I am designing an application in Flex that connects to some web services to perform some financial transactions. The web services are secured using the https protocol and ask for a user token, created at login, on each request. This is used to authenticate and authorize the user. So far so good.
The trick part is that not all of our web se...
Hi, I am using the SharePoint namespace for a webpart and I encounter some permission errors when I try to use the System account. Is there a way I can use a defined user instead of the system account?
Right now I have:
SPUserToken sysToken = SPContext.Current.Site.SystemAccount.UserToken;
using (SPSite site = new SPSite(_SPSite, sysTo...
Scenario
I'm using a Custom IPrincipal and IIdentity to do asp.net authorization. I set the Principal and Identity during the PostAuthenticateRequest event using an IHttpModule.
The web.config looks approximately like the following:
<system.web>
<authorization>
<allow verbs="GET,POST" roles="domain\group"/>
<deny verbs="*" ...
I'm in a school project on information security, and one of the assignments is to write some secure pages in PHP. None of the people in my group know PHP; that is not a big problem though, we'll learn enough to create the simple pages needed.
One of the tips the student assistants have given is to use the two functions strip_tags() and...
I work on a site that generates dynamic images for each specific user. Sometimes these images contain depictions of very sensitive data. Lately we have started to see requests for images that belong to a different user in the form of
http://myapp/images/someuid/image1.jpg
Obviously, someone figured out they could access another user's i...
Hi everyone,
Yay, first post on SO! (Good work Jeff et al.)
We're trying to solve a bottleneck in one of our web-applications that was introduced when we started allowing users to generate reports on-demand.
Our infrastructure is as follows:
1 server acting as a Webserver/DBServer (ColdFusion 7 and MSSQL 2005)
It's serving a web-appl...
I'm building an e-commerce website with a large database of products. Of course, it is nice when Google indexes all products of the website. But what if some competitor wants to web-scrape the website and get all images and product descriptions?
I was observing some websites with similar lists of products, and they place a CAPTCHA, so "only h...
We are thinking of SSL-enabling part of our website, but some pages contain ads from third-party vendors (like Google AdSense). I'd think this will create an annoying problem for our users since they are going to see a warning message like "This page contains both secure and non secure items" when they view a page with ads. However, when I ...
While implementing a flash-based uploader, we were faced with an issue: Flash doesn't provide the correct cookies.
We need our PHP Session ID to be passed via a POST variable.
We have come up with and implemented a functional solution, checking for a POST PHPSESSID.
Is POSTing the Session ID as secure as sending it in a cookie?
Possib...
I have a folder on my server on which I have changed the permissions to 777 (read, write and execute for all) to allow users to upload their pictures. What are the security risks involved in this? I have implemented code to restrict what file formats can be uploaded, but what would happen if someone were to find the location of the directory,...
Real world, how many here undergo in-depth security code reviews? Those that do, how often - once a quarter, once a version, once in a blue moon? Those that don't - why not? (Not referring to small or hobby programmers - not that I'm trivializing them, it's just I don't expect them to ;-) ).
As a security consultant, I'm usually the one cal...
I have a normal Windows Server 2008 installation with IIS7. Each website has its own application pool. But there is a security-related problem.
There is no restriction preventing an asp.net application from writing a file into C: or any other directories.
In IIS 6, before this could happen I would have to set those rights in the Windows folder se...
Hi,
I need to provide a code snippet to my clients that they can add to their website, similar to the google analytics code, e.g
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' ...
Is there a user-management plugin for grails?
Nearly every website requires things like:
Users Login/Authentication
Registration (w/ email verification)
Forgotten email reminders
User Profiles
Are there any Grails plugins/frameworks/whatever that provide things like this as a base to build upon?
I know how to build these th...
Generally I would go about this by placing something(s) unique and random in the ROM image and using that as a seed to encrypt the EEPROM content, to stop extraction and reprogramming after image modification.
An obvious flaw seems to be that this doesn't stop tampering in the form of replacing the EEPROM external chip with a blank one... oh look were ...
Some popular CMSs have a huge number of add-ons and try to fix every security problem as quickly as possible, without hiding. They end up with a lot of security announcements.
This seems to be the wrong way, because they distribute broken code and fix it after that. Not intentional, but that's the picture this is painting.
Are there an...
I need to monitor and, if needed, decline process start in the Windows XP and Vista OS.
What are the known/documented/undocumented methods? What about known hacks of these methods?
(It will be used for a shareware firewall/security software.)
...
I need to put together a small brief about the weaknesses behind limiting content to specific countries based on IP address.
Besides using a proxy server located in another country, can you think of another way to circumvent such a system?
...
The MSDN states that when a file is uploaded using the ASP.NET ( v.2.0 ) Fileupload control or the underlying HttpPostedFile that "Files are uploaded in MIME multipart/form-data format. By default, all requests, including form fields and uploaded files, larger than 256 KB are buffered to disk, rather than held in server memory." MSDN Lin...
I want to protect only certain numbers that are displayed after each request. There are about 30 such numbers. I was planning to have images generated in place of those numbers, but if the image is not warped as with a captcha, won't scripts be able to decipher the number anyway? Also, how much of a performance hit would loading image...