I'm currently working on basic user authentication for an app I'm putting together, and I don't have much experience with security.
That said, I understand the practice (and necessity) of salting/storing a (salted) password hash in a database as a blob, as opposed to the password (encrypted or not). I've already implemented this.
Is th...
Due to the nature of OpenID, wouldn't it be a lucrative target for spammers? For starters, you could create an OpenID account on any site and use it on any other site which would mean that I could log into a forum and write a few thousand posts if the forum assumes that logged in users can be trusted.
Do you agree OpenID is lucrative fo...
Hi,
I would like to ask you guys because I am not sure about the answer.
I have a website, ASP.NET 2.0, with a section that only authenticated users have access to. Of course the user is redirected to the restricted section only after successful authentication (login/pass). But my question is more concerned with whether I need to use https o...
As much as I understand it is a good idea to keep passwords secret from the site administrator himself because he could try to take a user's email and log into his mailbox using the same password (since many users use the same password everywhere).
Beyond that I do not see the point. I know it makes the dictionary attack more difficult ...
Re the question non-random-salt-for-password-hashes: Mr Potato Head states that the use of md5 instead of SHA-512 makes generating rainbow tables easier? I'd have thought that once your rainbow table is generated, the algorithm used is irrelevant? It would make no difference to how you use the rainbow table to check for known hashes? An...
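The following is an added editor's example, not code from any of the posters above. It implements the salted-hash scheme the first question describes (PBKDF2-HMAC-SHA256 with a random per-user salt, a self-describing record and a constant-time check; the iteration count and record format are assumptions for this example), and it answers the two hashing questions just above with a toy precomputed table: the lookup step works the same way whatever algorithm the table was built for, but a per-user salt means the stored digest is never in any table, so the salt, not the choice of md5 versus SHA-512, is what makes the table useless. The wordlist is constructed. Because the password is hashed as bytes, characters such as ' " = : ; < > ( ) need no special handling.

```python
import hashlib
import hmac
import os

# Tunables for PBKDF2-HMAC-SHA256 (assumed parameters for this example).
# ITERATIONS is the per-guess work factor; raise it as hardware gets faster.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password under a fresh random salt.

    The stored record is self-describing ("pbkdf2_sha256$iter$salt$hash"), so
    the iteration count can be raised later without invalidating old rows.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                                    rounds, dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, digest)


# --- why the salt, not the hash function, is what defeats a precomputed table

# Constructed sample wordlist; a real table holds billions of entries.
WORDLIST = ["password", "letmein", "hunter2", "qwerty"]


def unsalted_hex(password: str, algo: str = "md5") -> str:
    """What a site that stores a bare, unsalted hash keeps in its database."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def build_unsalted_table(words, algo: str = "md5") -> dict:
    """A toy precomputed table for one algorithm: hash -> plaintext."""
    return {unsalted_hex(w, algo): w for w in words}


def lookup(table: dict, stored_hex: str):
    """Crack a stored hash by lookup; None when it is not in the table."""
    return table.get(stored_hex)


def stored_digest_hex(record: str) -> str:
    """The digest part of a salted record, i.e. what a table would be matched against."""
    return record.split("$")[-1]
```

The algorithm still matters for cost per guess once an attacker gives up on tables and brute-forces one salted hash at a time: a fast hash like md5 lets them try more candidates per second than an iterated construction, which is why the work factor above is configurable.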
I am doing ssh to the server x1.example.com from a laptop, sometimes from outside and sometimes from the LAN. From the LAN I just say
ssh karl@x1
and from the WAN:
ssh karl@x1.example.com
But from the LAN I always get a warning: remote host identification has changed.
I can delete the other key in the known_hosts file each time, but I was wondering i...
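An added editor's example (not from the poster) that shows what the warning above is keyed on: a known_hosts entry is a list of names or addresses followed by a key, and the "remote host identification has changed" warning fires only when the name being connected to already has a different key of the same type on file. The parser below reads that format and reports exactly those conflicts; the known_hosts content is constructed, and the keys are placeholders.

```python
from collections import defaultdict

# Constructed sample in known_hosts format; the real file is ~/.ssh/known_hosts.
SAMPLE_KNOWN_HOSTS = """\
# comment lines and blank lines are ignored
x1,192.168.1.10 ssh-ed25519 AAAAKEYA karl@laptop
x1.example.com,203.0.113.5 ssh-ed25519 AAAAKEYA
x1 ssh-ed25519 AAAAKEYB
|1|hashedsalt|hashedhost ssh-rsa AAAAKEYC
@cert-authority *.example.com ssh-rsa AAAAKEYD
"""


def parse_known_hosts(text: str):
    """Yield (hostname, keytype, key) for every plain (unhashed) entry."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|"):        # HashKnownHosts entry: names not recoverable
            continue
        for host in hosts.split(","):
            yield host, keytype, key


def find_conflicts(text: str) -> dict:
    """Map (hostname, keytype) -> set of distinct keys, keeping only names that
    have more than one key on file: the condition behind the
    'REMOTE HOST IDENTIFICATION HAS CHANGED' warning for that name."""
    seen = defaultdict(set)
    for host, keytype, key in parse_known_hosts(text):
        seen[(host, keytype)].add(key)
    return {name: keys for name, keys in seen.items() if len(keys) > 1}


def hosts_for_key(text: str, key: str) -> set:
    """Every name and address that currently vouches for one key."""
    return {host for host, _, k in parse_known_hosts(text) if k == key}
```

Run against the real file, the output tells you which name carries two keys. `ssh-keygen -R x1` removes all entries for that name, and a `HostKeyAlias` line in `~/.ssh/config` makes both `Host x1` and `Host x1.example.com` stanzas look up and save the key under a single alias, so the key is learnt once instead of per name.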
It's a well-known truth that you can't trust user input. This input can even be a security problem if it is used unfiltered. XSS and SQL injection are possible problems that come from using unfiltered user input (or input that can be changed by the user).
To avoid such problems, you have to control all strings that can be i...
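An added editor's example (not the poster's code) of the XSS half of the point above: the defence is not to filter the input but to encode each value for the context it is written into. The fragment below places the same untrusted string into an attribute, element text and a JavaScript string literal; the vulnerable form is shown beside the encoded one. The `showAuthor` script call and the markup are assumed for illustration.

```python
import html
import json


def html_text(value) -> str:
    """Escape for HTML element content and for double-quoted attribute values."""
    return html.escape(str(value), quote=True)


def js_string(value) -> str:
    """Encode a value as a JavaScript string literal that is safe inside <script>.

    json.dumps handles quotes, backslashes and control characters. The extra
    replacements turn <, > and & into \\uXXXX escapes so no "</script>" (or any
    other tag) can appear in the output, and escape the JS line terminators
    U+2028/U+2029 in case json.dumps is ever called with ensure_ascii=False.
    JavaScript decodes the escapes back to the original characters.
    """
    return (json.dumps(str(value))
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def render_comment_unsafe(author: str, body: str) -> str:
    """The vulnerable form: untrusted strings dropped straight into markup."""
    return (f'<div class="comment" data-author="{author}"><p>{body}</p>'
            f'<script>showAuthor("{author}");</script></div>')


def render_comment(author: str, body: str) -> str:
    """Same fragment, with each value encoded for the context it lands in."""
    return (f'<div class="comment" data-author="{html_text(author)}">'
            f'<p>{html_text(body)}</p>'
            f'<script>showAuthor({js_string(author)});</script></div>')
```

Note that one encoder does not fit all contexts: `html_text` would not protect the script block, and `js_string` would not protect the attribute. A value that goes into a URL or a CSS property needs its own encoder again.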
Macros refuse to run for me in Excel 2007 on Windows Server 2003.
The macro and visual basic icons on the ribbon are grayed out.
If I open a workbook with a macro, I get the warning: "This workbook has lost its VBA project, ActiveX controls and any other programmability-related features."
If I try to make a new excel template in VSTO (E...
On a https site that I am working on, I keep getting "Do you want to view only the webpage content that was delivered securely?. This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage."
I made sure the site has relative links. Form actions are ...
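An added editor's example (not the poster's code) of the check that usually ends this hunt: scan the served HTML for every URL the browser will fetch as part of the page (script and image sources, stylesheet links, frames, form actions, `url()` inside style blocks and style attributes) and list the ones that start with `http://`. Plain anchors are ignored because navigating to an http link is not mixed content; protocol-relative `//host/...` references are fine on an https page. The sample page is constructed.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs whose URL the browser fetches while rendering the page.
FETCHED = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("source", "src"), ("video", "src"), ("audio", "src"),
    ("video", "poster"), ("object", "data"), ("link", "href"),
    ("form", "action"), ("body", "background"), ("input", "src"),
}
_CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")]+)", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (line, tag, attribute, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        for name, value in attrs:
            if value is None:
                continue
            if (tag, name) in FETCHED and value.strip().lower().startswith("http://"):
                self.findings.append((line, tag, name, value.strip()))
            elif name == "style":
                for m in _CSS_URL.finditer(value):
                    self.findings.append((line, tag, "style", m.group(1)))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            line, _ = self.getpos()
            for m in _CSS_URL.finditer(data):
                self.findings.append((line, "style", "url()", m.group(1)))


def find_mixed_content(html_text: str) -> list:
    """Return every http:// reference the page would fetch, with its line number."""
    scanner = MixedContentScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page: three of the references below are mixed content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
<style>body { background: url(http://cdn.example.com/bg.png); }</style>
</head><body>
<img src="/images/logo.png">
<img src="//cdn.example.com/hero.jpg">
<a href="http://www.example.com/help">help</a>
<form action="http://www.example.com/submit" method="post"></form>
</body></html>"""
```

Scan the HTML as the browser receives it (after any server-side templating and after redirects), since an absolute `http://` URL is often injected by a shared layout, a widget or a CDN snippet rather than by the page's own relative links. External stylesheets and scripts can pull in further http resources, so they need the same treatment.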
I have the following comparison questions about KVM and Xen:
Security (how different are KVM and Xen here?)
Speed (I'm a long time user of VMWare Workstation but there I'd think the loss is around 50 % to the native speed, this is IMHO too much)
Stability (do Xen and KVM differ here much?)
Maintainability (how difficult or easy is it to s...
I want to add a simple kind of MAC to some of my URL parameters. This is only intended as an additional line of defense against application bugs and caching related problems/bugs, and not intended as any form of replacement of the actual login security in the application. A given business-object-id is already protected by backends to be ...
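An added editor's example (not the poster's code) of the kind of parameter MAC described above: an HMAC-SHA256 tag over the canonical form of the query string, appended as an extra parameter and checked in constant time. Covering the parameter names as well as the values stops a signed value from being moved to a different parameter, and the tag is truncated to 128 bits to keep URLs short. The key, parameter name `sig` and the sample URL are assumptions for this example; the scheme adds no expiry, so a timestamp parameter would be needed if signed links must stop working after a while.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed demo key. A real deployment loads a random 32-byte key from
# configuration and never commits it to source control.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
TAG_PARAM = "sig"


def _canonical(params: dict) -> bytes:
    """Fixed-order encoding of every parameter except the tag itself, so the
    MAC binds each value to its parameter name."""
    items = sorted((k, v) for k, v in params.items() if k != TAG_PARAM)
    return urlencode(items).encode("utf-8")


def sign_params(params: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a copy of the parameters with the MAC tag added."""
    tag = hmac.new(key, _canonical(params), hashlib.sha256).digest()[:16]
    out = dict(params)
    out[TAG_PARAM] = base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")
    return out


def verify_params(params: dict, key: bytes = DEMO_KEY) -> bool:
    """True only if the tag is present and matches; constant-time comparison."""
    tag = params.get(TAG_PARAM)
    if tag is None:
        return False
    expected = sign_params(params, key)[TAG_PARAM]
    return hmac.compare_digest(expected, tag)


def sign_url(url: str, key: bytes = DEMO_KEY) -> str:
    """Append the tag to a URL's query string (repeated parameter names are
    collapsed by dict(); reject such URLs up front in a real application)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return urlunsplit(parts._replace(query=urlencode(sign_params(params, key))))


def verify_url(url: str, key: bytes = DEMO_KEY) -> bool:
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return verify_params(params, key)
```

As the question says, this is a tamper check, not authorization: the backend still has to confirm that the logged-in user may see the business object the id refers to.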
I am very new to the whole J2EE architecture. Could somebody help me out?
I have a Swing client with Login, Password fields on machine A.
Properties p = new Properties();
p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
p.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
p.put(Conte...
I'm just starting to play around with / learn NHibernate for a personal project, and feel like I'm not "getting" something. I'm used to having apps work like this:
Presentation layer --> Business Layer --> Persistence layer. So for example, my presentation layer would call BusinessLayer.GetCustomer(id). In that method I would check that...
Hi guys.
I developed a web application that permits my users to manage some aspects of a web site dynamically (yes, some kind of CMS) in a LAMP environment (Debian, Apache, PHP, MySQL)
Well, for example, they create a news item in their private area on my server, then this is published on their website via a cURL request (or by ajax).
The n...
When registering at a site the other day, one of their password requirements was that it couldn't contain any special characters, such as ' " = : ; < > ( )
While this alone doesn't indicate they don't hash their passwords, is it a strong indicator? If the password is hashed, these special characters will be translated into something e...
I need to gain access to the files and directories that the current IPrincipal has access to via the Directory.GetDirectories() and Directory.GetFiles() methods, without listing the other files. The process itself is running as NETWORK SERVICE, so it must change the principal to the current user (via IPrincipal) for the duration of thes...
How can I secure the data that my session posts so as to reduce injections?
Is there perhaps something I need to add when I use $_SESSION[''] = $var; or when I retrieve the data by $var = $_SESSION[''];?
...
I am working on a consumer-facing web application built on .NET/C# with MSSQL as the database
We have been following general good coding practices to prevent bugs and SQL/JS query injections but none of us are experts on security.
What would be a good checklist to find out how secure the application we are building really is?
...
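An added editor's example (not code from either poster) for the injection point raised in the two questions above. The database is an in-memory SQLite table with constructed rows rather than MySQL or MSSQL, but the mechanism is the same: the string-built query lets the value be parsed as SQL, while the parameterised query sends the value separately from the SQL text, so no escaping of the value is needed. The third function makes the point about session data: a value read back from the session was put there from a request earlier, so it is user input and takes the same path.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    db.commit()
    return db


def find_user_unsafe(db: sqlite3.Connection, username: str) -> list:
    """String-built query: whatever is in `username` is parsed as SQL."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def find_user_safe(db: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value travels separately from the SQL text, so
    quotes and keywords inside it are just characters of a string to compare."""
    return db.execute("SELECT id, username FROM users WHERE username = ?",
                      (username,)).fetchall()


def find_user_from_session(db: sqlite3.Connection, session: dict) -> list:
    """Session data is still user-supplied: it was stored from a request
    earlier, so it goes through the parameterised path like any other input."""
    return find_user_safe(db, session.get("username", ""))


# A classic tautology payload, as a user might type it into a login form.
INJECTION = "x' OR '1'='1"
```

The same rule applies to the .NET side with `SqlParameter`s and to PHP with prepared statements (PDO or mysqli); what does not work is escaping on input, because the string has to be safe for every query it may later reach.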
Hello, I have a folder named upload which is filled with folders of users' uploaded files.
Is there any way I can stop people from directly downloading my users files by simply typing the folder names and file name into the address bar?
Example: user Jim's folder is stored at HOST/uploads/jim
user Jim's important file "myimportantfile....
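An added editor's example (not the poster's code) of the server-side alternative to letting the web server serve the upload folder directly: every download goes through a handler that checks the logged-in user against the folder owner and then checks that the resolved path (symlinks followed) is still inside that owner's folder, which defeats `../` and absolute-path tricks. The directory layout mirrors the question (uploads/jim/...); the file names and the second user are constructed, and the "session user" is passed in as a parameter because the example has no real session.

```python
import tempfile
from pathlib import Path


class Forbidden(Exception):
    """Raised when the requester may not read the requested file."""


def resolve_user_file(upload_root: Path, session_user: str, owner: str, filename: str) -> Path:
    """Map a download request to a filesystem path, or refuse it.

    Two checks stand between the URL and the file: the logged-in user must be
    the owner of the folder, and the fully resolved path must stay inside the
    owner's folder.
    """
    if session_user != owner:
        raise Forbidden("requester is not the folder owner")
    user_dir = (upload_root / owner).resolve()
    target = (user_dir / filename).resolve()
    if user_dir not in target.parents:
        raise Forbidden("path escapes the owner's folder")
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target


def read_user_file(upload_root: Path, session_user: str, owner: str, filename: str) -> bytes:
    """What the download handler would stream back to the client."""
    return resolve_user_file(upload_root, session_user, owner, filename).read_bytes()


def access_outcome(upload_root: Path, session_user: str, owner: str, filename: str) -> str:
    """Summarise a request as 'ok', 'forbidden' or 'missing' (useful for logging)."""
    try:
        resolve_user_file(upload_root, session_user, owner, filename)
        return "ok"
    except Forbidden:
        return "forbidden"
    except FileNotFoundError:
        return "missing"


def make_sample_tree() -> Path:
    """Constructed fixture: uploads/jim/myimportantfile.txt and uploads/alice/notes.txt."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    (root / "jim").mkdir()
    (root / "jim" / "myimportantfile.txt").write_bytes(b"jim's data")
    (root / "alice").mkdir()
    (root / "alice" / "notes.txt").write_bytes(b"alice's data")
    return root
```

The handler only helps if the direct route is closed: keep the upload folder outside the document root, or deny it in the Apache configuration (`Require all denied` in a `<Directory>` block on 2.4), and serve the bytes from the script with a fixed `Content-Disposition` so the file name is not echoed back unescaped.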
I have long been confused about whether using the BIO_* way has an obvious advantage over the raw SSL_* calls.
I always use the non-BIO way, as I thought I had more control.
...