I am trying to deploy an application in a client network, with AD/domain controller.
My application is a simple asp.net c# application, using windows authentication.
I am using win2003.
Basically, using VS2008, create a new website, hosted on IIS6.0.
Only 2 changes.
1. On IIS Directory security for the application, enabled "Integrated...
When writing an average new app in 2009, what's the most reasonable digest function to use, in terms of security and performance? (And how can I determine this in the future, as conditions change?)
When similar questions were asked previously, answers have included SHA1, SHA2, SHA-256, SHA-512, MD5, bCrypt, and Blowfish.
I realize that...
I have two rails apps on separate virtual servers, but in the same facility. Both apps can communicate via local ip addresses.
This is a two part question:
1) How do I check where the request is originating and limit requests only to those from that location?
2) Do you think this would be secure enough?
My gut is telling me this...
Hi.
I'm writing on a Java EE project which will have everything from 3-6 different clients. The project is open source, and I wonder what security mechanisms one could/should use. The problem is: Because it is open source, I would believe that it is possible for anyone with a user to write their own client (maybe not realistic, but trul...
I'm looking for information about 'the best' encryption algorithm for encrypting cookies.
I have the following requirements:
It must be fast
encrypting and decrypting the data will be done for (nearly) every request
It will operate on small data sets, typically strings of around 100 characters or less
It must be secure, but it's not li...
Hi,
My name's Carlos, I'm from Brazil.
I'm trying to open a file like this:
image1.picture.loadfromfile('\\ntmemo01\c$\ozzy2.bmp');
but it doesn't work. I'm receiving the exception
class EFOpenError with message "Cannot open file '\ntmemo01\c$\ozzy2.bmp' Access denied."
Thanks,
Carlos
...
I believe my server has been the ongoing target of a brute-force attack on SQL Server 2005 (SQLExpress). My Event Viewer log is filled with "Failure Audit" messages for SQL Server. The attempts usually last for an hour or two, with 1-2 seconds between attempts.
Login failed for user 'sa' [CLIENT: 222.169.224.163]
Event ID: 18456. B...
My boss is against requiring our users to have secure passwords, even going so far as to request they be set up by default to have passwords the same as their username. What should I do in this situation? What would you do?
Update - Some users have brought up the question of whether the application needs high security. This isn't credit car...
Using Active Directory / Windows Integrated authentication is a given. From a development standpoint, what is the best way to consume this?
Is it through configuration?
<location path="SecurePage.aspx">
<system.web>
<authorization>
<allow roles="MyDomain\My Secure Users" />
<deny users="*" />
</authorization>
...
I'm creating an image gallery site that you have to log in to access. The site will use sessions to keep track of usernames and passwords. Logged in users will be able to search for images and see results. Presumably, this means I'll be putting images in a web directory. How do I keep non-logged in people from being able to browse direct...
Hello everyone, I'm developing a photo sharing web site using the CodeIgniter PHP framework. The idea is that people could upload their photos, manage them (through some sort of file browser which allows them to create subfolders, drag files around, etc) and edit them (some basic things like resizing, rotating and cropping to start with,...
I need an applet to open a socket and communicate with a server listening on
the local host to which the applet was downloaded (the end user machine).
Contrary to what I have read about applet security, it seems that even signed applets
cannot open a socket to a different host from the one they were downloaded from (on the same machine it works p...
We're providing a zip file of our application for testing and the same zip file on two separate machines is extracted differently. One will extract all files, the other will extract all but the executables (.exe and .msi specifically).
We're going to have to tell our customers something other than 'use WinZip' (or 7zip, or whatever)
Wh...
The company I work for has taken on a support contract for a large order processing system. As part of the initial system audit I noticed that the passwords stored in the database were actually the hashcode of the password.
Essentially:
string pwd = "some pasword";
// GetHashCode() returns an int, so it is stored as its string form
string securePwd = pwd.GetHashCode().ToString();
My question is, how secure or o...
How should I design a login protocol to be more secure? The way I have it right now is:
the client connects and sends his username
the server sends the salt (always the same) for the user
the client adds the salt to the password, hashes it and sends it to the server
This way the password is hidden all the time but it does not stop a hacker ...
I have a textarea in an ASP.NET MVC Application where the user can type some text. When I show the text to the user, I use Html.Encode to prevent malicious input. The problem is that the user can type in Spanish and maybe he types año and the Encode transforms this into año. How can I prevent this?
EDIT: In the generated HTML, I see...
I'm using RSA to encrypt communication between a server and a client.
Let's say we have 2 asymmetric keys, key1 and key2.
The server has key1 (private) from the start and the client has key1 (public).
So here is the scenario:
the client generates key2
client connects to the server
sending key2 (public) encrypted with key1 (public)
fr...
I'm having an issue in IE on secure pages in my DEV and TEST environments which use a self-signed security certificate. Nothing is displaying (not even the text that is being replaced). Firefox, on the other hand, is displaying the sifr font fine. The URL used in IE to load the Flash movie is a 'https' URL. Has anyone seen this problem b...
When a user signs up in our Struts application, we want to send them an email that includes a link to a different page. The link needs to include a unique identifier in its query string so the destination page can identify the user and react accordingly.
To improve the security of this system, I'd like to first encrypt the query string ...
Know any good courses, online or perhaps otherwise, you'd recommend to a relatively new PHP/MySQL web developer to get her up to speed on security vulnerabilities? It would be nice if it was fairly thorough and went beyond basic stuff like sql injection. Ideas?
Edit:
Thanks for the really great links and information, but I'm also loo...