security

Where can I find a C# class for "Shamir's Secret Sharing"?

I am trying to find a class or something that would allow me to do Shamir's Secret Sharing. I found a program in C# that allows you to do it but it does not supply source code. I was just wondering if anyone has a class that already does what I need. ...

Is It Secure To Store Passwords In Web Application Source Code?

So I have a web application that integrates with several other APIs and services which require authentication. My question is, is it safe to store my authentication credentials in plain text in my source code? What can I do to store these credentials securely? I think this is a common problem, so I'd like to see a solution which secures...

Why is challenge-response approach a poor solution for forgotten passwords?

My company is developing an online HR and Payroll application where securing access is critical. I'm clear on how to lock down most of the authentication/authorization processes, except for the 'Forgotten Password' page. My initial plan was to require the user to enter both an e-mail address and a response to a previously selected/ente...

Have I covered all bases with security when echo'ing a server variable to the page?

With forms I've always used <form method="post" action="<?php echo strip_tags($_SERVER['REQUEST_URI']); ?>"> to get my forms to submit to themselves. I use strip_tags() in case someone links to: http://www.mysite.com/page-with-form.php?bla="><script src="http://www.nasty.com/super-nasty.js"></script><a href="# Hav...

Should I give a client a SQL Server login with the 'db_owner' role?

One of our clients has requested that we include the 'db_owner' role on the database login that their website uses, so that they can upload a script (an ASP page) to run some database changes. Normally the logins for the databases hosted on our server only include 'db_reader' and 'db_writer'. Is this ok, or should I request that they for...

Preferred Method of Storing Passwords In Database

What is your preferred method/datatype for storing passwords in a database (preferably SQL Server 2005)? The way I have been doing it in several of our applications is to first use the .NET encryption libraries and then store them in the database as binary(16). Is this the preferred method or should I be using a different datatype or all...

What are the best practices for internal security standards in companies with large SAP investments?

I work in a large company, and I'm interested in best practices for internal security standards. We have a large ($500 million +) investment in SAP, and we also have .Net and a bit of JEE in our internal environment. I've found some documentation from MS and SAP, but it's outdated and not very specific. So far, it looks like we could e...

Running Activex control and Maintaining security

Hi Techies, in my web application I have a part that invokes an ActiveX control. The ActiveX control is available on all the client PCs that access my web application from the web server. But when trying to run this ActiveX control from the browser on the client machine (using Wshell), it was not getting invoked since "Run Activex Control...

Is this an attempt to break my ASP.Net site's security?

I am fairly new to ASP.NET. I recently set up automated email from my website to notify me of unhandled exceptions. Just a few hours ago, within 3 minutes, there were 10 unhandled exceptions and all stack traces were similar. There is a lot in the error messages I do not understand, but I do not like the way this looks. Here is one of the...

User authentication when using single database per client?

My company is building an ASP.NET HR application and we have decided to create one database per client. This ensures that clients cannot accidentally view another client's data, while also allowing for easy scalability (among other benefits, already discussed here). My question is - what is the best way to handle security and data acce...

I need help resetting the DEFAULT settings for ActiveX and Flash Player

When I start my web browser and I want to view a website or view something on a Flash Player I get this: Your Security settings do not allow websites to use ActiveX controls installed on your computer. This page may not display correctly. click here for options... or I get this: If this site does not load, click here to install Fla...

How do you hide an encryption key in a .NET application?

I'm developing an intranet application (C#) that uses some data (local to the web server) that we'd like to keep private. This data is encrypted (AES) using a legacy data repository. We can't totally prevent physical access to the machine. Clearly, we're never going to have perfect security here. However, we want to make it as hard as p...

How dangerous is this PHP code?

How dangerous is this PHP code? What can be done about it? $name = $_POST["user"]; $pwd = $_POST["pwd"]; $query = "SELECT name,pwd FROM users WHERE name = '$name' AND pwd = '$pwd'"; ...

Row level user permissions, help with design

Hi. Say I am creating a forums application. I understand how to design a forum-level permission system with groups, i.e. you create a forum-to-group mapping and assign users to a group to give them access to a particular forum. How can I refine the permissions to allow for row-level permissions (or, in forum terms, post-level)? ...

Problem Connecting to WCF Service on a Server

I have set up a WCF service on a server which lives in its own Workgroup. I've tried to make a TCP/IP connection to it from a client that lives on the corporate domain. When I try to open a connection, I get a SecurityNegotiationException with the message: "A remote side security requirement was not fulfilled during authentica...

Block cross domain calls to asp.net .asmx web service

Hi, I've built an application that uses jQuery and JSON to consume an ASP.NET .asmx web service to perform CRUD operations. The application and .asmx are on the same domain. I don't mind people consuming the read operations of the .asmx remotely but don't want people randomly deleting stuff!!! I can split the methods I'd like to be publi...

Why does MySQL replication use five certificates?

Hello everyone! I'm attempting to set up MySQL replication with SSL encryption, and while I'm beginning to close in on the solution, there's one aspect of the process that I can't wrap my brain around relating to the way MySQL uses SSL. According to the documentation on MySQL 5.0 (setting up SSL for client/server and setting up SSL fo...

Can the "x-requested-with" http header be spoofed?

My research shows that only the Host, Referer, and User-Agent headers can be spoofed. (source http://download2.rapid7.com/r7-0026/ ) Is this a correct assumption to make? The security of a site I am building may require that "x-requested-with" cannot be faked. This is far from ideal but may be the only avenue I have. ...

Debugging System.UnauthorizedAccessException help

I am trying to debug an application which was not written by myself; when an event (adding a user) is fired, the application throws a System.UnauthorizedAccessException. Are there any tools that you could recommend that would tell me what the application is trying to do? I do know that it is most probably trying to access Active Directory...

Protecting HTML files with .htaccess

My PHP app uses 404 Documents to generate HTML files so that multiple queries to the same HTML file only cause the generation to run once. I'd like to intercept requests to the HTML files so that the user needs to have an established PHP Session in order to pull up the files. In the best case, SESSION ID would be used in the URL and fo...