security

How do you set up use HttpOnly cookies in PHP

How can I set the cookies in my PHP apps as HttpOnly cookies? ...

Security advice for jquery ajax data post?

Hi, I'm using jquery ajax to post updates back to my server. I'm concerned about making sure I have put in place appropriate measures so that only my AJAX calls can post data. My stack is PHP on Apache against a MySQL backend. Advice greatly appreciated! ...

What SPN do I need to set for a net.tcp service?

I have a wcf application hosted in a windows service running a local windows account. Do I need to set an SPN for this account? If so, what's the protocol the SPN needs to be set under? I know how to do this for services over HTTP, but have never done it for net.tcp. ...

How to encrypt one message for multiple recipients?

What are the fundamentals to accomplish data encryption with exactly two keys (which could be password-based), but needing only one (either one) of the two keys to decrypt the data? For example, data is encrypted with a user's password and his company's password, and then he or his company can decrypt the data. Neither of them know the ...

Best way to avoid code injection in PHP

My website was recently attacked by, what seemed to me as, an innocent code: <?php if ( isset( $ _GET['page'] ) ) { include( $ _GET['page'] . ".php" ); } else { include("home.php"); } ?> There where no SQL calls, so I wasn't afraid for SQL Injection. But, apparently, SQL isn't the only kind of injection. This website ha...

PGP signatures from Python?

What is the easiest way to create and verify PGP/GPG signatures from within a Python application? I can call pgp or gpg using subprocess and parse the output, but I was looking for a way that didn't require an external program to be installed (my application is cross-platform mac/windows/unix). ...

How to store passwords in Winforms application?

I have some code like this in a winforms app I was writing to query a user's mail box Storage Quota. DirectoryEntry mbstore = new DirectoryEntry( @"LDAP://" + strhome, m_serviceaccount, [m_pwd], AuthenticationTypes.Secure); No matter what approach I tried (like SecureString), I am easily able to see the pass...

Is there a best .NET algorithm for credit card encryption?

The .NET System.Security.Cryptography namespace has a rather bewildering collection of algorithms that I could use for encryption of credit card details. Which is the best? It clearly needs to be secure for a relatively short string. EDIT: I'm in the UK, where I understand we're OK storing encrypted credit card details so long as the ...

How to safely embed any flash file (swf)?

I want to allow my users to embed their own Flash animations in their posts. Usually the actual file is hosted on some free image hosting site. I wouldn't actually load the flash unless the user clicked a button to play (so that nothing auto-plays on page load). I know people can make some really annoying crap in flash, but I can't fi...

Preventing Command Line Injection Attacks

We're currently building an application that executes a number of external tools. We often have to pass information entered into our system by users to these tools. Obviously, this is a big security nightmare waiting to happen. Unfortunately, we've not yet found any classes in the .NET Framework that execute command line programs whil...

Passing untampered data from Flash app to server?

I'm looking for secure ways to pass data between a client running Flash and a server. The data in question will be generated BY the Flash app, which in this case is your score after finishing a game. I want to verify the data is untampered on the server. What are some good methods of getting this done? One simple way is to perform so...

.Net 3.5, most secure way to pass string between processes

I'd like to be able to pass a SecureString (a cached passphrase) to a child process in C# (.Net 3.5), but I don't know what the most secure way is to do it. If I were to convert the SecureString back to a regular string and pass it as a command-line argument, for example, then I think the value may be prone to disk paging--which would ma...

Storing Windows passwords.

I'm writing (in C# with .NET 3.5) an administrative application which will poll multiple Windows systems for various bits of data. In many cases it will use WMI, but in some cases it may need to read remote registry or remotely execute some command or script on the polled system. This polling will happen at repeating intervals - usually ...

Top tips for secure web applications

I am looking for easy steps that are simple and effective in making a web application more secure. What are your top tips for secure web applications, and what kind of attack will they stop? ...

Making sure a web page is not cached, across all browsers.

Our investigations have shown us that not all browsers respect the http cache directives in a uniform manner. For security reasons we do not want certain pages in our application to cached, ever, by the web browser. This must work for at least the following browsers: Internet Explorer versions 6-8 FireFox versions 1.5 - 3.0 Safari ver...

Where can I find thorough DCOM documentation?

I work on an application that uses DCOM to communicate between what are essentially several peers; in the course of normal use, instances on separate machines serve a variety of objects to one another. Historically, for this to work we have used some magic incantations, chief among which is that on every machine the user must log into a...

What are some good SharePoint security resources?

I've got a SharePoint application and I'm sad to say that in my SharePoint-induced excitement, I ignored a lot of the security concerns I should have been paying more attention to. Though we didn't before, now we actually need granular security, so I need to get educated. I'm mostly interested in how to best create groups and add users...

Symmetric key storage

My company is going to be storing sensitive data for our customers, and will be encrypting data using one of the managed .NET encryption algorithm classes. Most of the work is done, but we haven't figured out how/where to store the key. I've done some light searching and reading, and it seems like a hardware solution might be the most se...

Other ways to encrypt WCF Connections

I'm currently working on a project that requires encrypted data be passed between WCF hosts. As I understand it there are only 2 ways to ensure that data passed over WCF is secure. Using Certificates Using a Domain (or having the same username and password on every machine on the network) Using certificates can be expensive and comp...

What would it take to make OpenID mainstream?

OpenID is a great idea in principle, but the UI and the explanation as to why it is good are currently not tailored for general use -- what do you think it would take to make OpenID work for the general public? Can this be solved with technology, or is the problem so intrinsically hard that we are stuck with difficult explanations/multi...