Our web-based application has user accounts tied to users with the passwords specified during account creation. In the case of Java, how does one process the password securely before persisting its hash in the database?
To be more specific, how does one ensure that the string holding the password is garbage collected within a suf...
I would like to encrypt the passwords on my site using a 2-way encryption within PHP. I have come across the mcrypt library, but it seems so cumbersome. Anyone know of any other methods that are easier, but yet secure? I do have access to the Zend Framework, so a solution using it would do as well.
I actually need the 2-way encryptio...
When I send ");-- from an input field to my localhost PHP server, it AUTOMATICALLY converts it to
\");--
It seems great, except that I don't know how trustworthy this behavior is.
Although it seems to avoid SQL injections, my development environment is not the same as the production environment and I'm afraid that the production en...
I'm building an application in asp.net mvc. Within this application I want to use the Silverlight multi-file uploader. I'm using the asp.net membership provider that ships with asp.net mvc. My question is how do I ensure security from the asp.net mvc application to the silverlight application?
In simple terms:
1. How do I check within t...
Duplicate:
Protecting .NET Code from Reverse Engineering
We've recently released a small application and this weekend I found a cracked version of it on Piratebay that had the registration checking removed, so the app ran as if it was a registered version.
Apart from using a code obfuscation tool (which doesn't seem to be that har...
I recently had a security audit run against one of the sites I work on. This was done with the Acunetix Web Vulnerability Scanner. This came back with a bunch of results that I'm sorting through.
A lot of hits on XSS came up, but I'm not sure if they are false positives or not.
Code such as:
if(isset($_GET['variableNameX']))
$var_...
I do not understand this code snippet:
function ms(){
var plc=unescape('".
unescape( '\x43\x43\x43\x43\n.............\xEF'. $URL).CollectGarbage();
if (mf)return(0);
mf=1;
var hsta=0x0c0c0c0c,hbs=0x100000,pl=plc.length*2,sss=hbs-(pl+0x38);
var ss=gss(addr(hsta),sss),hb=(hsta-hbs)/hbs;
for(i=0;i<hb;i++) m[...
I have a website which Google blocked because it had badware. I removed the viruses from the server and it's completely clean now. The problem is that this virus changed the HTML, JS and ASP files in the site and added hidden iframes and strange scripts. I removed all that I found in the files, but the website is too big, so does anyone have any...
What's the best way to prevent javascript injections in a VB.NET Web Application? Is there some way of disabling javascript on the pageload event?
Recently, part of the security plan for our vb.net product was to simply disable buttons on the page that weren't available to the specific user. However, I informed the guy who thought of ...
I've got a Mac server and I'm building PHP code to allow users to upload images, documents, and even video files. Researching this has definitely gotten me nervous, I want the uploaded content to be virus free.
Is building something myself going to be a huge challenge? Would you do it, or would you find some OS or OTS product? (And do ...
Here is a scenario:
I am embedding form.swf in http://somesite.com/page.html. The SWF is loaded from https://mysite.com/form.swf and submits to https://mysite.com/secureform.php.
So, is the transmission to the server secure?
...
As a relative newcomer to both web and MVC, I am looking for a good summary of security best practices that I should implement.
The site will be public facing with "moderately sensitive data" (meaning we can't get sued, but probably wouldn't make many friends if the data got out!) and will have the following security steps taken:
a:...
I'm writing a web app that will be making requests via AJAX and would like to lock down those calls. After a little research, I am considering using some form of random token (string) to be passed back along with the request (GUID?). Here's the important parts of my algorithm:
Assign a token to a JavaScript variable (generated server...
Hi .....
How can I protect files and directories with a password in C#?
...
Hi, I have a SharePoint webpart which is compiled as a DLL and placed in the BIN folder of my SP site. My webpart works on my local machine, but when I put it on production it fails with a
(401) Unauthorized.
After doing some research I came across what is known as the "One hop rule", meaning I have to either pass in the credential...
I've stumbled upon the following peculiarity:
$handle = fopen(realpath("../folder/files.php"), "r");
can't read a file, but as soon as I remove the PHP tags from the file,
it becomes readable and my script prints non-empty file content on the page.
Also, file.php is never ever executed, so I wonder why it is the problem.
I guess somehow A...
I have an application server which connects to a database server. I would like to be able to supply users with installers and, with a moderate degree of comfort, trust that the database schema is secure.
I understand that there are some risks that I will just have to accept with not controlling the computer on which it installed - a de...
I have a web application that once signed in, personalizes almost all pages.
I want to be able to have some very specific pages locked down with SSL that may have sensitive information. From what I have been able to find, once you sign in via an SSL sign in page (area of the web site), the session information which I use to store a lot...
I am normally responsible for all scripting on web-sites running on my server, but some of my clients have other people working on (parts...) of their sites.
When I give access, they can use PHP, so I regularly check whether they seem to know what they are doing, blocking people when they are:
using mail() without proper input filter...
Hi community,
I'm currently building a website that allows public access after classic verification methods (captcha + email verification). I do my best to sanitize all of the inputs and stay in control of the data flows. I am 100% sure that there will be people / bots who will try to hack the system away: changing post values, trying to inse...