Net?

I have an .aspx form with 20 fields that must be disabled based on a user's role and the status of an order record. Currently the application has 5 roles and 3 statuses, so I have 300 different possible conditions that I have to account for. My first thought is to store each permutation in a table, then set the fields when the page loads by ...

Storing Username/Password During Processing

Working inside the context of an ASP.NET application I am creating a page that will be able to execute database scripts against one of many databases in our environment. To do this we need to prompt the user for a username/password combination, this value can be used for all servers without issue. The question is where is the most secu...

Deleting files securely in delphi7

Problem: I want to securely delete a file in Windows XP. Context: I need to delete my input file securely once I have finished with it. At the moment I am overwriting all the data with zeros; this is messy, as my temp folder becomes full of old files. Also, the names of the files are a security issue, rather than just moving them to the recycl...
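An added example, not the poster's Delphi code, of the procedure the post describes: overwrite the contents, then deal with the name, then remove the file. It is written in Python against the standard library; the pass count, chunk size and the sample file name are assumptions. The name is handled by renaming to random names before unlinking, so that the telling original name is not what remains in the directory entry.

```python
import os
import secrets
import tempfile


def secure_delete(path: str, passes: int = 2, chunk: int = 64 * 1024) -> None:
    """Overwrite the file's contents in place, obscure its name, then unlink it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))  # random rather than zeros
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push each pass to disk before the next one
        f.seek(0)
        f.truncate(0)
    # The original name is itself sensitive: rename to random names (twice) so
    # that whatever lingers in the directory is meaningless, then remove it.
    directory = os.path.dirname(path) or "."
    for _ in range(2):
        new_path = os.path.join(directory, secrets.token_hex(8))
        os.rename(path, new_path)
        path = new_path
    os.remove(path)


def demo() -> tuple:
    """Constructed scenario (assumed file name and contents): a temp file with
    a telling name is wiped and the directory is checked afterwards."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "payroll-export.csv")
        with open(p, "wb") as f:
            f.write(b"secret data\n" * 5000)
        existed = os.path.exists(p)
        secure_delete(p)
        return existed, os.path.exists(p), os.listdir(d)


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: overwriting in place only reaches the original sectors when the filesystem actually writes back to them, which journaling filesystems, copy-on-write filesystems, SSD wear levelling and volume shadow copies can all defeat; and the rename trick hides the name from the live directory listing, not from journals or earlier backups. On the XP/NTFS setup in the question it is a reasonable best effort, not a guarantee.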

Erlang : Disallowed Nodes / Maybe Cookie question.

Trying to get two Erlang nodes talking to each other: one on an Ubuntu machine and one on Windows XP. We're getting a "Connection attempt from disallowed node" message which prevents one node receiving messages from the other. They're both using 5.XXX versions of Erlang OTP. Both nodes have the same cookie (.erlang.cookie). We are s...

taking care of XSS

I ran a pen-testing app and it found a ton of XSS errors; specifically, I'm guilty of echoing unverified data back to the browser through the querystring. Specifically, running this puts javascript into my page. http://www.mywebsite.com/search.php?q=%00'" [ScRiPt]%20%0a%0d>alert(426177032569)%3B[/ScRiPt]. Thankfully, nowhere do I let ...
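An added example, not code from either post, covering the two XSS questions above: the search-term echo, where no markup is wanted and encoding every reserved character is the whole fix, and the blog-comment case, where a few tags are wanted and the safe approach is to keep an allowlist and turn everything else into escaped text. It is written in Python on the standard library; the allowed tag set, the http/https-only link policy and the rel="nofollow" attribute are assumed policy choices.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for comments: a few formatting tags, and links only to http(s).
ALLOWED_TAGS = {"b", "i", "em", "strong"}
SAFE_LINK_SCHEMES = {"http", "https"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises input keeping only allowlisted tags; everything else,
    including every attribute on an allowed tag, becomes escaped text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # (tag, emitted) for elements we have seen opened

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)  # attributes such as onmouseover= are dropped
            self.stack.append((tag, True))
        elif tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if urlsplit(href).scheme.lower() in SAFE_LINK_SCHEMES:
                self.out.append('<a href="%s" rel="nofollow">' % html.escape(href, quote=True))
                self.stack.append(("a", True))
            else:
                self.stack.append(("a", False))  # javascript:, data:, relative: keep text, drop link
        else:
            self.out.append(html.escape(self.get_starttag_text()))  # shown as literal text

    def handle_startendtag(self, tag, attrs):
        self.out.append(html.escape(self.get_starttag_text()))  # <img .../> etc. shown as text

    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.stack):
            while self.stack:  # close whatever was opened since, so misnesting cannot escape
                t, emitted = self.stack.pop()
                if emitted:
                    self.out.append("</%s>" % t)
                if t == tag:
                    break
        else:
            self.out.append(html.escape("</%s>" % tag))  # stray close tag: literal text

    def handle_data(self, data):
        self.out.append(html.escape(data))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

    def result(self) -> str:
        self.close()
        while self.stack:  # close anything the author left open
            t, emitted = self.stack.pop()
            if emitted:
                self.out.append("</%s>" % t)
        return "".join(self.out)


def sanitize_comment(text: str) -> str:
    """Comment body -> HTML containing only the allowlisted markup."""
    p = AllowlistSanitizer()
    p.feed(text)
    return p.result()


def echo_query(q: str) -> str:
    """For output that needs no markup at all (the search-term echo)."""
    return html.escape(q, quote=True)
```

The sanitizer never copies an attribute through, which is what closes the event-handler and style-based tricks; links are the one exception and are reduced to a checked href. Both functions produce output for an HTML text or attribute context; a value dropped into a script block or a URL still needs the encoding for that context.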

How to make cross-domain communication between JavaScript and Flash?

How do I open 'cross-domain security', so the JavaScript on the page can freely communicate with the SWF, even when this is hosted on another domain? I know for certain that this function communication is blocked by default, but by playing around with a file called "crossdomain.xml" and the actionscript 3 function: system.Security.allow...

Best Security / Vulnerability Testing Firms?

I'm in charge of a web application that must be extremely secure. Users will be submitting highly sensitive information to each other using the site. Security must be world-class. We believe we've built the site in such a way that minimizes security risks and we've implemented numerous policies and procedures company-wide to increase securi...