security

Why is using a certificate, made with the MakeCert tool, in production bad?

I'm currently working on a project where I've created a CA cert and a couple of child certs to that CA cert. The certificates are going to be used to protect inter-server communication in a SAMLV2 setup so I'm going to have a cert for the identity provider and a cert for the service provider. The user/browser isn't going to validate the ...

stack execution protection and randomization on ubuntu

Hi all, As part of a course assignment I need to write exploit code to cause a buffer overflow and execute code that is present on the stack. I have turned off the stack randomization by the following command: sysctl -w kernel.randomize_va_space=0 However, I am unable to find a way to turn off the stack execution protection. I am not sur...
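Unlike ASLR, which the sysctl above disables system-wide, the non-executable stack is decided per binary: the kernel reads the PT_GNU_STACK program header and maps the stack executable only when that header's PF_X bit is set. Linking with `gcc -z execstack` (or running `execstack -s` on the finished binary) sets that bit, and `-z noexecstack` clears it. The following added example, not code from the question, parses an ELF64 image and reports the flag so you can confirm what the loader will do before trying the exploit; the two tiny ELF images it builds are constructed test inputs, not real binaries.

```python
"""Check whether an ELF64 binary asks the kernel for an executable stack.

Added example (not from the question). The loader decides stack
executability from the PT_GNU_STACK program header: if its p_flags has
PF_X set, the stack is mapped executable. `gcc -z execstack` (or
`execstack -s BIN` afterwards) sets that bit; `-z noexecstack` clears it.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551  # p_type value of the GNU stack header
PF_X = 0x1                 # execute permission bit in p_flags
PF_W = 0x2
PF_R = 0x4


def stack_is_executable(elf: bytes) -> bool:
    """Parse the ELF64 program headers and report the PT_GNU_STACK PF_X bit."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2:
        raise ValueError("only ELF64 (EI_CLASS == 2) is handled here")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    # No PT_GNU_STACK header at all: on x86 Linux the kernel falls back to
    # the legacy read-implies-exec mapping, so the stack ends up executable.
    return True


def build_elf64(stack_flags: int) -> bytes:
    """Constructed test input: a minimal ELF64 (x86-64, little-endian) image
    with a single PT_GNU_STACK program header carrying the given p_flags."""
    e_phoff, e_phentsize, e_phnum = 64, 56, 1
    # EI_MAG, EI_CLASS=2 (64-bit), EI_DATA=1 (LE), EI_VERSION=1, EI_OSABI=0, padding
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,         # e_type: ET_EXEC
        0x3E,      # e_machine: x86-64
        1,         # e_version
        0x400000,  # e_entry (unused here)
        e_phoff,   # program header table directly after the ELF header
        0, 0,      # e_shoff, e_flags
        64,        # e_ehsize
        e_phentsize, e_phnum,
        0, 0, 0,   # no section headers
    )
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Pass a real binary on the command line, e.g. one built with
    # `gcc -fno-stack-protector -z execstack vuln.c -o vuln`.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "executable stack:", stack_is_executable(f.read()))
    else:
        print("default (RW)  :", stack_is_executable(build_elf64(PF_R | PF_W)))
        print("execstack (RWX):", stack_is_executable(build_elf64(PF_R | PF_W | PF_X)))
```

`readelf -lW vuln | grep GNU_STACK` shows the same flags (`RW` versus `RWE`). Note that `-z execstack` only removes the NX obstacle; the stack canary inserted by modern gcc is a separate protection and needs `-fno-stack-protector` at compile time.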

Which browsers do support HttpOnly cookies?

Which browsers do support HttpOnly cookies, and since which version? Please see http://www.codinghorror.com/blog/archives/001167.html for a discussion of HttpOnly cookies and XSS-prevention. ...

What is the App_Data folder used for in Visual Studio?

When creating a new ASP.NET application in Visual Studio, a couple of files and folders are created automatically. One of those folders is called App_Data. Also, when publishing a website by selecting the menu option Build->Publish, a checkbox is available: Include files from the App_Data folder. Am I right in assuming that the files put in ...

How do I access JAAS roles at arbitrary point in the code?

I want to access the full model of users with their roles in my SOAP app. For example, I might want to know the role of a user called "Fred." How do I reach into some sort of global JAAS registry and do (pseudocode) globalRegistry.getUser("Fred").getPrincipals()? (Note that in JAAS, roles are represented by Principals.) I know how to...

ASP.net application can't connect to SQL Server 2005 database.

Here is the scenario: IIS 6 and SQL Server 2005 on same machine: I have just created a new application inside of my main website in IIS. The root website has its own database. The application I just created under the root site has its own database, as well. ASP.net pages in the root site connect to their database using trusted securi...

Security with Java Scripting (JRuby, Jython, Groovy, BeanShell, etc)

I'm looking to run some un-verified scripts (written in a yet-to-be-determined language, but needs to be Java-based, so JRuby, Groovy, Jython, BeanShell, etc are all candidates). I want these scripts to be able to do some things and restricted from doing other things. Normally, I'd just go use Java's SecurityManager and be done with it....

jSecurity JDBCRealm SQL setup

Hello all! I am trying to use jSecurity for an enterprise java app, but the documentation is...well...lacking. Has anyone out there in SO-land been able to get the JDBCRealm setup, and if so did you find a SQL setup script or did you just derive it on your own? Either way, can you provide the create SQL statements to make this work? ...

Debug code security .net framework to use caspol.exe

We have an application that is distributed to a variety of customers. Sometimes it is installed on a network share. Usually we can give that application access with caspol.exe and grant the LocalIntranet Zone FullTrust. Sometimes the customers' admins do not manage to grant that application access due to some network settings. When we launc...

allow .NET 2.0 runtime to run executables from network with full trust

Guys, this can't be for real. I'm trying to make a .NET 2.0 executable run from a network drive and it turns out that since Microsoft .NET 2.0 has no mscorcfg.msc installed on Server 2003, in order to get one I have to install the full SDK. I simply want to run the dang thing without downloading a 350MB piece of crap! Sorry for the rant... An...

Microsoft CryptoAPI Book

Hello :) I need to write my own SSL socket (CSocket ancestor) with server-side certificate validation using Microsoft CryptoAPI. Can you tell me which book will help me (or any other user-friendly source of information)? ...

Why is security through obscurity a bad idea?

I recently came across a system where all of the DB connections were managed by routines obscured in various ways, including base 64 encoding, md5sums and various other techniques. Is it just me, or is this overkill? What are the alternatives? ...

File Permissions Dialog via .NET

How can I launch the standard file permissions dialog from a .NET application? Can't seem to find any example of this anywhere. I don't want to programmatically set file permissions, I want to let a user set them via the dialog. ...

What does mysql_real_escape_string() do that addslashes() doesn't?

Why do we need DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't? Ignoring for the moment the superior alternative of parameterized queries, is a webapp that uses addslashes() exclusively still vulnerable to SQL injection, and if yes, how? ...
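The short answer is that addslashes() works on bytes and has no idea what character set the connection uses, while mysql_real_escape_string() escapes according to the connection's charset. The classic demonstration uses GBK: 0xBF is a lead byte of a two-byte character, so when addslashes() turns the input `0xBF 0x27` into `0xBF 0x5C 0x27`, a GBK-aware lexer reads `0xBF 0x5C` as one character and the following `0x27` as an unescaped quote that closes the string. The following added example (mine, not from the question or from PHP) models both escapers and the server-side lexer in Python; the payload, query and the two escaping functions are constructed for the demonstration, not calls into a real MySQL client.

```python
"""Why addslashes() is not a safe SQL escaper: a GBK multibyte walk-through.

Added example, not from the question. It models (1) byte-wise
addslashes()-style escaping versus an escaper that knows the connection
charset is GBK, which is what mysql_real_escape_string() does once the
client library has been told the charset, and (2) how a GBK-aware lexer
finds the end of a quoted literal. Payload and query are constructed.
"""


def gbk_is_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def gbk_is_trail(b: int) -> bool:
    return 0x40 <= b <= 0xFE and b != 0x7F


def escape_single(b: int) -> bytes:
    """Escape one single-byte character the way addslashes() does."""
    if b in (0x27, 0x22, 0x5C):   # ' " and backslash
        return b"\\" + bytes([b])
    if b == 0x00:
        return b"\\0"
    return bytes([b])


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping with no knowledge of the character set."""
    return b"".join(escape_single(b) for b in data)


def gbk_escape(data: bytes) -> bytes:
    """Charset-aware escaping: a complete GBK character passes through
    untouched, while a lead byte NOT followed by a valid trail byte is itself
    escaped so it can never pair up with a backslash inserted after it."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if gbk_is_lead(b):
            if i + 1 < len(data) and gbk_is_trail(data[i + 1]):
                out += data[i:i + 2]
                i += 2
                continue
            out += b"\\" + bytes([b])   # orphan lead byte: escape it
            i += 1
            continue
        out += escape_single(b)
        i += 1
    return bytes(out)


def gbk_literal_end(query: bytes, start: int) -> int:
    """Index of the quote closing the single-quoted literal whose body begins
    at query[start], scanned like a GBK-aware lexer: a full multibyte
    character is skipped as a unit, a backslash consumes the next byte, and
    a bare ' terminates the literal."""
    i = start
    while i < len(query):
        b = query[i]
        if gbk_is_lead(b) and i + 1 < len(query) and gbk_is_trail(query[i + 1]):
            i += 2
        elif b == 0x5C:
            i += 2
        elif b == 0x27:
            return i
        else:
            i += 1
    raise ValueError("unterminated string literal")


def sql_after_literal(escape, payload: bytes) -> bytes:
    """Wrap the escaped payload in a query and return whatever the lexer sees
    AFTER the literal closes. Empty means the payload stayed inside the string."""
    query = b"SELECT * FROM users WHERE name = '" + escape(payload) + b"'"
    start = query.index(b"'") + 1
    end = gbk_literal_end(query, start)
    return query[end + 1:]


# Constructed attacker input: 0xBF is a GBK lead byte, 0x27 is a quote.
PAYLOAD = b"\xbf'" + b" OR 1=1 -- "

if __name__ == "__main__":
    esc = addslashes(PAYLOAD)
    # 0xBF 0x5C decodes as one GBK character, so the quote survives unescaped.
    print("addslashes bytes   :", esc[:3], "=", esc[:3].decode("gbk"))
    print("tail via addslashes:", sql_after_literal(addslashes, PAYLOAD))
    print("tail via gbk_escape:", sql_after_literal(gbk_escape, PAYLOAD))
```

Two caveats a practitioner should keep in mind. First, mysql_real_escape_string() is only charset-aware if the client library was told the charset through the API (mysql_set_charset() in PHP); issuing `SET NAMES gbk` as a query changes the server side without informing the escaping routine, and the same attack works again. Second, as the question itself notes, parameterized queries avoid the whole problem because the data never passes through the SQL lexer at all.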

How can I increase memory security in Delphi?

Is it possible to "wipe" strings in Delphi? Let me explain: I am writing an application that will include a DLL to authorise users. It will read an encrypted file into an XML DOM, use the information there, and then release the DOM. It is obvious that the unencrypted XML is still sitting in the memory of the DLL, and therefore vulnerab...

Non-random salt for password hashes

Typically, I always recommend using a cryptographically-strong random value as salt, to be used with hash functions (e.g. for passwords), such as to protect against Rainbow Table attacks. But is it actually cryptographically necessary for the salt to be random? Would any unique value (unique per user, e.g. userId) suffice in this rega...
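The property a salt must have is that the attacker cannot do the per-password work before the hashes leak and cannot reuse it across users or systems; unpredictability is what buys that, and a userId is predictable (and the same userId 1 exists on every site). The following added example (mine, not from the question) makes the timing point concrete: with a guessable salt the attacker's dictionary table for a chosen target is ready before the breach, and each leaked row costs one lookup; with a random salt the table built in advance matches nothing. The wordlist, user id, passwords and iteration count are constructed for the demo.

```python
"""What a predictable salt gives an attacker that a random one does not.

Added example, not from the question. Wordlist, user id and passwords are
constructed; the PBKDF2 iteration count is deliberately tiny so the demo
runs instantly and is NOT a production setting.
"""
import hashlib
import os

WORDLIST = [b"password", b"letmein", b"hunter2", b"correct horse battery staple"]
ITERATIONS = 1000  # far too low for production; kept small for the demo


def hash_password(salt: bytes, password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def precompute_table(salt: bytes) -> dict:
    """The attacker's offline work for one known salt: hash the whole wordlist.
    This is the per-salt rainbow/dictionary table the question is about."""
    return {hash_password(salt, w): w for w in WORDLIST}


def lookup(table: dict, stored_hash: bytes):
    return table.get(stored_hash)


def attack_with_userid_salt(target_user_id: int, real_password: bytes):
    """Salt = userId: the attacker picks the target, builds the table before
    any breach, and later needs one dictionary lookup per leaked row."""
    salt = str(target_user_id).encode()
    table = precompute_table(salt)               # done in advance
    stored = hash_password(salt, real_password)  # what leaks later
    return lookup(table, stored)


def attack_with_random_salt(real_password: bytes):
    """Salt = 16 random bytes stored beside the hash: any table built in
    advance was keyed on the wrong salt, so hashing can only start after the
    leak, separately for every user."""
    salt = os.urandom(16)
    table = precompute_table(b"42")              # best guess made before the leak
    stored = hash_password(salt, real_password)
    return lookup(table, stored)


if __name__ == "__main__":
    print("userId salt:", attack_with_userid_salt(42, b"hunter2"))  # recovered
    print("random salt:", attack_with_random_salt(b"hunter2"))      # None
```

A unique-but-predictable salt does still force one hashing pass per user after the leak, so it is better than no salt; what it gives up is the pre-breach head start shown above and cross-system uniqueness, since two sites that both salt with the userId produce identical hashes for the same password. A random salt costs nothing extra (it is stored next to the hash anyway) and removes both weaknesses, which is why the recommendation is random.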

App_Data - Web application's data directory. How secure is it?

In many places in msdn documentation you can find references to App_Data directory. For example here we can read: To improve security when using a local data file in an ASP.NET application, you should store the data file in the App_Data directory. and Files stored in the App_Data directory will not be served to the Web. I...

Extend Membership API, MembershipUser

I created my own database schema to store user information. CREATE TABLE [dbo].[MyCustomMembership_Users]( [UserId] [uniqueidentifier] NOT NULL, [UserName] [nvarchar](256) NOT NULL, [LoweredUserName] [nvarchar](256) NOT NULL, [MobileAlias] [nvarchar](16) NULL, [IsAnonymous] [bit] NOT NULL, [LastActivityDate] [datetime] NOT NULL, [FirstN...

What are your risk management strategies?

We're a small web development business and we eventually want to release web applications as well. Right now, we're doing some risk assessment and would like to know what other companies do for security and risk management. What are your risk management strategies and practices, technical and otherwise? Here's what I have so far (and I'...

SSRS 2005 - Configuring User Authentication/Authorization

I have created an ASP.NET 2.0 web application and would like to use SSRS 2005 for reporting purposes. The web application uses forms authentication and custom roles for authorization. I have created reports and deployed them to our SQL Server 2005 box. I have two options to integrate the reports into my application: 1) Link to SSRS fr...