Hi,
I'm deploying my web parts using the SharePoint solution mechanism. Until now, everything worked fine, but when I added CAS policies to the manifest.xml file, the deployment doesn't work as it should.
When deploying the solution with the CAS policies, there are no errors, but the policy file isn't created, the dll isn't copied, an...
Today, online security is a very important factor. Many businesses are completely based online, and there is tons of sensitive data available to check out only by using your web browser.
Seeking knowledge to secure my own applications, I've found that I'm often testing others' applications for exploits and security holes, maybe just for cur...
How are heap overflow attacks done?
In case of stack overflow attacks, the attacker replaces the function return address with his address.
How is this done in heap overflow attacks? Also, is it possible to run code from heap?
...
I have an asp.net website on a server and the db MS SQL 2005 on another server. The last few days the website shows me this error message:
"A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that S...
If I have an applet embedded in a webpage and I want it to connect to server side software (also written in Java), how can I do this properly on a Windows machine running localhost? Would I have to run the Java application from within the localhost directory and access the applet html from a browser (i.e. localhost/applet.html)?
From wh...
I need a path I could specify in log4net file appender so that the log files would go there.
However, aspnet or whatever account does not have write privileges to %APPDATA% folder.
Is there any place I can write to without asking customer admins to give extra access privileges?
Path.GetTempFile() is probably not a good idea. I need some...
How exactly do you do this? The reason is my CMS has been breached, well, mainly because the username and password is fairly common (my bad). But I've always thought that it is safe, since the directory name is pretty uncommon and hard to guess (not the usual /cms/ or /admin/). Brute-forcing from a script? Or maybe some Google tricks?
...
The GString concept in Groovy is pretty powerful (see http://groovy.codehaus.org/Strings+and+GString).
GStrings let you do things like:
world = "World"
println "Hello ${world}"
// Output: Hello World
println "1+2 = ${1+2}"
// Output: 1+2 = 3
println "${System.exit(-1)}"
// Program terminated
I'm trying to figure out if using Groovy GStr...
I am writing a traditional ASMX webservice using C# with .Net 2.0 for deployment on IIS.
The webservice will be deployed in a shared hosting environment where each client has their own copy of the application sitting in a separate virtual directory (I know, I know - it's a legacy app). There will be an individual copy of the Webservice s...
What's the point of JAAS if I have to write my own {whatever}LoginModule and everything else?
...
While tracing the active connections on my db I found that sometimes the connections exceed 100. Is that normal?
And after a few minutes it returns back to 20 or 25 active connections.
More details about my problem:
Traffic on the site is around 200 visitors per day.
Why am I asking? Because the default MaxPool in the asp.net connection strin...
I am writing an ASP.NET application using ActiveDirectoryMembershipProvider, similar to the scenario outlined here:
http://channel9.msdn.com/wiki/securitywiki/aspnet2formsauthtoadrolesinadintranet/
As part of this setup, I configured ASP.NET Membership as follows:
<membership defaultProvider="MyADMembershipProvider">
<providers>
...
If I uncheck the "Enable anonymous access" checkbox in IIS, so as to password protect a site, i.e. by restricting read access to designated Windows accounts, does the resulting password dialogue which is then presented to all anonymous http requests, represent a security risk in that it (seemingly) offers all and sundry an unlimited numb...
I have a web application that uses Windows integrated security. I also have a Windows service that runs as local system. The web application uses .NET remoting to execute a method on the service through a TCP/IP channel. Is there a way, on .NET 2.0, to pass the Windows identity to the service?
...
I'm in the final stages of implementing a CodeIgniter site which requires a really simple login system: one user and one password, to protect the admin area.
I think I will be using one of the many CI authentication libraries, which should allow me to ensure that people can't read from the database without being logged in as admin (I hop...
Does anyone have any thoughts on how to prevent malware attacks on standalone applications? Let's say this is a program on a Windows machine connected to the internet; this is the most common scenario.
I'm also wondering what type of attacks are possible. I believe .NET will do some type of static check on the code before it runs it, ...
I feel fortunate that I have been given an opportunity to improve code practices in my office by starting to implement some internal code reviews which could start out as some simple checklist. I need suggestions on tools and general tips.
I went to school for SoftE and understand the process of classic software development. I then wo...
I'm developing an application that needs to write to the registry. It works fine on XP, but when I run it on Vista, from Visual Studio, I get a security exception in:
Registry.LocalMachine.OpenSubKey("SOFTWARE", true);
I'm trying to write a new key into that branch of the registry.
What's the right way to do this, firstly so that I ca...
This question is from a decomposition of http://stackoverflow.com/questions/678471/what-are-good-programming-practices-to-prevent-malware-in-standalone-applications
The question has to do with malware dynamically getting into a program by infecting data files which the program reads/writes.
Is it safer to require data be stored in a...
Hi there,
I'm seeing web apps implementing limitations for user login attempts.
Is it a security necessity and, if so, why?
For example: you had three failed login attempts, let's try again in 10 minutes!!
Thanks :)
...