What would be the easiest way to ban a specific IP (or a range of addresses) from being
able to access my publicly available web site?
Is it possible to do so using the ASP.NET only, without resorting to modifying any IIS settings?
...
Hi There,
How do I get the LoginStatus for ASP.Net MVC? I can connect and authenticate on MVC, but I am not sure how to get the LoginStatus. Can anyone help?
Thanks
...
Hi,
I have recently started a personal project that uses ASP.NET MVC (RC1 at the time of writing). My background is traditional ASP.NET WebForms development.
My knowledge of ASP.NET MVC is limited, so I would like your input on how to best approach authentication, input validation and protection against common attacks (XSS, XSRF, etc).
I...
Background
While at the gym the other day, I was working with my combination lock, and realized something that would be useful to me as a programmer. To wit, my combination is three separate sets of numbers that either sound alike, or have some other relation that makes them easy to remember. For instance, 5-15-25, 7-17-2, 6-24-5. The...
I am looking for Application Security Testing (Penetration Testing) of Thick Client Applications. I know of Echo Mirage and ITR as good tools to test these kinda applications.
Does anyone know of any other tools that do this?
...
Is there any method of programmatically determining the current security zone settings for Internet Explorer?
I'd like to know when my site will have the XMLHttpRequest ActiveX control blocked due to IE security policy, but before the site actually tries to create it and thus causes the yellow bar to appear up the top (saying "To help p...
I want to write my own ClassLoader. It should be faster and more dynamic than the default ClassLoader for applets.
But I do not know how I should implement the method:
PermissionCollection getPermissions( CodeSource codesource )
The super implementation grants no rights even if there is a valid certificate in the CodeSource.
Must I ver...
Hi!
Say I have a virtual folder /topFolder/ in IIS7, and in that folder there can be any file that can be displayed in a browser (xml, html, swf, doc etc - typically "unmanaged" resources from the IIS perspective).
Before giving the request permission to open any file below the folder, I need to check some session variables in order to...
I am working on a system with Silverlight and using WCF to call services to do all of the work on the server side.
I need to have a user log into the system, and once they are verified, all calls to the server need to contain the user info so the server can check security policies and do other operations based on the user.
What is ...
Hi, I was wondering in .NET 2.0 what is the best way to transfer parameters between pages? I cannot allow the user to modify these parameters, so I was thinking of using Session variables. Is this a safe method? Is there a way for the user to modify it?
...
Hello
I would like to know if I'm safe against SQL injection when I use something like this with PostgreSQL:
CREATE or REPLACE FUNCTION sp_list_name( VARCHAR )
RETURNS SETOF v_player AS '
DECLARE
v_start_name ALIAS FOR $1;
r_player v_player%ROWTYPE;
v_temp VARCHAR;
BEGIN
v_temp := v_start_name || ''%'';
...
I am having a hard time understanding JAAS. It all seems more complicated than it should be (especially the Sun tutorials). I need a simple tutorial or example on how to implement security (authentication + authorization) in java application based on Struts + Spring + Hibernate with custom user repository. Can be implemented using ACEGI....
Each time I get a Java security update, I have to remember to untick the box to install the yahoo toolbar browser plugin that they've decided, for some mad reason, is an important security feature of Java. Is there a way to get it to remember my choice, or to get the security updates without it? Or to educate Sun about what is and isn'...
I have the following code snippet to delete records from a database given a primary key. This is called via an AJAX request, through GET. Anyone who examined my javascript could work out the URL and delete arbitrary records. What can I do to prevent this?
Not use GET?
Use sessions?
if($cmd=="deleterec") {
$deleteQuery = "DE...
We are working on creating an installation package for a WCF-based web service. The service uses message-level encryption via an installed certificate. I am trying to come up with an automated way to both install the certificate and set its permissions.
Currently, we are manually installing the certificate via the MMC snap-in. After it ...
I'm starting on a project to allow an existing web application to use active directory for authentication but leaving authorization within the application. I want to start off simple so I was thinking a user would type their AD username/password into my existing login form, I would then do an ldap bind against the AD server to authentica...
We have a Coverity bug for this line of code:
snprintf( tempStr, size, testStrings[testID], A2DtoV(testResults[testID].value),
A2DtoV(testResults[testID].min),A2DtoV(testResults[testID].max));
The error says:
non_const_printf_format_string: "format string is not a string literal,
potential security vulnerability if user controlled"
...
When I create a new link in quick launch bar in any site, the link is static and is always visible even when a user may not have privileges to view that document, or the document library it is in. When any document library has a link in the quick launch (via the document library's "Title, Description, and Navigation" setting), the quick...
Can I store my users' credit cards' expiration dates & last 4 digits? The reason for this is so we can notify the user that their card is about to expire and that they should change their account over to their new card. Storing the last four digits will allow the user to identify what card they have stored with our system.
...
I need to interface an existing application with Acegi/Spring security.
In order to get started I am looking for one simple piece of information: in this context, will HttpServletRequest.getUserPrincipal() called from my application properly return the username obtained through Spring (as opposed to using Spring-specific objects)? I hav...