Is it possible to store passwords on the local system (Windows XP) that can only be accessed by the application itself?
My instinctive answer would be "no". Even if some kind of hashing or encryption is used I would think that as long as the source code is available then the determined seeker could always use this to retrieve the passwo...
Is there a way to use the DPAPI (Data Protection Application Programming Interface) on Windows XP with Python?
I would prefer to use an existing module if there is one that can do it. Unfortunately I haven't been able to find a way with Google or Stack Overflow.
EDIT: I've taken the example code pointed to by "dF" and tweaked it into ...
As part of trying to describe the threat posed by spyware and how to mitigate it I've been looking for information on how the various common spyware trojans currently in the wild capture password data. My best guess is that they either log keystrokes, intercept browser submissions or intercept GUI messages.
I'd like some more definitive...
I want to construct a transact sql script that will stop specified people from running certain commands against all databases:
drop database, drop table or preferably drop *
delete
update
Is this possible?
The user will already have access to the server.
Note: I am not trying to develop a security model for a server, or to prevent...
A website I maintain pro-bono was hacked, dishing out 302s to gaming sites, etc. www.rebekahshouse.org. After much searching through my hosting company's control panel, I found the culprit in the htaccess file.
It looked something like this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} .oogle.com [NC,OR]
RewriteCond %{HTTP_R...
Does anyone know a good practice of securing media for asp.net?
I need to host a variety of media that require permission to view a specific image/video, i.e. a specific user may or may not have permission to view a media file - and this fact may be changed on the fly.
I don't care if they can download a media file that they have ...
Why was it decided that using XMLHTTPRequest to do XML calls cannot do a call across the domain boundary? You can pull down Javascript, images, CSS, iframes, and just about any other content I can think of from other domains. Why are Ajax HTTP Requests not allowed to cross domain boundaries? It seems like an odd limitation to put, cons...
I'm writing a GUI application that will have a user log in feature. Each user will belong to (at least one, possibly more than one) group and each group will have attributes indicating if certain rights are allowed or not allowed. The list of rights will cover things like editing things from the past, printing, deleting data, etc. Lots o...
I'm looking for some resources that allow me to understand how to use this library, particularly for signing XML. Most of what I found out there is Java related, and I would prefer to get documentation/FAQs/tutorials on the C++ library.
...
What is the best way to avoid that an application is copied and used without the owner’s knowing?
Is there any way to trace the usage? Meaning periodically the application communicates back, with enough information so that we can know where it is, and if it’s legal. Next thing, of course, shut it down, if it’s not legit.
...
I'm trying to design some bookmarklets right now, that connect back to a server (say like magnolia), but by their very nature bookmarklets seem to fly in the face of what's established as internet security, and they are basically cross-site scripting by definition, however they are also powerful and cool tools, and fit the need of my req...
I have a database that contains sensitive information. I can encrypt / decrypt the data on the read write operations. The problem is that I need to store the key in the application. If someone has hacked their way in such that they have access to the database then they can also grab the application (java), decompile it and pull the key.
This ...
Hi,
Here is part of my web.config for my WCF service:
<bindings>
<basicHttpBinding>
<binding name="sslBinding">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" algorithmSuite="Default" />
<transport />
</security>
</binding>
...
I use application managed security for an Intranet web application.
I have the next filter in my web.xml file:
<filter>
<filter-name>employeeAccessFilter</filter-name>
<filter-class>security.AuthorizationFilter</filter-class>
<init-param>
<param-name>roles</param-name>
<param-value>employee</param-value>
</init-pa...
When typing in HTML forms, browsers like Firefox or IE store the values, sometimes quietly. So when typing in other web forms, the browser smartly suggests the same information. Another method to show the dropdown list is double-clicking an empty textbox.
In an e-commerce website, the customer types the credit card number, and another sen...
Scenario:
I am having a web application which is going to use SqlServerReport(SSRS) sitting on ReportingServer which is on my DatabaseServer.
There is a firewall between webapplication & SqlserverReport server.
Now how safe is it to use reports directly from webserver (i.e. accessing something there on database server)?
We use a appser...
I am invoking a webservice from my .NET web application and getting the following com.ibm.wsspi.wssecurity.SoapSecurityException on invocation.
WSEC5048E: One of "SOAP Header" elements required.
The SOAP request seems to be valid so I guess the problem is something to do with the webservice using WS-Security. I had to install a certific...
I have an ASP.NET MVC project containing an AdminController class - giving me URLs like http://myserver/admin/AddCustomer, http://myserver/Admin/ListCustomers, etc.
I want to configure the server/app so that URIs containing /Admin are only accessible from the 192.168.0.0/24 network (i.e. our LAN)
I'd like to restrict this controller to...
I'm working on an application that loads untrusted assemblies via an interface. Each of those assemblies should be able to add one or more GameAction objects to a thread-safe queue used by the server.
The first iteration of design was to just pass the queue--something like this:
public interface IGameClient
{
void HandleStateChange(I...
I'm trying to create system users with a PHP script securely. In that, I'd like to be able to hash the password with the PHP script, so that their password shows up nowhere in the bash history.
How do I take a string, and hash it so it is a unix password hash?
$UX_PW = some_function('my_password');
exec("useradd -p $UX_PW newusername")...